All you need to know about Passwordless Authentication

What is Passwordless Authentication?

As opposed to password-based authentication, passwordless authentication does not rely on passwords or any other memorized secret to verify a user’s identity.

Instead of passwords, identities can be verified based on a “possession factor”, an object that uniquely identifies the user (e.g. a one-time password, a registered mobile device, or a hardware token), or an “inherent factor” such as a person’s biometrics (e.g. fingerprint, face, retina).

Unlike possession or inherent factors, authentication based on something the user knows (a memorable secret such as a password, passphrase, or PIN code) is problematic because neither the user nor the enterprise can determine whether that secret has been stolen or compromised.

How do you know that no one else knows your password? Additionally, memorable secrets are easy to steal, are re-used by users, and require constant management and handling by both users and IT managers.

How is passwordless achieved?

There are different ways to achieve passwordless authentication. Making the right choice depends on the organization’s risk posture and business requirements.

Email

Sign in using a magic link or one-time code sent to the user’s email.

Mobile Authenticator

Sign in, e.g., by approving the authentication on your smartphone.

No Credential Phishing

Sign in using the crypto hardware of your device or a security key.

Signing in by sending a magic link to the user’s email is common, but it is by far the least secure option. The Mobile Authenticator, a mobile application installed on the user’s smartphone, can make use of the smartphone’s secure hardware module and thus provide far better security. Since smartphones are so widely deployed, this option can be a no-brainer, as it usually requires no additional hardware. WebAuthn, a standard commonly known as FIDO2, uses each device’s secure hardware module or a security key to authenticate. While many companies have embraced the standard, it usually requires a separate hardware device if an authenticator is not built in. A separate hardware device can be forgotten, lost or stolen; when the authenticator is built in, it cannot be used on another device.

Overall, the Mobile Authenticator, especially when used as an MFA authenticator, e.g. combined with biometrics and possession, offers the greatest security and convenience while being a low hurdle to integrate.


Learn more about passwordless authentication:

5 Compelling Reasons for Enterprises to Go Passwordless

The Weaknesses of “Passwordless Experience” vs the Strengths of “Truly Passwordless”

The Real Cost of Passwords: Why 2FA and SSO don't help

Kill the password before it kills you: A Tale on Password Security
