Achieving Secure Passwordless Authentication

October 3, 2017
Dustin Maxey
Director of Product Marketing

You may have heard the term "passwordless authentication" before, but what does it mean? Really, there is no hidden meaning to it. It means authenticating a user by means other than having them type in a password. Generally, that also extends to means beyond other knowledge-based authentication (KBA) methods, such as providing the name of your first pet.


Examples include a second authentication factor, such as SMS, email or device-based authentication in your own mobile app. Each of these authentication factors has specific advantages and drawbacks, particularly for customer use cases.


The more difficult question to answer is, which situations are appropriate for passwordless authentication? To answer that question, your security and user experience teams must agree on where the balance between security and convenience lies. Using multi-factor authentication (MFA) along with a password will add a level of security. However, the password portion of the MFA transaction is generally the weakest link. Your security team must consider how secure your alternative authentication methods are. For example, SMS has been deemed less secure by the National Institute of Standards and Technology (NIST). You almost certainly don't want to use SMS to achieve passwordless authentication. Other methods such as push notifications that require a fingerprint on a specific device, integrated MDM solutions or hard tokens are much more secure.


The more secure your passwordless authentication factor is, the higher level of assurance (LOA) you can associate with a customer's claim that they are who they say they are. That LOA should then dictate which applications, URLs or APIs an authenticated user has access to. Based on the confidence your security team has in the authentication factor you plan to use as an alternative to passwords, they can assign the appropriate LOA. Having a more secure alternative authentication factor will allow your users to do more without entering a password.


Another variable that can contribute to the required LOA is user or device context. Is the user authenticating from a known device inside a known geofence, or from another country on an unknown device? In the former scenario, a company may require a lower LOA to allow access to certain resources. In the latter, the company may want to require the user to enter credentials in addition to other authentication factors, just to be safe.


Your marketing and UX teams must have input and help your security team determine where reductions of friction in customer experiences would have the greatest impact on conversions, revenue or other KPIs. Between the two teams you can determine the best places to leverage passwordless authentication for your enterprise and what LOA would be required to securely allow access to users in those scenarios.


The Ping Identity Platform utilizes device-based authentication that verifies device secrets directly from a mobile application. This method is much more secure than both email and SMS authentication. It can be used as a second factor to step-up authentications and gain a higher LOA when necessary, or alone to achieve passwordless authentication where appropriate. Advanced policies can also evaluate user and device contexts to help determine which authentication methods are required in various scenarios.


Ping offers two capabilities that enable second authentication factors that can be used in lieu of passwords:


PingID Standalone Mobile Application

PingID is a cloud-based MFA service that allows organizations to utilize a host of methods and devices for authentication including a mobile application for iOS and Android devices. For the purpose of passwordless authentication, the preferred configuration would include a trusted mobile device with the PingID application installed. The advanced authentication policies PingID offers could also play an important role in making the passwordless authentication even more secure.


Let's look at an example to better understand how this service works to support passwordless authentication:

  1. User launches an application in their browser that is protected by PingID MFA.
  2. The PingID MFA service is invoked prior to asking for ID and password.
  3. PingID policies are evaluated to determine how to authenticate the user. Here are two primary scenarios:

Employee is in the office


Policy 1 checks which IP address the request is originating from and, if it is in a known range, then checks whether the GPS location of the registered mobile device is within a defined office geofence. If both of these are true, the user is authenticated without any interaction with the device and the application is launched.


Employee is out of the office


Policy 1 fails (IP and geofence), so policy 2 is executed. A secure push notification is sent to the registered device and the user must then use their fingerprint to authenticate on the mobile device. If successful, the user is authenticated and the application launches without any passwords or passcodes.
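The two scenarios above, plus the unknown-device case from the context discussion earlier, as an added illustration of how such a policy chain is evaluated. This is example code, not PingID's policy engine; the office network range, geofence centre and radius are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import radians, sin, cos, asin, sqrt
from typing import Optional

# Constructed policy data (hypothetical, not a real deployment): the office's
# egress network and a geofence given as (latitude, longitude, radius in metres).
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]
OFFICE_GEOFENCE = (51.5007, -0.1246, 300.0)


@dataclass
class AuthContext:
    """Context available before any credential is asked for."""
    source_ip: str                 # IP the browser request came from
    device_registered: bool        # a PingID-style registered device exists
    device_lat: Optional[float]    # last reported GPS fix of that device
    device_lon: Optional[float]


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    r = 6_371_000.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def policy_1_in_office(ctx: AuthContext) -> bool:
    """Policy 1: request IP in a known range AND registered device inside the geofence."""
    if not ctx.device_registered or ctx.device_lat is None or ctx.device_lon is None:
        return False
    ip_ok = any(ip_address(ctx.source_ip) in net for net in OFFICE_NETWORKS)
    lat, lon, radius = OFFICE_GEOFENCE
    geo_ok = distance_m(ctx.device_lat, ctx.device_lon, lat, lon) <= radius
    return ip_ok and geo_ok


def select_authentication(ctx: AuthContext) -> str:
    """Return the step the user must complete.

    'silent'                -> policy 1 held: no device interaction needed
    'push_biometric'        -> policy 2: push to registered device, fingerprint on device
    'password_plus_factor'  -> no registered device: fall back to credentials plus a factor
    """
    if policy_1_in_office(ctx):
        return "silent"
    if ctx.device_registered:
        return "push_biometric"
    return "password_plus_factor"
```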


PingID can also be used in combination with Mobile Device Management solutions, giving even more data and options for passwordless authentication.


PingID's Mobile SDK

The PingID Mobile SDK embeds the device-based authentication capabilities of PingID directly into your own iOS or Android mobile applications. This solution is primarily used for consumer use cases. It provides the security of device-based authentication while avoiding the friction of requiring the customer to download a third-party application. It is often used to step up a customer's LOA for authentications and high-value transactions. In either case, specific information about what the customer is approving can be included in the push notification sent to the customer. This secure, convenient authentication factor can also be used to achieve passwordless authentication. Here are a couple of examples of passwordless authentication for consumers.

Passwordless authentication is a convenient method for allowing customers to recover or reset lost credentials. For example, a customer who has forgotten their password can go to a company's website and click a button to send a push notification to their mobile device, approve the password reset request on their device, and then immediately enter a new password on the website. This is much more convenient, and more secure, than multi-step password reset processes using SMS or email to verify a customer's identity.


CSR identity verification

Another use case where passwordless authentication can make things safer and more convenient for your customers is during phone calls to your customer support department. Many organizations require customers to verify information such as their social security number to access an account, a passcode (which, due to password reuse, is often the same as their debit card PIN), or a code word. Customers are often required to verbally confirm these details to your CSRs. High-profile breaches like Equifax are making customers more wary of sharing this type of information over the phone. Using the PingID SDK, the CSR can simply click a button to send a push notification to a customer's trusted device, and have the customer verify their identity with a thumbprint using the company's mobile application.


These are just examples. There are many other creative ways you can leverage passwordless authentication for your organization. The decision of where to implement them should be a collaborative effort within your organization. The results will reduce friction for customers and increase efficiency for employees.


To learn more about how to leverage passwordless authentication, get the PingID datasheet.