Contact us

BOOK A PRESENTATION

What is Passwordless Authentication and how does it work?

October 4, 2022
NO NAME
Before we jump on to the whats and hows of passwordless authentication, let's discuss why  there is a need to eliminate passwords. After all, passwords served their purpose for decades; some would even go as far as having a favorite password. Some childhood passwords are with us to this day.  So, where does all this negativity towards passwords come from?

Passwords: The weakest link of authentication

Today's remote workforce relies heavily on various services and applications to perform day-to-day operations. An average worker uses 9 different applications a day to go about their daily tasks. Overwhelmed by the amount of user credentials, it is common for users to take shortcuts. Reusing the same password for every app, covering your screen with sticky notes containing credentials for different applications, using common/weak passwords – we've all been there at some point. However, fraudsters can take advantage of users' poor password management practices and gain access to confidential data. After all, four out of five security breaches are related to passwords.

Common password vulnerabilities

Passwords have been with us long enough for hackers to develop efficient and highly successful cracking techniques. Among the most popular ones are the following:

  • Phishing - the practice of sending bogus emails pretending to be a well-known company in order to convince people to reveal personal data, such as passwords and credit card numbers. Such emails usually contain content mentioning urgency, making the targeted victim act fast without suspecting fraud.
  • Brute force attacks – a trial-and-error hacking method used to crack login credentials, passwords, and encryption keys. Brute force attacks are fairly simple yet effective hacking methods for gaining unauthorized access to victim accounts and company networks. Ranging from manual entry to automated scripts, brute force attacks rely on testing a variety of username and password combinations until they hit the correct one.
  • Keylogging – malware installed on a victim's device can capture keystrokes made during the entry of user credentials. The malware shares the collected credentials with the bad actors, who then compromise the account.
  • Credential stuffing – an automated version of the brute force attack. The attacker relies on poor password hygiene. A single data breach can reveal a number of usernames and passwords that are sold on the dark web. A bad actor in possession of such lists creates a script that feeds login forms for different applications and services with obtained credentials. This approach shows high success rates due to easy execution and human errors regarding passwords – e.g., reusing passwords on multiple accounts.

The common denominator for all mentioned vulnerabilities is the password. To circumvent mentioned security issues, we'd like to provide you with a comprehensive guide to passwordless authentication.

What is passwordless authentication?

Passwordless authentication is a method of verifying a user's identity that eliminates the need for passwords. Instead of passwords, passwordless authentication is based on other authentication factors within the scope of MFA. Mentioned authentication factors include:

  • Possession factors- something the user owns (e.g., HW or SW token)
  • Inherence factors- something the user is, their uniquely identifiable traits (e.g., fingerprint or face recognition)

However, passwordless authentication is not limited to the official MFA authentication factors. It includes a variety of convenient and user-friendly means of authentication, including magic links, OTPs, push notifications – it's all good until there is a password involved.

By eliminating passwords, being one of the weakest links in the security ecosystem, you're ensuring higher security standards and a number of business benefits discussed later in the article.

Types of passwordless authentication

Passwordless authentication is based on proving the identity of a user through alternative, more secure authentication methods. Possession factors refer to hardware uniquely linked to a particular user – common devices include hardware tokens and mobile devices containing authenticator apps. A step further are the inherence factors relying on the user's unique physical traits – biometrics. This commonly includes authentication via fingerprint or face recognition. Furthermore; despite some people would argue whether knowledge factors can be a part of true passwordless authentication; knowledge-based authentication factors can be included in passwordless – as long as it's not a static password.

Biometrics

Biometric authentication offers the utmost convenience and security within the scope of passwordless authentication. Based on inherence factors that are unique, the user is granted access to a service or application. Also, due to its frictionless nature, including biometric authentication in passwordless ensures an impeccable user experience. An extended list of biometric authentication methods includes voiceprinting, iris scans, fingerprint, and facial recognition.

Magic links

Instead of prompting the user to submit a password, magic links are based on the user's email address. When logging into an application, the user must submit their email and click the magic link received in their email inbox.

Push Notifications

When logging into an application, the user receives a Push Notification on their mobile device through an authenticator app. The user verifies their identity with an authentication method previously set up on the authenticator app and logs in to the wanted application.

OTP (One-Time Passcodes)

Similar to magic links, OTP-based passwordless authentication requires the user to enter their email or mobile phone number upon registration. Depending on the selected channel, the user receives a dynamically generated OTP either through email or SMS. To log in, they must enter the received One-Time Passcode in the designated field.

How does passwordless authentication work?

Passwordless authentication uses PKI principles to enable a truly passwordless login – a key pair including public and a private key. Regardless of the fact we call them ''keys'', think of the public key as a safe, while the private key is an actual key that unlocks the safe. Public Key Infrastructure demands that only one key can open a single safe.

Upon registering to a service, the user needs to generate the key pair with a dedicated authenticator app on their mobile device. Once the keypair is generated, the private key is stored on the user's mobile device, while the public key is stored on the service's system.

The private key stored on the user's mobile device can only be accessed by submitting the appropriate authentication factor (fingerprint, face ID, push notification...).

Now that we explained what happens in the background let's review the passwordless authentication flow as seen from the user perspective.

Passwordless authentication flow example

  1. The user wants to log in to a service and enters/selects their username.
  2. A push notification is sent to the user's mobile device.
  3. Upon selecting the push notification, an authenticator app opens.
  4. The user authenticates with their fingerprint.
  5. Authentication is successful and the user is logged in to the service. 

Benefits of implementing passwordless authentication

Businesses benefit from implementing passwordless authentication in many ways. However, smooth user experience and security implications have the most significant impact. Each organization has its unique business needs that passwordless authentication contributes to. Customer-based enterprises can reduce help desk costs and improve efficiency by eliminating password reset tickets. Companies dealing with sensitive user information gain the highest security standards accompanied by a smooth, frictionless user experience.

To better understand how passwordless authentication aids your business strategy, here's a list summing up the most relevant benefits.

1. Passwordless contributes to significant improvement in user experience

Passwordless authentication eliminates the need for exhausting password management practices. Coming up with a new set of characters each month to protect your personal and business accounts is no longer an issue with passwordless. The users appreciate the convenience of a fingerprint or a push notification. The process is seamless and provides a smooth user experience requiring none to minimum friction.

2. Significantly decreases cart abandonment rates for online merchants

Online shoppers expect a smooth checkout without interruptions. In case a web shop requires login information to finalize a checkout, 30% of customers abandon their carts. This is due to increased friction; or the obvious case of forgetting their password. Dealing with a password reset process in the middle of the checkout process is an option. However, are you willing to gamble your profits on your customer's patience? Passwordless authentication eliminates friction issues as well as password reset requests.

3. Passwordless authentication wipes out password-related threat vectors

All of the cybersecurity attacks that use password cracking as a breach method can no longer prove to be successful. By implementing passwordless, you're eliminating all password-related threat vectors; brute force attacks, credential stuffing, keylogging, and phishing scams are no longer a worry.

4. Heightened security measures due to sophisticated authentication methods

Passwordless authentication relies on authentication factors that provide more sophisticated security when compared to knowledge factors – among which are passwords. Inherence and possession factors are harder to spoof and provide the user with the most sophisticated authentication technology there is. Also, the technical aspect of passwordless contributes to the adoption of MFA; since almost all passwordless authentication requires at least two authentication factors to be present.

5. Passwordless reduces the Total Cost of Ownership (TCO)

Password-based authentication infrastructure is expensive, and so are the password reset requests that undoubtedly come with it. Further investments such as automated account recovery can prove to be a sizeable additional cost in an effort to increase efficiency. Passwordless allows you to circumvent these costs and provides IT with control and visibility over your authentication system. The user is no longer the wildcard in the organization; no more password reuse and phishing threats. IT can finally gain complete control over identity and access management.

Which security threats are prevented by passwordless authentication?

Brute force attacks

Brute force attacks are based on a trial-and-error technique involving the guessing of various character combinations. If it's conducted manually, it usually targets a single account. The longer the password, the higher the difficulty of the attack.

Keylogging

Keylogging malware installed on a user's device tracks keyboard movements and reports them to the bad actor, revealing sensitive user information, including the password. Passwordless authentication eliminates the password. Therefore, keylogger attacks would prove to be unsuccessful.

Credential stuffing

Credential stuffing is a more sophisticated version of a brute force attack, including an automated script. Instead of the bad guy doing all the leg work, the script simply feeds a list of stolen credentials (usually bought or available on the dark web) to various login forms until there is a hit.

Rainbow table attacks

Rainbow tables hold the ability to reveal passwords from exposed password hashes. Basically, it is a table with a huge amount of hashes and possible password matches recovered from reversing the hash. This method provides bad actors with high success rates at cracking complex passwords.

Account takeover

Account takeover can prove to be especially harmful if the compromised account serves business purposes. The attacker can easily gain access to sensitive company and client data, as well as cause company network issues, make fraudulent payments, etc.

Phishing

Phishing is a popular method of obtaining user credentials through bogus emails demanding sensitive information, including passwords. The sender, more precisely the hacker, introduces themselves as a well-known company that can be trusted and demands the target to provide them with sensitive information.

Social engineering

Social engineering is a broad term that uses manipulation to obtain user credentials. The attacker can engage directly with targets through email, SMS, fake chatbots, etc. However, there is a number of cases where the bad actor gains sensitive information from service providers under false pretenses.

A step toward a passwordless future

The grim reality of the rising cyber security issues in the past few years is a clear sign that changes in the way we conduct our daily authentication are a necessity. Passwordless authentication offers a scalable and secure solution that bypasses all password-related threats.

Also, companies are coming to a realization that most data breaches are somehow related to passwords. The decision to invest in a passwordless authentication solution becomes an easy one if you compare it to the cost of a single data breach.

Finally, the users will appreciate the additional security perks enabled through frictionless authentication mechanisms that passwordless enables.

Passwordless authentication FAQ

What are examples of passwordless authentication?

The cances are, you're probably already using passwordless authentication, you're just not aware that it falls under the ''passwordless category. Here are some examples:

1. Email based login systems

Instead using your username and password, an online service prompts you to enter your email address. After submitting your email, you'll receive a clickable ''magic link'' to your inbox that will redirect you to your registered account.

2. Biometric authentication and push notification

Instead of a password or a PIN, you'd simply use your fingerprint to access a network or an application. For example, you'd like to process an online payment. To finalize a purchase and authorize a transaction you'd typically receive a push notification on your smartphone, authenticate with your fingerprint to access your mBanking account, and authorize the transaction.

How does passwordless authentication work?

Passwordless authentication works by allowing users to log in to a website or application without having to enter their password. This is done through the use of either a digital certificate or a token. A digital certificate is a string of data that proves that the user is who they say they are. When a user logs in to a website or application using a digital certificate, the server is able to verify the certificate and authorize the user accordingly. A token is similar to a digital certificate, but it does not contain any personal information about the user. Instead, it is simply a unique identifier that is used to identify the user. When a user logs in to a website or application using a token, the server simply sends the token along with the request for authentication. The token can then be used to access specific resources on the website or application, rather than requiring the user to enter their username and password every time they login.

What are the key benefits of passwordless authentication?

  • Passwordless contributes to significant improvement in user experience.
  • Significantly decreases cart abandonment rates for online merchants.
  • Passwordless authentication wipes out password-related threat vectors.
  • Heightened security measures due to sophisticated authentication methods.
  • Passwordless reduces the Total Cost of Ownership (TCO).

In case you're curious, feel free to contact us - zero obligation. Our ASEE team will be happy to hear you out.

Want to learn more about cybersecurity trends and industry news?

SUBSCRIBE TO OUR NEWSLETTER

CyberSecurityhub

chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram