What Is Passwordless Authentication? How It Works and More

AUTHENTICATION

In this article, we dive into passwordless authentication and some of the implications of using this verification method. You’ll learn about examples of passwordless authentication solutions, whether they're secure, and how it's different from multi-factor authentication (MFA). After reading this article, you’ll have a full understanding of how passwordless authentication works and how it can address today’s cybersecurity and access management challenges.


What is Passwordless Authentication?

Passwordless authentication is a verification method in which a user gains access to a network, application, or system without a knowledge-based factor such as a password, security question, or PIN. Rather than supplying a piece of information, the user presents something they possess (such as a hardware authenticator) or something they are (biometric evidence). Passwordless authentication gives organizations and IT management teams an alternative for identity verification because it is both more secure and easier to use. It is generally combined with other authentication processes such as MFA or single sign-on (SSO) and is becoming an increasingly popular substitute for the traditional username and password method.

History of Passwordless Authentication

The idea of a “passwordless world” was teased numerous times in the last two decades before becoming the relatively standard paradigm it is today. Technology leaders like Bill Gates and top-ranking members of market-leading firms such as Google, IBM, and Gartner have acknowledged the idea that passwords create system vulnerabilities and come with user experience issues.

Going as far back as the 1980s, we saw the first true passwordless security solution in the form of a fob, which held built-in authentication components for accessing computer systems. Since then, a great deal of progress has been made in passwordless technology and in how it has been incorporated into other types of solutions and organizational cybersecurity programs.

Passwordless Technology Progression

In an era defined by rapid technological innovation, staying ahead of cyber threats requires leveraging the latest advancements in security technology. At Alexa Cybersecurity, we harness the power of artificial intelligence, machine learning, and behavioral analytics to detect and mitigate threats in real-time. Our advanced threat detection solutions enable proactive threat hunting, anomaly detection, and automated response, helping you stay one step ahead of cybercriminals.

Once AT&T patented the first MFA tool, companies got into an “arms race” for passwordless technology. Advocating for the technology, Microsoft helped design the tamper-resistant biometric ID card in 2004. Then, 2005 saw an increase in biometric and token-based authentication innovations as a result of the Federal Financial Institutions Examination Council’s (FFIEC) new security guidelines that required new multiple-factor authentication measures, including a few passwordless methods.

Fast forward to 2013, when Google became entirely passwordless and made MFA procedures the new standard. That same year, Apple brought to market biometric technology like Touch ID, which later evolved into Face ID. In 2020, Apple announced they would incorporate their biometric verification functions for use in the WebAuthn authenticator.

Benefits of Passwordless Authentication

There is a clear and apparent reason why 92% of businesses believe going passwordless is the future of system-access security — the benefits outweigh the costs. While passwords, in theory, seem like a constructive layer for securing organizational data and applications, they actually lead to additional access points to be exploited by cybercriminals.

For instance, common attacks such as phishing, credential stuffing, brute force algorithms, and keylogging only work on the premise that the threat actor can first acquire the login credentials like a password or other piece of information — then use that to access a valuable technology asset or data system. By going passwordless, you eliminate that whole component of the equation and strengthen your security posture.

Much of the vulnerability of passwords is tied to the tedious process employees must follow for secure password management. To be effective, they must follow certain best practices for designing, storing, updating, and sharing their ever-growing number of account passwords. All of these strict requirements lead to password fatigue and a higher susceptibility to negligent password management. Passwordless authentication eliminates this problem and improves the overall user experience — especially when paired with a passwordless SSO.

Cost-Friendliness of Passwordless

When evaluating for the long term, passwordless authentication is better in terms of both direct financial and indirect operational costs. Because no password management is required, an organization can save money by not investing in password management software tools or frequent security training on how to best design and store a password. Furthermore, IT management resources are freed up for other initiatives because they are no longer burdened with enforcing company-wide password policies, monitoring anomalous password shares, or resetting forgotten and misplaced login credentials. When it's all said and done, it's estimated that organizations can save roughly $1.9 million by going passwordless.

Challenges of Passwordless Authentication

Cost

Just like any type of cybersecurity solution, passwordless authentication has drawbacks that make it poorly suited for certain businesses. For instance, while the long-term costs for any company looking to make this change are very appealing, the initial costs of implementation are burdensome. Incorporating this solution into your directory service is a long and complicated process, and it comes with major expenses for purchasing the hardware and software required.

Training

There are also challenges with fully adopting the technology — particularly when referring to the end user. For years, employees have become comfortable with the idea of usernames and passwords for logging into their applications, which would suddenly come to an end with this type of solution. There would also need to be plenty of training for the employees who will use the authentication methods as well as the IT security staff who will administer it.

Access

From a security standpoint, there are a few limitations, such as the idea of a single point of failure. For example, if an employee was using a push notification to their phone or a hardware token to verify their identity and either lost their phone or token, they wouldn’t be able to gain access. Plus, issues arise if a biometric factor such as a voice command is replicated using a recording of the user or if a hardware authenticator is lost or stolen.

How Does Passwordless Authentication Work?

Passwordless authentication works by using something the user “has” or something the user “is” to verify their identity and give them system access to a website, application, or network. This would be in contrast to a traditional password login, which would be something the user “knows.”

Typically, a passwordless login starts with the user going onto a device, entering a session, or opening an application and entering some type of identifiable information like their name, phone number, email address, or designated username. From there, they verify their identity by presenting something they “have,” such as a hardware token, smart card, or fob, or by clicking a link sent to a mobile device. If the identifiable information or registered device matches a given factor’s information in the authenticating database, they are granted access.

Alternatively, they could use something the user “is,” which would be the equivalent of a biometric factor. So, when they try to enter a device or account on an application, they could be prompted to insert identifiable information in addition to voice recognition or a fingerprint, eye, or facial scan.

Passwordless Authentication and Public-Key Cryptography

Passwordless authentication uses public-key cryptography to securely store and manage the authentication factors required. When the user registers an account or device, a public-private key pair is generated for them. The system they wish to log in to keeps only the public key; the private key stays on the user’s device and can only be used after the passwordless factor (biometric or hardware) unlocks it. Proving possession of that private key is what logs the user in.
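The registration and login flow described above, as an added example that is not part of the original article: the device generates an Ed25519 key pair, the server stores only the public key, and a login is a signature over a fresh server-issued challenge. The `unlocked` flag standing in for the local biometric or hardware gesture, and the usernames, are assumptions constructed for this demo; the code uses only Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is the user's authenticator. The private key never leaves it; the
// unlocked flag stands in for the local biometric or hardware gesture that a
// real authenticator enforces before the key may sign (assumption for this demo).
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// NewDevice generates a fresh key pair at registration time.
func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Unlock simulates a successful local user-verification gesture.
func (d *Device) Unlock() { d.unlocked = true }

// Sign produces the login assertion over the server's challenge.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("authenticator locked: local user verification required")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server is the relying party. It stores only public keys, plus the one
// outstanding challenge per user so that every challenge is consumed once.
type Server struct {
	publicKeys map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		publicKeys: map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register associates the device's public key with the username.
func (s *Server) Register(user string, d *Device) {
	s.publicKeys[user] = d.priv.Public().(ed25519.PublicKey)
}

// Challenge issues a random 32-byte nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.publicKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify accepts the assertion only if it is a valid signature, by the
// registered key, over the challenge this server actually issued. The
// challenge is deleted first, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.publicKeys[user]
	if !ok {
		return false
	}
	issued, pending := s.challenges[user]
	delete(s.challenges, user)
	if !pending || !bytes.Equal(issued, challenge) {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	srv := NewServer()
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", dev) // constructed sample user

	ch, _ := srv.Challenge("alice")
	if _, err := dev.Sign(ch); err != nil {
		fmt.Println("before unlock:", err)
	}
	dev.Unlock()
	sig, _ := dev.Sign(ch)
	fmt.Println("first assertion accepted:", srv.Verify("alice", ch, sig))
	fmt.Println("replayed assertion accepted:", srv.Verify("alice", ch, sig))
}
```

The two properties worth noticing are that nothing secret is ever sent to or stored by the server, so a breach of its database yields only public keys, and that each challenge is consumed on first use, so an assertion captured in transit is worthless afterwards.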

Passwordless Authentication Methods

Organizations need to carefully assess passwordless authentication tools to find the one that works best with their overall identity security posture. Some of the most popular passwordless authentication methods available include:

1. Native options
Some applications or systems that many companies already use—like Google or Microsoft—offer embedded passwordless authentication tools. For example, Google Chrome now allows users to log in to applications or websites via a USB security key or an on-screen QR code that links with a user’s mobile device. Organizations may combine such tools into their overall MFA process.
2. Biometrics
Biometric logins can include fingerprint, voice or facial recognition, or retina scanning. In these methods, advanced scanners or sensors capture the biometric and compare it to data saved in the database to grant or deny access. In some cases, the user’s smartphone may serve as a biometric authentication device.
3. Hardware token
A hardware token is a small electronic device, such as a fob or USB device. A USB device works through a physical connection to the computer, while some hard tokens, such as fobs, do not. A fob generates a new passcode each time a user pushes a button, which the user enters into an on-screen prompt to gain access.
4. Software token
A software token is a digital token sent to a requester’s smartphone, computer, or tablet. It typically consists of a one-time password, usually a 6-8 digit code, which the user must enter, often along with a second authentication factor, to gain access. Authenticator apps typically rely on a shared secret key and support OATH event-based (HOTP) and time-based (TOTP) algorithms.
5. Magic link
A “magic link” allows a user to log in to an account with a one-time URL sent via email or SMS. Once opened, an authentication application in the background matches the device to a token in a database.
6. Smart card
Smart card authentication relies on a physical card, card reader, and enabling software to grant users access to workstations or applications. Smart cards often rely on a data-containing chip and RFID wireless connectivity to grant access privileges.
7. Third-party identity provider
Anyone who’s signed into an application with Google or Facebook has used a third-party IdP. The quick, simple process looks like this: The user enters credentials from a third-party login; the IdP verifies the user and their privileges with their company’s IT; and finally, the user gains access to the application or resource.
8. Persistent cookie
A persistent cookie is a file stored on a particular device. It can remember the device user’s sign-on credentials and determine whether they are logged in, using that info to grant access to applications. A persistent cookie can remain on a computer permanently or until a predetermined expiration date.
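The software-token method (item 4) names the OATH HOTP and TOTP algorithms. The following is an added example, not code from the article, implementing both from RFC 4226 and RFC 6238 in Go's standard library, together with the verifier-side state that prevents a one-time code from being accepted twice. The shared secret used in `main` is the test secret published in those RFCs; the look-ahead and drift windows are assumptions chosen for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to a 31-bit value, then reduction to the requested digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter taken from Unix time in fixed steps.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// TokenAccount is the verifier's state for one enrolled authenticator app.
type TokenAccount struct {
	Secret      []byte
	Digits      int
	NextCounter uint64 // first counter value not yet consumed
}

// VerifyHOTP accepts a code for any of the next lookAhead counters (the user
// may have generated codes that never reached the server), then moves the
// window past the matched counter so the same code is never accepted twice.
func (a *TokenAccount) VerifyHOTP(code string, lookAhead int) bool {
	for i := 0; i < lookAhead; i++ {
		c := a.NextCounter + uint64(i)
		if hmac.Equal([]byte(HOTP(a.Secret, c, a.Digits)), []byte(code)) {
			a.NextCounter = c + 1
			return true
		}
	}
	return false
}

// VerifyTOTP accepts the current time step and one step either side for clock
// drift, and never accepts a step that has already been consumed.
func (a *TokenAccount) VerifyTOTP(code string, unixTime int64, step int64) bool {
	now := unixTime / step
	for delta := int64(-1); delta <= 1; delta++ {
		c := now + delta
		if c < 0 || uint64(c) < a.NextCounter {
			continue
		}
		if hmac.Equal([]byte(HOTP(a.Secret, uint64(c), a.Digits)), []byte(code)) {
			a.NextCounter = uint64(c) + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("HOTP counter %d: %s\n", c, HOTP(secret, c, 6))
	}
	fmt.Println("TOTP at t=59, 8 digits:", TOTP(secret, 59, 30, 8))
}
```

Because the secret is shared between the app and the server, this method is not secret-free in the way the public-key methods are: a copy of the server's secret store is enough to mint valid codes, which is why such secrets should be stored encrypted and why the counter bookkeeping above matters.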
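The magic-link method (item 5) is only as safe as the handling of the one-time URL. This added example, not code from the article, shows a server-side store in Go that issues a 256-bit random token, keeps only its SHA-256 hash with an expiry, and removes the token on first redemption whether or not the attempt succeeds. The `login.example.test` host, the ten-minute lifetime and the user names are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// linkRecord is what the server keeps per outstanding link: who it was issued
// to and when it stops being valid.
type linkRecord struct {
	user      string
	expiresAt time.Time
}

// MagicLinkStore holds pending links keyed by the SHA-256 of the token, so a
// copy of the store does not contain anything that can be pasted into a URL.
type MagicLinkStore struct {
	pending map[[32]byte]linkRecord
	ttl     time.Duration
	baseURL string
}

func NewMagicLinkStore(baseURL string, ttl time.Duration) *MagicLinkStore {
	return &MagicLinkStore{pending: map[[32]byte]linkRecord{}, ttl: ttl, baseURL: baseURL}
}

// Issue creates a 256-bit random token, records its hash with an expiry, and
// returns the one-time URL that would be mailed or texted to the user.
func (s *MagicLinkStore) Issue(user string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[sha256.Sum256([]byte(token))] = linkRecord{user: user, expiresAt: now.Add(s.ttl)}
	return s.baseURL + "?token=" + token, nil
}

// TokenFromLink extracts the token query parameter from a received link.
func TokenFromLink(link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	t := u.Query().Get("token")
	if t == "" {
		return "", errors.New("no token in link")
	}
	return t, nil
}

// Redeem consumes the token. It is removed before the expiry check, so a link
// can be used at most once whether or not the attempt succeeds.
func (s *MagicLinkStore) Redeem(token string, now time.Time) (string, error) {
	key := sha256.Sum256([]byte(token))
	rec, ok := s.pending[key]
	if !ok {
		return "", errors.New("unknown or already used token")
	}
	delete(s.pending, key)
	if now.After(rec.expiresAt) {
		return "", errors.New("link expired")
	}
	return rec.user, nil
}

func main() {
	store := NewMagicLinkStore("https://login.example.test/magic", 10*time.Minute) // assumed host
	now := time.Now()
	link, _ := store.Issue("alice@example.test", now) // constructed sample user
	fmt.Println("mailed link:", link)
	tok, _ := TokenFromLink(link)
	user, err := store.Redeem(tok, now.Add(time.Minute))
	fmt.Println("first use:", user, err)
	_, err = store.Redeem(tok, now.Add(2*time.Minute))
	fmt.Println("second use:", err)
}
```

Hashing the token at rest, a short lifetime and strict single use are the three controls that limit what an attacker gains from reading the user's mailbox or the server's database after the fact; a token that is stored in the clear and never expires is effectively a reusable password delivered over email.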