What Does Passwordless Authentication Mean?
Passwordless is an authentication scheme that uses possession factors (something the user has) and inherence factors (something the user is) instead of knowledge factors (something the user knows) to verify someone’s identity. Popular possession factors include smart phones and security tokens. Popular inherence factors include physical and behavioral biometric data from fingerprints and keystroke patterns.
The goal of passwordless authentication is to reduce the cyber risks associated with password use. This is important because the majority of security breaches today involve some type of credential theft. The danger is that once an attacker has stolen someone’s password by using social engineering or brute force strategies, they can move laterally through the target and look for ways to escalate access privileges.
Besides password manager solutions, tier-1 vendors such as Apple, Google, and Microsoft have all announced plans to support FIDO2 passwordless authentication.
Techopedia Explains Passwordless Authentication
Passwords have always been the weakest security link because weak passwords can be easy to guess, and strong passwords can be difficult to recall.
Benefits
A passwordless approach to authentication makes it more difficult — and expensive — for attackers to steal identities, breach networks, and carry out advanced persistent threats (APTs). It significantly reduces the chance of a password-based attack being successful by preventing credentials from being stolen through malware, phishing, or business email compromise (BEC) attacks.
How Passwordless Authentication Works
In the enterprise, passwordless authentication is sometimes deployed in conjunction with single sign-on (SSO) so employees can use the same proximity badges, security tokens, and authentication apps to access all their enterprise applications and services.
Approaches to passwordless authentication include:
Magic Links
Instead of a password, the user is asked to enter their email address or mobile phone number, after which they are sent an email or SMS message that contains a “magic” link. Magic links are time-sensitive URLs that, when clicked on, verify the user’s identity and grant access.
One-time Passcodes
During the authentication process, the user is sent a time-sensitive numerical code to use instead of a password. Sometimes the code will have to be copied and pasted manually, and sometimes the code will be hyperlinked and function like a magic link.
Authenticator Apps
When the end user wants to log into a computing resource registered with an authenticator app, they start by entering their username as usual. This action prompts the user to open the authentication app and receive a one-time passcode or magic link.
Security Tokens
A security token is a small physical device that the user has to connect to their computing device’s USB Type-C port. Once plugged in, the token will generate a one-time passcode for the end user to enter in place of a password.
Passkeys
When the user initially signs into a website or app that supports cryptographic passkeys, their computing device will generate a public and private key. The public key is sent to the website or app’s server, and the private key is stored on the device in a secure area of the operating system. The next time the user logs in, the server will send the device a decryption challenge that requires the private key to solve. Passkeys may or may not be supported by two-factor authentication (2FA).
Adoption Challenges
Although passwordless authentication is generally considered to be a more secure type of authentication mechanism than passwords, there can still be obstacles that are preventing its widespread adoption. They include:
- Incompatibility with legacy applications
- Too many implementation options that require additional capital expenditures (CAPEX)
- Lack of end-user trust
- Privacy concerns about device tracking
- Concerns about quantum computing and the future of public key cryptography (PKC).