As a security professional, you probably hear a lot of talk about the need to maximize security while minimizing user friction. You may also be familiar with the term “passwordless authentication.” Passwordless authentication goes hand in hand with the concept of balancing security and user experience and is increasingly mentioned as a solution to achieving this balance.
Yet, the idea of passwordless authentication creates more questions than answers for many. What does it really mean to authenticate without passwords? Also, why should you want to and how does it work? Read on to gain a deeper understanding of the what, why and how of removing passwords to improve both user experience and your overall security.
What Is Passwordless Authentication?
According to the Secret Security Wiki, passwordless authentication is “any method of verifying the identity of a user that does not require the user to provide a password.” I think we all get that much. But the confusion seems to stem from the fact that passwordless doesn’t fit into the usual box. It isn’t a product or technology per se, like multi-factor authentication (MFA) or single sign-on (SSO). Instead, it’s a goal or desired outcome.
The objective of passwordless is to provide technologies and support use cases that reduce—and potentially eliminate—the use of passwords. This is a logical goal because using passwords presents well-known usability issues and security risks.
As an example, using facial recognition instead of a password is one way to achieve passwordless authentication. Using intelligent behavior analysis of user activity to determine authentication requirements (aka adaptive MFA) is another.
Chief among the priorities of passwordless authentication is ensuring you are maintaining or improving security by reducing or eliminating the use of passwords. Said another way, to ensure security isn’t compromised, you should only implement passwordless tactics when you’re able to gather enough other factors to be highly confident in the user’s identity.
A common workforce use case is slowly minimizing the requirement for passwords based on user behavior. When the same user is logging into the same computer around the same time every day, a pattern of typical behavior is established. If the user continues to follow this same pattern, you can reduce the requirement for password authentication in a systematic fashion. For example, you might require that the user enter a password for every login during the first week. If the user’s behavior stays consistent, you might then reduce the requirement for a password to once a day during the first month. If typical behavior continues, you could then require a password only once per week from the second month on.
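As an added example (not code from the article or from Ping Identity), the step-down schedule just described expressed as a policy function in Python: a password on every login in week one, once a day through the first month, once a week after that, and a full password again the moment the pattern breaks. The concrete day counts, the one-hour tolerance for "around the same time" and the rule that a deviation restarts the clock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Schedule from the workforce scenario above. The day counts behind "week" and
# "month", the one-hour time-of-day tolerance and the reset rule are assumptions.
FIRST_WEEK = timedelta(days=7)
FIRST_MONTH = timedelta(days=30)
DAILY, WEEKLY = timedelta(days=1), timedelta(days=7)
HOUR_TOLERANCE = 1
EXAMPLE_START = datetime(2024, 1, 8, 9, 0)   # constructed: first login of the pattern

@dataclass
class BehaviorProfile:
    usual_device: str                      # workstation the user normally signs in from
    usual_hour: int                        # typical local login hour
    pattern_since: datetime                # when the current consistent pattern began
    last_password_at: Optional[datetime] = None

def matches_pattern(profile: BehaviorProfile, device: str, now: datetime) -> bool:
    # Same machine, roughly the same time of day.
    return device == profile.usual_device and abs(now.hour - profile.usual_hour) <= HOUR_TOLERANCE

def password_required(profile: BehaviorProfile, device: str, now: datetime) -> bool:
    # Step-down decision: True when this login must still present a password.
    if not matches_pattern(profile, device, now):
        return True                        # any deviation: fall back to a password
    age = now - profile.pattern_since
    if age < FIRST_WEEK:
        return True                        # week one: password on every login
    interval = DAILY if age < FIRST_MONTH else WEEKLY
    if profile.last_password_at is None:
        return True
    return now - profile.last_password_at >= interval

def record_login(profile: BehaviorProfile, device: str, now: datetime, used_password: bool) -> None:
    # After a login: a deviation becomes the new baseline and restarts the clock.
    if not matches_pattern(profile, device, now):
        profile.usual_device, profile.usual_hour, profile.pattern_since = device, now.hour, now
    if used_password:
        profile.last_password_at = now

def example_time(days_after_start: int, hour: int = 9) -> datetime:
    # Constructed timestamps relative to EXAMPLE_START, for trying the policy out.
    return (EXAMPLE_START + timedelta(days=days_after_start)).replace(hour=hour)
```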
Why Eliminate Passwords?
You may be thinking that passwordless authentication sounds pretty cool. But you might also be questioning if it’s really necessary.
While passwords may be the devil we know, they present too many negatives to ignore. For starters, passwords are too easy to steal and guess. Unfortunately, users’ password practices are resulting in passwords that are weak or being reused across multiple sites.
The reality is that despite knowing the risks, users are still making poor choices when it comes to passwords. Why? You can blame password fatigue if nothing else. It’s estimated that the average user has 200 passwords to manage and that number could double by 2023. Because of the sheer number of accounts they must manage, your users are prone to resort to risky practices just to keep track of all of those passwords.
“80% of major data breaches are caused by weak or compromised passwords.” (2019 Data Breach Investigations Report, Verizon)
In an effort to combat this tendency, some organizations are requiring increased password complexity and more frequent password changes. However, this often only compounds the problem by increasing the likelihood that users will write down their passwords or use the same password across multiple sites. It also comes at a cost as helpdesks often take the brunt of increased password reset requests, a typically burdensome process for everyone involved.
Given the security risks and usability problems that passwords present, the need for passwordless authentication isn’t just a good idea, it’s an imperative.
Is Multi-factor Authentication the Same as Passwordless?
The short answer is no. Multi-factor authentication provides a method of increasing the confidence that a user is who they claim to be by requiring an additional authentication factor to gain access to resources. In contrast, passwordless authentication is gaining access to resources with an authentication factor other than a password. Unlike MFA, passwordless authentication may involve only one factor, such as a biometric. If the authentication process requires more than one factor and none of the factors is a password, it’s then passwordless MFA.
What Authentication Scheme Is Best for Passwordless?
Passwordless authentication is achieved when an authentication factor other than a password is used. But just because a password wasn’t used doesn’t mean the authentication factor that was used is necessarily stronger. Every authentication type has relative strengths and weaknesses.
When evaluating which authentication scheme to use, you’ll want to evaluate the pros and cons of each type of authentication factor. Authentication factors fit into one of three categories—something you know, something you have and something you are—with pros and cons as follows.
Something you know
Examples: password, PIN, the name of your first pet (also known as KBA, or knowledge-based authentication)
Something you are
Examples: biometric factors, such as facial recognition, fingerprint scan, voiceprint, EKG
Pros: Can’t be forgotten
Cons: Dependent on a device if tied to one
Given the range of authentication options available, you may be left wondering how to strike the right balance of security, usability and cost for your use cases. For starters, inventory the various applications you’re using, determine the security needs of each and identify what user populations should have access to them. Once you have that information, you can start laying out application access scenarios that will make it easier to identify the best authentication method(s) for each one.
Two very different but common use cases for passwordless authentication are providing consumer access to prepaid credit cards and enabling insurance adjuster access to customer insurance records and claim history.
Consumer Access to Gift Card Balances
Gift cards are a popular gift, estimated to account for $27.5B in holiday gift sales, according to the National Retail Federation. But they’re just as popular with cybercriminals and other thieves. Despite the many ways bad actors can steal and scam using gift cards, retailers understandably want to make the cards as easy to use as possible for legitimate users—or risk losing significant revenue.
This presents an opportunity for passwordless authentication. Since in nearly all cases the customer will have registered to gain access to their card balance using their email, that same email could be used to send a one-time authorization code the first time they access the card from a new device. You could also give the user the option to trust the new device and then fingerprint the device so that they do not need to re-authenticate from it for a specified period of time.
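An added example, not the article's or any retailer's code: the gift-card flow above in Python, issuing a one-time code for an unrecognized device fingerprint and recording a trust entry that lets that device skip the code until it lapses. The 30-day trust period, the 10-minute code lifetime, the fingerprint attributes and the in-memory stores are assumptions; a real service would deliver the code by email and never return it to the caller.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumed policy values; the article only says "a specified period of time".
TRUST_PERIOD = timedelta(days=30)   # how long a trusted device skips the emailed code
CODE_TTL = timedelta(minutes=10)    # lifetime of a one-time code
EXAMPLE_START = datetime(2024, 3, 1, 9, 0)   # constructed clock value for the demo

def device_fingerprint(user_agent: str, language: str, screen: str) -> str:
    # Stable hash of client attributes; the attribute set is an assumption.
    raw = "\x1f".join((user_agent, language, screen)).encode()
    return hashlib.sha256(raw).hexdigest()

def _hash_code(email: str, code: str) -> str:
    # Store only a hash, so a leaked pending table does not reveal live codes.
    return hashlib.sha256(f"{email}\x1f{code}".encode()).hexdigest()

class GiftCardAccess:
    def __init__(self, now: datetime) -> None:
        self.now = now
        self.trusted: Dict[Tuple[str, str], datetime] = {}         # (email, fp) -> trusted until
        self.pending: Dict[str, Tuple[str, datetime, str]] = {}    # email -> (hash, expiry, fp)

    def begin_login(self, email: str, fp: str) -> Tuple[str, Optional[str]]:
        # A real service would email the code and never return it; it is
        # returned here only so the example runs self-contained.
        until = self.trusted.get((email, fp))
        if until is not None and until > self.now:
            return "granted", None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (_hash_code(email, code), self.now + CODE_TTL, fp)
        return "code_sent", code

    def verify_code(self, email: str, code: str, fp: str, trust_device: bool) -> bool:
        # pop(): one guess per emailed code, and a verified code cannot be replayed.
        entry = self.pending.pop(email, None)
        if entry is None:
            return False
        stored, expiry, pending_fp = entry
        if self.now > expiry or pending_fp != fp:   # expired, or a different device
            return False
        if not hmac.compare_digest(stored, _hash_code(email, code)):
            return False
        if trust_device:
            self.trusted[(email, fp)] = self.now + TRUST_PERIOD
        return True
```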
Insurance Adjuster Access to Records
In the insurance industry, security is paramount. But you don’t want to make security measures so restrictive that they inhibit the ability to access information for those who need it. For this type of use case, authentication could involve sending a push notification to a phone-based authentication app which uses fingerprint or facial recognition, with a backup factor of a PIN-protected roaming FIDO authenticator such as a YubiKey.
Using this combination, the adjuster can log in under normal conditions by responding to the push notification. If they can’t receive or respond to the push notification, the adjuster can use the YubiKey as a fallback authentication method. Since the YubiKey is a FIDO authenticator and therefore not tied to the phone or laptop, the adjuster can use a PIN to unlock the authenticator and gain access. Security is maintained, and productivity isn’t negatively impacted.
Getting Started with Passwordless Authentication
You’re now starting to see the benefits of passwordless authentication. You may even have some ideas about how it could provide stronger security and better experience for your users. While having an understanding of the benefits is step one, to actually realize them you must continue to move ahead.
To help you plan your journey, we at Ping Identity have developed a Passwordless Maturity Scale so you can better understand your current state and discover the next best step for your organization. You’ll learn the eight steps that will help you move from usernames and passwords all the way to zero login and continuous authentication.
To learn more about the Passwordless Maturity Scale and begin mapping out your journey to passwordless authentication, get the white paper.