Passwordless: A Complete Guide to Passwordless Authentication
As an IT leader, you hear a lot of talk about the need to maximize security while minimizing user friction. You may also be familiar with the term “passwordless authentication.” Passwordless authentication is seen as the ultimate answer to balancing security and experience by reducing risk and removing friction.
Yet, the idea of going fully passwordless creates more questions than answers for many. What does it really mean to authenticate without passwords? Is it less secure? How does it actually work? Read on to gain a deeper understanding of the what, why and how of passwordless login to improve both your users’ experience and your overall security.
According to the Secret Security Wiki, passwordless authentication is “any method of verifying the identity of a user that does not require the user to provide a password.” That makes sense. But there’s confusion around how to implement passwordless solutions. There isn’t a product or technology per se, like multi-factor authentication (MFA) or single sign-on (SSO). Instead, passwordless is a goal or desired outcome.
The objective of passwordless authentication is to provide technologies and support use cases that reduce—and potentially eliminate—the use of passwords. This is an important goal because using passwords presents well-known usability issues and security risks.
As an example, using facial recognition instead of a password is one way to achieve passwordless authentication. Using intelligent behavior analysis of user activity to determine authentication requirements (aka adaptive MFA) is another.
Chief among the priorities of passwordless authentication is ensuring you are maintaining or improving security by reducing or eliminating the use of passwords. Passwordless relies on the ability to gather other attributes about a user's identity, such as a fingerprint or a device identifier. When you have those abilities, you can implement passwordless without compromising security.
You may be thinking that passwordless authentication sounds pretty cool. But you might also be questioning if it’s necessary. Given the dangers passwords present, it should be prioritized by all organizations.
61% of data breaches involve the use of unauthorized credentials.
2021 Data Breach Investigations Report, Verizon
While passwords are seen as a necessary evil, they present too many risks to ignore. For starters, passwords are too easy to steal and guess. The 2021 Verizon Data Breach Investigations Report confirms this, finding that 61% of breaches in 2020 were executed using unauthorized credentials.
Despite efforts to increase password security awareness and strengthen policies, users continue to rely on poor and risky password practices. It’s estimated that the average user has 200 passwords to manage and that number could double by 2023. As a result, many passwords are weak or being reused across multiple sites.
In an effort to combat this tendency, some organizations are requiring increased password complexity and more frequent password changes. However, this only compounds the problem by increasing the likelihood that users will write down their passwords or use the same password across multiple sites. It also comes at a cost as helpdesks often take the brunt of increased password reset requests, a typically burdensome and costly process for everyone involved.
Given the security risks and usability problems that passwords present, passwordless authentication is a far better and safer method of ensuring only the right people have access to the right things and for the right reasons.
Lost and stolen passwords have long created security risks. By minimizing reliance on passwords, or eliminating them altogether, you automatically diminish their value to bad actors and improve your security posture. By replacing passwords with more secure authentication factors, you make it much more difficult and expensive for attackers to be successful. With the addition of advanced authentication mechanisms, like risk signal tracking and device trust, you gain even greater assurance that logins are secure.
Passwords present a host of usability problems that translate to poor experiences. For example, if your customer can’t remember the password they used on your site, their next action will often be to abandon the shopping cart rather than go through the forgotten-password flow. In contrast, by providing customers with passwordless authentication, you eliminate the need to create, manage and remember (or reset) passwords. Your users can rely on convenient login mechanisms like push notifications and facial recognition to streamline transactions.
By decreasing the use of passwords, you also decrease the need for password resets. This shift alone can yield significant productivity increases by decreasing downtime. With more convenient and secure authentication options, your users gain quicker, easier access to resources and way less frustration.
Passwordless authentication eases the burden on your helpdesk by minimizing or eliminating password reset requests and their associated costs. Passwordless can also lower costs by replacing expensive hard tokens and smartcards with more cost-effective push notifications and biometric authentication that rely on the user’s smartphone.
The short answer is no. Multi-factor authentication provides a method of increasing the confidence that a user is who they claim to be by requiring an additional authentication factor to gain access to resources. In contrast, passwordless authentication is gaining access to resources with an authentication factor other than a password. Unlike MFA, passwordless authentication may involve only one factor, such as a biometric. If the authentication process requires more than one factor and none of the factors is a password, it’s then passwordless MFA.
Change can often introduce feelings of doubt and uncertainty. But in the case of passwordless authentication, those worries can be put to rest. Because passwordless lets you replace the use and storage of passwords with more secure authentication mechanisms, it’s inherently safer than the risky password-based authentication some organizations are still relying on.
Passwordless authentication can rely on the FIDO2 standard, the first open identity standard created specifically to support passwordless authentication. FIDO2 uses public key cryptography to provide the most secure method of passwordless authentication. The private key never leaves the user’s device and is never stored on a server, so credentials are not vulnerable to phishing, password theft or replay attacks. Passwordless authentication can also support the use of more sophisticated threat detection and risk minimization technologies to further strengthen security.
Passwordless authentication is achieved when an authentication factor other than a password is used. A password is a knowledge factor, meaning it’s something you know. The problem with relying on a knowledge factor alone is that it’s vulnerable to theft, sharing, repeat use, misuse and other risks. Passwordless authentication ultimately means no more passwords. Instead, it relies on a possession factor, which is something your user has, or an inherent factor, which is something your user is, to verify user identity with greater assurance.
When evaluating which authentication factors are best for your use cases, you’ll want to understand the pros and cons of each.
Knowledge factors (something you know). Examples: PIN, the name of your first pet (also known as KBA, or knowledge-based authentication)
Possession factors (something you have). Examples: phone, RSA key, email account, FIDO authenticator
Inherent factors (something you are). Examples: biometric factors, such as facial recognition, fingerprint scan, voiceprint, EKG
Given the range of authentication options available, you may be left wondering how to strike the right balance of security, usability and cost for your use cases. For starters, audit the various applications you’re using, determine the security needs of each and identify what user populations should have access to them. Once you have that information, you can start laying out application access scenarios that will make it easier to identify the best authentication method(s) for each one.
The passwordless journey involves a number of steps, each of which can deliver significant improvements in usability and security. As such, a phased approach to passwordless implementation is often the most successful.
The process typically starts with identifying the most critical business needs to address and selecting initial users with an eye toward gaining invaluable feedback in the initial stages of deployment. The scale shown here suggests a framework to implement passwordless, beginning with centralizing authentication. Depending on your specific applications, user audience(s) and business needs, your implementation process may look different, though. To determine where to start your passwordless authentication journey, get the guide.
A common workforce use case is slowly minimizing the requirement for passwords based on user behavior. When the same user is logging into the same computer around the same time every day, a pattern of typical behavior is established. If the user continues to follow this same pattern, you can reduce the requirement for password authentication in a systematic fashion.
For example, you might require that the user enter a password for every login during the first week. If the user’s behavior stays consistent, you might then reduce the requirement for a password to once a day during the first month. If typical behavior continues, you could then require a password only once per week from the second month on.
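The phased schedule above (password on every login in week one, once a day for the first month, once a week from the second month, with any break in the established pattern falling back to a password) as an added JavaScript decision function that is not from the page or any vendor; the 30-day month, the 2-hour "usual time" window, the record shape and the constructed sample history are assumptions.

```javascript
// Added example (not from the page or any vendor): the phased password-reduction policy
// above as a decision function in JavaScript. The thresholds (1 week, 30 days, a 2-hour
// "usual time" window), the record shape and the sample history are assumptions.
const HOUR = 60 * 60 * 1000, DAY = 24 * HOUR, WEEK = 7 * DAY, MONTH = 30 * DAY;

// Circular distance between two hours of the day (23 and 1 are 2 hours apart).
function hourDistance(a, b) { const d = Math.abs(a - b); return Math.min(d, 24 - d); }

// history: past successful logins, oldest first, each { at: epoch ms, device: id }.
// lastPasswordAt: when the password was last actually verified. attempt: the login now.
// Returns the decision with its reason so the choice is auditable in logs.
function passwordRequired(history, lastPasswordAt, attempt) {
  if (history.length === 0) return { required: true, reason: 'no pattern established yet' };
  const last = history[history.length - 1];
  // Any break in the established pattern falls back to full password authentication.
  if (attempt.device !== last.device) return { required: true, reason: 'unrecognised device' };
  if (hourDistance(new Date(attempt.at).getUTCHours(), new Date(last.at).getUTCHours()) > 2) {
    return { required: true, reason: 'outside usual login time' };
  }
  const age = attempt.at - history[0].at;            // how long the pattern has existed
  const sincePassword = attempt.at - lastPasswordAt; // how stale the last password check is
  if (age < WEEK) return { required: true, reason: 'first week: password on every login' };
  if (age < MONTH) return { required: sincePassword >= DAY, reason: 'first month: password once a day' };
  return { required: sincePassword >= WEEK, reason: 'from second month: password once a week' };
}

// Constructed sample history: one login per day at 09:00 UTC from the same laptop.
const START = Date.UTC(2024, 0, 1, 9);
const dayN = (n, hour = 9) => START + n * DAY + (hour - 9) * HOUR;
function sampleHistory(days) {
  return Array.from({ length: days }, (_, i) => ({ at: dayN(i), device: 'laptop-1' }));
}

// Decisions at several points along the journey (device 'laptop-1' unless stated).
function scenarios() {
  const ask = (days, lastPw, at, device = 'laptop-1') =>
    passwordRequired(sampleHistory(days), lastPw, { at, device }).required;
  return {
    day3: ask(3, dayN(2), dayN(3)),                    // first week: always
    day10SameDay: ask(11, dayN(10), dayN(10) + HOUR),  // first month, password entered an hour ago
    day10NextDay: ask(10, dayN(9), dayN(10)),          // first month, a day since the last password
    day45After3Days: ask(45, dayN(42), dayN(45)),      // second month, under a week
    day45After7Days: ask(45, dayN(38), dayN(45)),      // second month, a week has passed
    day45NewDevice: ask(45, dayN(44), dayN(45), 'tablet-9'),
    day45AtNight: ask(45, dayN(44), dayN(45, 2)),      // 02:00 instead of the usual 09:00
  };
}
```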
Two common customer use cases for passwordless authentication are providing consumer access to prepaid credit cards and enabling insurance adjuster access to customer insurance records and claim history.
Gift cards are a popular gift, estimated to account for $27.5B in holiday gift sales, according to the National Retail Federation. But they’re just as popular with cybercriminals and other thieves. Despite the many ways bad actors can steal and scam using gift cards, retailers understandably want to make the cards as easy to use as possible for legitimate users—or risk losing significant revenue.
This presents an opportunity for passwordless authentication. Since in nearly all cases the customer will have registered to gain access to their card balance using their email, that same email could be used to send a one-time authorization code the first time they access the card from a new device. You could also give the user the option to trust the new device and then fingerprint the device so that they do not need to re-authenticate from it for a specified period of time.
In the insurance industry, security is paramount. But you don’t want to make security measures so restrictive that they inhibit the ability to access information for those who need it. For this type of use case, authentication could involve sending a push notification to a phone-based authentication app which uses fingerprint or facial recognition, with a backup factor of a PIN-protected roaming FIDO authenticator such as a YubiKey. To learn more, watch the webinar.
Using this combination, the adjuster can log in under normal conditions by responding to the push notification. If they can’t receive or respond to the push notification, the adjuster can use the YubiKey as a fallback authentication method. Since the YubiKey is a FIDO authenticator and therefore not tied to the phone or laptop, the adjuster can use a PIN to unlock the authenticator and gain access. Security is maintained, and productivity isn’t negatively impacted.
You’re now seeing the advantages of passwordless authentication. You may even have some ideas about how it could help you strengthen security, deliver better customer experiences, increase workforce productivity and lower your IT costs. While you’re off to a great start, to actually realize the benefits you must continue to move ahead.
To help you plan your journey, our PingZero passwordless capabilities provide you with a road map to get started today and allow your organization to reduce its password risk over time. We’ve identified eight steps that will help you move from usernames and passwords all the way to zero login and continuous authentication.
To learn more about the Passwordless Maturity Scale and begin mapping out your journey to passwordless authentication, download the white paper today.
To go passwordless means to reduce or eliminate the use of passwords by requiring one or more alternative authentication factors when your customers and/or employees log in to your apps or systems. Going passwordless drastically reduces the security risks associated with passwords while helping you deliver frictionless experiences.
Yes. Passwords are an enormous security risk and source of friction for enterprises today, especially since remote work and digital customer experience have become top business priorities. As a result, passwordless initiatives are becoming a reality for many organizations of all sizes, supported by advances in mobile technology, security standards and risk management.
No. Multi-factor authentication (MFA) requires users to provide an additional authentication factor, but still may include a password as part of the authentication process. Unlike MFA, passwordless authentication may only involve one authentication factor, as long as that factor is not a password.
There are three categories of authentication factors: knowledge factors (something the user knows), possession factors (something the user has) and inherent factors (something the user is). A password is a knowledge factor; therefore, passwordless authentication often relies on possession or inherent factors.
Passwords are a very common authentication method, but they introduce many security risks. Hackers can easily use stolen or guessed passwords to gain access to critical business systems and user accounts. Also, the more passwords users have to remember, the more likely they are to rely on poor practices like password reuse or password sharing. Passwordless authentication is more secure because it reduces or completely eliminates the risks associated with passwords, while still ensuring users are authenticated properly.