IDEE Knowledge Base > IAM Content Hub

All you need to know about Passwordless Authentication


What is Passwordless Authentication?

As opposed to password-based authentication, passwordless authentication does not rely on passwords or any other memorized secret to verify a user’s identity.

Instead of passwords, Identities can be verified based on a “possession factor”, which is an object that uniquely identifies the user (e.g. a one-time password, a registered mobile device, or a hardware token) or an “inherent factor” like a person’s biometric (e.g. fingerprint, face, retina, etc.).

Unlike possession or inherent factors, authentication based on something the user knows (a memorable secret such as a password, passphrase, or PIN code) is problematic because neither the user nor the enterprise can determine whether that secret has been stolen or compromised.

How do you know that no one else knows your password? Additionally, memorable secrets are susceptible to easy theft and to re-use by users, and they require constant management and handling by both users and IT managers.

How is passwordless achieved?

There are different ways to achieve passwordless authentication. Making the right choice depends on the organization’s risk posture and business requirements.

Email

Sign in using a magic link or a one-time code sent to the user’s email.

Mobile Authenticator

Sign in, e.g. by approving the authentication request on your smartphone.

No Credential Phishing

Sign in using the crypto hardware of your device or a security key.

Signing in by sending a magic link to the user’s email is common, but by far the least secure option. The Mobile Authenticator, a mobile application installed on the user’s smartphone, can make use of the smartphone’s hardware security module and thus provide far better security. Since smartphones are so widely deployed, this option can be a no-brainer, as it usually requires no additional hardware. WebAuthn, a standard commonly known as FIDO2, uses each device’s secure hardware module or a security key to authenticate. While many companies have embraced the standard, it usually requires a separate hardware device if one is not built in. A separate hardware device can be forgotten, lost or stolen; when the authenticator is built in, it cannot be used on another device.


Overall, the Mobile Authenticator, especially when used as an MFA authenticator, e.g. combined with biometrics and possession, offers the greatest security and convenience while being a low hurdle to integrate.


Learn more about passwordless authentication:

7 Passwordless Risks and How to Mitigate Them

Passwordless Cost: Here’s What You Wanted to Know

Why Organisations Should Count on Passwordless Security?

Authentication: Why you should go passwordless today

5 Compelling Reasons for Enterprises to Go Passwordless

The Weaknesses of “Passwordless Experience” vs the Strengths of “Completely Passwordless”

The Real Cost of Passwords: Why 2FA and SSO don't help

Kill the password before it kills you: A Tale on Password Security