Passwordless authentication is a way of verifying a user’s identity without using a password. This type of authentication isn’t a specific type of technology, but rather, a goal or desired outcome.
Passwords are becoming outdated and are often the weakest link in protecting digital resources. Not only are they hard to remember, frequently reused, and subject to periodic forced changes, but for many IT departments password support and maintenance are often their largest expense.
Replacing passwords with more secure authentication factors makes it much more difficult and expensive for attackers to be successful. For example, with FIDO (Fast Identity Online), the first open identity standard created to support passwordless authentication, user credentials never leave the device and are not stored on a server, which reduces vulnerabilities to phishing, password theft, and replay attacks. Additional authentication mechanisms, like risk signal tracking and device trust, make passwordless authentication methods even more secure.
But perhaps most importantly, passwordless authentication improves the user experience. Passwords present a host of usability problems that translate to poor experiences. It's much easier for users to provide a fingerprint or speak into a microphone than it is to remember and keep track of passwords. The best part is that much of the authentication process is done behind the scenes and users are blissfully unaware that it’s even happening.
How does it work?
Passwordless authentication occurs when authentication factors other than passwords are used to access digital resources. One or more of these factors can be used:
Note that passwordless authentication is not necessarily the same thing as multi-factor authentication (MFA). With multi-factor authentication, users are required to use two or more factors to prove that they are who they claim to be, and one of these factors could involve a passwordless authentication method. With passwordless authentication, users might be required to use only one factor, but that factor is not a password. If authentication requires more than one passwordless factor, it’s considered passwordless MFA.
Inherence factors: Inherence factors verify users’ identities using biological traits, such as fingerprints or retina scans, or behavioral traits, such as voice patterns and cursor movements. Users’ distinctive characteristics are captured, transformed into numerical data, and compared to data stored in a database. If this information matches the stored data, users are granted access to the digital resource.
Possession factors: With possession factors, users authenticate by proving that a device is in their possession. The system sends a one-time passcode to the user's device and the user enters that passcode to sign on to the system. Public-key cryptography can also be used for authentication; it involves key pairs consisting of a public key and a private key. You can think of the public key as a padlock and the private key as the key that unlocks it. All communications are encrypted and private keys never leave users’ devices, which lessens the chances of someone discovering them during transmission.
Magic links: With magic links, users provide their email addresses and a unique token or code is created and stored. The system sends users emails with URLs that contain these unique tokens or codes. When users click these links, the server verifies the token or code and exchanges it for a long-lived token (often stored as a browser cookie), and users are granted access to the resource.
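To make the public-key possession factor concrete, here is an added illustration in Go (not code from the original article or from any FIDO implementation): the device generates the key pair and keeps the private key, the server stores only the public key, and each signed challenge is single-use and bound to the site origin, which is what defeats replay and relaying to another site. The `Server`, `Register`, `Challenge`, `DeviceSign` and `Verify` names and the `https://example.test` origin are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only each user's public key plus the one challenge currently outstanding.
type Server struct {
	PubKeys    map[string]ed25519.PublicKey
	Challenges map[string][]byte
}

// Register runs key generation on the user's device and hands the server the public half
// only; the returned private key stays on the device (modelled here as the caller).
func (s *Server) Register(user string) (ed25519.PrivateKey, error) {
	if s.PubKeys == nil {
		s.PubKeys, s.Challenges = map[string]ed25519.PublicKey{}, map[string][]byte{}
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.PubKeys[user] = pub
	return priv, nil
}

// Challenge issues a fresh 32-byte nonce that is valid for exactly one assertion.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // never returns an error in Go 1.24+; check it on older toolchains
	s.Challenges[user] = c
	return c
}

// DeviceSign is the authenticator side: signing origin||challenge binds the assertion
// to one site, so it cannot be relayed to a different origin.
func DeviceSign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...))
}

// Verify checks the assertion with the registered public key and consumes the challenge,
// so a captured signature cannot be replayed.
func (s *Server) Verify(user, origin string, challenge, sig []byte) bool {
	pub, ok := s.PubKeys[user]
	want, pending := s.Challenges[user]
	if !ok || !pending || string(want) != string(challenge) {
		return false
	}
	delete(s.Challenges, user)
	return ed25519.Verify(pub, append([]byte(origin+"|"), challenge...), sig)
}
```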
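As an added example (not code from the article), the magic-link flow described above in Go: the server stores only a SHA-256 hash of the token together with an expiry, so a copy of the table does not yield working links, and redeeming a token deletes it so each link works once. The `MagicLinks`, `Issue` and `Redeem` names and the `https://example.test` host are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

// pendingLink is kept per unredeemed link, keyed by the SHA-256 of the token so that
// a copy of the stored table never yields a usable link.
type pendingLink struct {
	email   string
	expires time.Time
}

// MagicLinks tracks unredeemed one-time tokens; Now is injectable so expiry can be tested.
type MagicLinks struct {
	Pending map[[32]byte]pendingLink
	TTL     time.Duration
	Now     func() time.Time
}

// Issue draws 256 bits from the OS CSPRNG, stores only the hash plus an expiry, and
// returns the URL that would be e-mailed (the host is a constructed placeholder).
func (m *MagicLinks) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err // no entropy: never fall back to a guessable token
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	m.Pending[sha256.Sum256([]byte(token))] = pendingLink{email: email, expires: m.Now().Add(m.TTL)}
	return "https://example.test/login?token=" + token, nil
}

// Redeem looks the clicked token up by hash and deletes it (single use, even if expired).
// On success it returns the verified e-mail; the caller then mints the long-lived session cookie.
func (m *MagicLinks) Redeem(token string) (string, error) {
	key := sha256.Sum256([]byte(token))
	p, ok := m.Pending[key]
	if !ok {
		return "", errors.New("unknown or already used token")
	}
	delete(m.Pending, key)
	if m.Now().After(p.expires) {
		return "", errors.New("expired token")
	}
	return p.email, nil
}
```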
Passwordless authentication use cases
There are a variety of passwordless authentication methods and technologies available, and an infinite number of ways they can be used and combined to protect digital resources. Some methods are easy to implement and might be appropriate for accessing resources that do not contain sensitive information, while other methods provide robust security mechanisms but are more expensive to implement. All situations are unique.
For example, passwordless authentication methods are often used in the financial services industry due to the sensitivity of the data involved. In these two use cases, several different passwordless authentication methods are used to access account information.
Use case 1: Customer gift card balance access
To access a gift card balance, a retail company requires that users create a new account using their email address and password. The first time the customer accesses their account balance information from a new device:
The system could email them a one-time authorization code, which they provide to obtain access.
Or, the system could give the customer the opportunity to register the new device using a fingerprint, which they provide to obtain access.
Use case 2: Insurance adjuster record access
Additional security might be required to access more sensitive information. For example, if an insurance adjuster needs to access her client’s records, her identity could be authenticated using a variety of passwordless methods.
Authentication could involve sending a push notification to a phone-based authentication app, which uses fingerprint or facial recognition.
If, for some reason, this method doesn’t work, a fallback authentication method, such as a YubiKey, could be used. Because the YubiKey is a FIDO authenticator and therefore not tied to a phone or laptop, the adjuster could use a PIN to unlock the authenticator and gain access. Security is maintained, and productivity isn’t negatively impacted.