Unlike password-based authentication, passwordless authentication does not rely on a password or any other memorized secret to verify a user's identity.
Instead, identities are verified using a "possession factor", something only the user holds (e.g. a one-time password, a registered mobile device, or a hardware token), or an "inherence factor", something the user is (e.g. a fingerprint, face, or retina).
Authentication based on something the user knows (a memorable secret such as a password, passphrase, or PIN) is problematic because neither the user nor the enterprise can tell whether that secret has been stolen or compromised.
How do you know that no one else knows your password? Memorable secrets are also easy to steal, tend to be reused across services, and require constant management and handling by users and IT staff alike.
There are different ways to achieve passwordless authentication, and the right choice depends on the organization's risk posture and business requirements.
Sign in using a magic link or one-time code sent to the user's email.
Sign in by approving the authentication request on your smartphone (a mobile authenticator).
Sign in using the cryptographic hardware of your device or a security key (WebAuthn/FIDO2).
Signing in by sending a magic link to the user's email is common, but by far the least secure option: the link is a bearer secret, so it is only as secure as the user's mailbox, and anyone who obtains the link can use it. A mobile authenticator, an app installed on the user's smartphone, can use the phone's hardware security module to hold the signing key and therefore provides far better security; since smartphones are so widespread, this option is often a no-brainer because it usually requires no additional hardware. WebAuthn, the W3C standard that forms part of FIDO2, authenticates with a key held in the device's secure hardware or in an external security key. Many companies have embraced the standard, but it usually requires a separate hardware device if the platform does not have a built-in authenticator, and separate hardware can be forgotten, lost, or stolen. When the authenticator is built into the device, the credential is bound to that device and cannot be used from another one (unless the platform synchronizes credentials between devices).
Overall, the mobile authenticator, especially when used as an MFA authenticator that combines possession of the device with biometrics, offers the best combination of security and convenience while remaining a low hurdle to integrate.