
What is Passwordless Authentication and how does it work?

Passwordless authentication is a cutting-edge technology that offers a secure and effortless login experience without the need for passwords. Our solutions prioritize your security and streamline your authentication process, eliminating the hassle of remembering and typing in passwords.

Passwords: The weakest link of authentication

Before we jump into the whats and hows of passwordless authentication, let's discuss why there is a need to eliminate passwords. After all, passwords have served their purpose for decades; some people would even go as far as having a favorite password. Some childhood passwords are with us to this day. So, where does all this negativity toward passwords come from?

Today's remote workforce relies heavily on various services and applications to perform day-to-day operations. An average worker uses 9 different applications a day to go about their daily tasks. Overwhelmed by the number of user credentials, it is common for users to take shortcuts. Reusing the same password for every app, covering your screen with sticky notes containing credentials for different applications, using common/weak passwords – we've all been there at some point. However, fraudsters can take advantage of users' poor password management practices and gain access to confidential data. After all, four out of five security breaches are related to passwords.

Four out of five breaches are somehow related to passwords.
[Comparitech]
57% of users forget their password immediately after resetting it.
[Digital Information World]
65% of users don't trust password managers.
[SecurityEscape]
87% of respondents say that passwordless authentication is "very important" or "critical" to a zero trust strategy.
[SwissCyberInstitute]
The average cost of a data breach in 2023 is forecasted to exceed $5 million
[SCMagazine]

Common password vulnerabilities

Passwords have been with us long enough for hackers to develop efficient and highly successful cracking techniques. Among the most popular ones are the following:

Phishing

● the practice of sending bogus emails pretending to be a well-known company in order to convince people to reveal personal data, such as passwords and credit card numbers. Such emails usually contain content mentioning urgency, making the targeted victim act fast without suspecting fraud.

Brute force attacks

● a trial-and-error hacking method used to crack login credentials, passwords, and encryption keys. Brute force attacks are fairly simple yet effective hacking methods for gaining unauthorized access to victim accounts and company networks. Ranging from manual entry to automated scripts, brute force attacks rely on testing a variety of username and password combinations until they hit the correct one.

Keylogging

● A keystroke logger is malware installed on a victim's device that captures the keystrokes made while user credentials are entered. A keylogger attack typically starts with an unsecured Wi-Fi hotspot that prompts the user to download the malicious software under the pretense of granting free Wi-Fi access. The malware shares the collected credentials with the bad actor, who then compromises the account.

Credential stuffing

● an automated version of the brute force attack. The attacker relies on poor password hygiene. A single data breach can reveal a large number of usernames and passwords, which are then sold on the dark web. A bad actor in possession of such lists writes a script that feeds the obtained credentials into the login forms of different applications and services. This approach shows high success rates because it is easy to execute and exploits human errors regarding passwords, e.g., reusing the same password on multiple accounts.

The common denominator of all the vulnerabilities mentioned above is the password. To circumvent these security issues, we'd like to provide you with a comprehensive guide to passwordless authentication.

What is passwordless authentication

Passwordless authentication is a method of verifying a user's identity that eliminates the need for passwords. Instead of passwords, passwordless authentication is based on the other authentication factors within the scope of MFA. These authentication factors include:

Possession factors – something the user owns (e.g., a hardware or software token)

Inherence factors – something the user is, their uniquely identifiable traits (e.g., fingerprint or face recognition)

However, passwordless authentication is not limited to the official MFA authentication factors. It includes a variety of convenient and user-friendly means of authentication, including magic links, OTPs, login on demand and push notifications – any of them is acceptable as long as no password is involved.
By eliminating passwords, one of the weakest links in the security ecosystem, you ensure higher security standards and gain a number of business benefits discussed later.

The key elements of passwordless authentication

MFA

Device

Biometrics

Single Sign-On System

PKI infrastructure

With today's zero-trust security policies, mobile application hardening is a necessary tool for enhancing the security of your mobile app. Unprotected apps are not only subject to financial losses due to a data breach but could also experience reputational damage, as well as hold accountability for compromising sensitive user data – all being very hard to bounce back from.

Types of passwordless authentication

Passwordless authentication is based on proving the identity of a user through alternative, more secure authentication methods. Possession factors refer to hardware uniquely linked to a particular user – common devices include hardware tokens and mobile devices containing authenticator apps. A step further are the inherence factors, which rely on the user's unique physical traits – biometrics. This commonly includes authentication via fingerprint or face recognition. Furthermore, although some would argue that knowledge factors have no place in true passwordless authentication, knowledge-based factors can be included in passwordless as long as they are not a static password.

Login on demand

To log into a service, the user opens an authenticator app on their mobile device using biometrics and chooses the service they want to log in to. Identity checks and the user's access privileges are verified in the background. If the checks pass, the user is granted access to the selected service.

Magic links

Instead of prompting the user to submit a password, magic links are based on the user's email address. When logging into an application, the user must submit their email and click the magic link received in their email inbox.

Push Notifications

When logging into an application, the user receives a push notification on their mobile device through an authenticator app. The user verifies their identity with an authentication method previously set up in the authenticator app and is logged in to the desired application.

OTP (One-Time Passcodes)

A dynamically generated OTP from an authenticator app can also be used as a means of passwordless authentication. Typically, the user accesses their authenticator app using biometrics and generates an OTP within the app. The user then submits the One-Time Passcode to log in to the desired service.


How does passwordless authentication work?

Passwordless authentication uses PKI principles to enable a truly passwordless login – a key pair consisting of a public and a private key. Even though we call both of them "keys", think of the public key as a safe, while the private key is the actual key that unlocks the safe. Public Key Infrastructure demands that only one key can open a given safe.
Upon registering to a service, the user generates the key pair with a dedicated authenticator app on their mobile device. Once the key pair is generated, the private key is stored on the user's mobile device, while the public key is stored on the service's system.
The private key stored on the user's mobile device can only be accessed by submitting the appropriate authentication factor (fingerprint, face ID, push notification...).
Now that we explained what happens in the background, let's review the passwordless authentication flow as seen from the user's perspective.

Passwordless authentication flow example

Push notification flow:

1. The user wants to log in to a service and enters/selects their username.
2. A push notification is sent to the user's mobile device.
3. Upon selecting the push notification, an authenticator app opens.
4. The user authenticates with their fingerprint.
5. Authentication is successful, and the user is logged in to the service.

Authenticator app flow:

1. The user wants to log in to a service and enters/selects their username.
2. The user uses their fingerprint to access the authenticator app.
3. The user selects the service to which they want to log in.
4. Authentication is successful.

Benefits of implementing passwordless authentication

Businesses benefit from implementing passwordless authentication in many ways. However, smooth user experience and security implications have the most significant impact. Each organization has its unique business needs that passwordless authentication contributes to. Customer-based enterprises can reduce help desk costs and improve efficiency by eliminating password reset tickets. Companies dealing with sensitive user information gain the highest security standards accompanied by a smooth, frictionless user experience.
To better understand how passwordless authentication aids your business strategy, here's a list summing up the most relevant benefits.
1. Passwordless contributes to significant improvement in user experience

Passwordless authentication eliminates the need for exhausting password management practices. Coming up with a new set of characters each month to protect your personal and business accounts is no longer an issue with passwordless. Users appreciate the convenience of a fingerprint or a push notification. The process is seamless and provides a smooth user experience with little to no friction.

2. Significantly decreases cart abandonment rates for online merchants

Online shoppers expect a smooth checkout without interruptions. When a web shop requires a login to finalize a checkout, 30% of customers abandon their carts. This is due to the added friction, or simply to a forgotten password. Dealing with a password reset process in the middle of the checkout process is an option. However, are you willing to gamble your profits on your customers' patience? Passwordless authentication eliminates friction issues as well as password reset requests.

3. Passwordless authentication wipes out password-related threat vectors

All of the cybersecurity attacks that use password cracking as a breach method can no longer succeed. By implementing passwordless, you're eliminating all password-related threat vectors; brute force attacks, credential stuffing, keylogging, and phishing scams are no longer a worry.

4. Heightened security measures due to sophisticated authentication methods

Passwordless authentication relies on authentication factors that provide more sophisticated security than knowledge factors, among which are passwords. Inherence and possession factors are harder to spoof and provide the user with the most sophisticated authentication technology there is. Also, the technical aspect of passwordless contributes to the adoption of MFA, since almost all passwordless authentication requires at least two authentication factors to be present.

5. Passwordless reduces the Total Cost of Ownership (TCO)

Password-based authentication infrastructure is expensive, and so are the password reset requests that undoubtedly come with it. Further investments, such as automated account recovery, can prove to be a sizeable additional cost in an effort to increase efficiency. Passwordless allows you to circumvent these costs and provides IT with control and visibility over your authentication system – an extension of the zero trust security model. The user is no longer the wildcard in the organization; no more password reuse and phishing threats. IT can finally gain complete control over identity and access management.

Which security threats are prevented by passwordless authentication?

Brute force attacks

Brute force attacks are based on a trial-and-error technique involving the guessing of various character combinations. If it's conducted manually, it usually targets a single account. The longer the password, the greater the difficulty of the attack.

Keylogging

Keylogging malware installed on a user's device records keystrokes and reports them to the bad actor, revealing sensitive user information, including the password. Passwordless authentication eliminates the password, so there is nothing for a keylogger to capture and the attack proves unsuccessful.

Credential stuffing

Credential stuffing is an automated variant of the brute force attack. Instead of the bad guy doing all the legwork, a script feeds a list of stolen credentials (usually bought or freely available on the dark web) into various login forms until there is a hit.

Rainbow table attacks

Rainbow tables can reveal passwords from exposed password hashes. Essentially, a rainbow table is a huge precomputed table of hashes and the candidate passwords that produce them, so that a leaked hash can be looked up rather than reversed. This method gives bad actors high success rates at cracking even complex passwords.

Account takeover

Account takeover can prove to be especially harmful if the compromised account serves business purposes. The attacker can easily gain access to sensitive company and client data, as well as cause company network issues, make fraudulent payments, etc.

Phishing

Phishing is a popular method of obtaining user credentials through bogus emails demanding sensitive information, including passwords. The sender, more precisely the hacker, introduces themselves as a well-known company that can be trusted and demands the target to provide them with sensitive information.

Social engineering

Social engineering is a broad term for attacks that use manipulation to obtain user credentials. The attacker can engage directly with targets through email, SMS, fake chatbots, etc. However, there are also a number of cases where the bad actor obtains sensitive information from service providers under false pretenses.

A step toward a passwordless future

The grim reality of the rising cyber security issues in the past few years is a clear sign that changes in the way we conduct our daily authentication are a necessity. Passwordless authentication offers a scalable and secure solution that bypasses all password-related threats.
Also, companies are coming to a realization that most data breaches are somehow related to passwords. The decision to invest in a passwordless authentication solution becomes an easy one if you compare it to the cost of a single data breach.
Finally, the users will appreciate the additional security perks enabled through frictionless authentication mechanisms that passwordless enables.

Passwordless authentication FAQ

1. What are some examples of passwordless authentication?

The chances are, you're probably already using passwordless authentication; you're just not aware that it falls under the "passwordless" category. Here are some examples:

Push notification flow:

  • The user wants to log in to a service and enters/selects their username.
  • A push notification is sent to the user's mobile device.
  • Upon selecting the push notification, an authenticator app opens.
  • The user authenticates with their fingerprint.
  • Authentication is successful, and the user is logged in to the service.

Authenticator app flow:

  • The user wants to log in to a service and enters/selects their username.
  • The user uses their fingerprint to access the authenticator app.
  • The user selects the service to which they want to log in.
  • Authentication is successful.

2. What are common use cases for passwordless authentication?

Passwordless authentication can take many forms and has many more use cases. Besides the web application or system logins mentioned above, the most common passwordless authentication use cases include the following:

  • VPN network access
  • Windows login
  • Mac login
  • Linux login
  • Document management systems
  • E-commerce web applications
  • Workstation login

3. What are the key benefits of passwordless authentication?

  • Passwordless contributes to significant improvement in user experience.
  • Significantly decreases cart abandonment rates for online merchants.
  • Passwordless authentication wipes out password-related threat vectors.
  • Heightened security measures due to sophisticated authentication methods.
  • Passwordless reduces the Total Cost of Ownership (TCO).

4. How does passwordless authentication work?

Passwordless is based on authentication methods that don't require a standard password login. Instead, the authentication flow includes other forms of identity verification, such as face recognition, fingerprint, or a software/hardware token device.

5. Is going passwordless more secure?

By eliminating passwords altogether, passwordless authentication automatically provides heightened security measures, including advanced authentication methods such as biometrics and tokens. In addition to heightened security, passwordless authentication brings user experience benefits as well.

6. Is passwordless authentication the future?

Considering the numerous benefits passwordless authentication brings, topped with the fast development of easy-to-implement passwordless solutions, the future seems to be heading in the passwordless direction.
