What Does Passwordless Authentication Mean?
Passwordless is an authentication scheme that uses possession factors (something the user has) and inherence factors (something the user is) instead of knowledge factors (something the user knows) to verify someone's identity. Popular possession factors include smart phones and security tokens. Popular inherence factors include physical and behavioral biometric data from fingerprint scan matches or keystroke analysis.
The goal of passwordless authentication is to reduce the cyber risks associated with password use. This is important because the majority of security breaches today involve some type of password theft. The danger of password theft is that once an attacker has stolen access privileges through social engineering or brute force strategies, they can move laterally through the target and look for ways to escalate privileges.
Apple, Google and Microsoft have all announced plans to support Zero Trust cybersecurity with FIDO passwordless authentication. According to the research firm Gartner, 90% of mid-size companies and 60% of global enterprises will shift towards passwordless authentication methods.
Passwordless authentication may also be referred to as zero-knowledge authentication or zero-knowledge password proof.
Techopedia Explains Passwordless Authentication
Passwords have always been the weakest security link because weak passwords can be easy to guess, and strong passwords can be difficult to recall.
Passwordless authentication strikes a balance between locking down security and improving the user experience (UX). A passwordless approach to access management makes it more difficult -- and expensive -- for attackers to steal identities, breach networks and carry out advanced persistent threats (APTs). it significantly reduces the chance of a password-based attack being successful by preventing credentials from being stolen through malware, phishing or business email compromise strategies (BEC attacks).
How Passwordless Authentication Works
Passwordless authentication is built on the same cryptographic principles that support digital certificates and public key cryptography. The difference is that instead of storing private keys on a server, they are stored locally on the user's computing device. Because private key management remains under individual user control, potential attack surfaces are sigificantly reduced.
In the enterprise, passwordless authentication is typically deployed in conjunction with single sign-on (SSO) so employees can use the same proximity badges, security tokens and authentication apps to access all their enterprise applications and services.
Approaches to passwordless authentication include:
Instead of a password, the user is asked to enter their email address or mobile phone number, after which they are sent an email or SMS message that contains a “magic” link. Magic links are time-sensitive URLs that when clicked on, verify the user's identity and grant access.
During the authentication process, the user is sent a time-sensitive numerical code to use instead of a password. Sometimes the code will have to be entered manually, and sometimes the code will be hyperlinked and function like a magic link.
When the end user wants to log into a computing resource registered with an authenticator app, they start by entering their username as usual. This action will prompt the user to open the authentication app to receive a one-time passcode or magic link.
A security token is a small physical device that the user has to connect to their computing device. Once plugged in, the token will generate a one-time passcode for the end user to enter in place of a password.
Although passwordless authentication is a more secure type of authentication than passwords -- and Microsoft, Google and Apple have made this approach to implementing multifactor authentication (MFA) easier then ever, there can still be obstacles to adoption. They include:
- Incompatibility with legacy applications.
- Privacy concerns that prevent wide-spread adoption.