Passwordless Authentication: The Easy Path to a Password-Free World?
Part 1 of 2
Passwordless authentication is a Holy Grail that always seems just out of reach. Why go passwordless? Human error is the primary cause of most data breaches, with 82% stemming from stolen passwords, phishing, misuse, and mistakes. Let's not forget that users downright hate passwords. They slow us down, especially on small devices where it's easy to mistype them. Get rid of passwords, and voilà: the number of breaches drops significantly, and users are happier!
So, what's the catch? Well, various communities have had mixed results, but to be effective, passwordless authentication needs to be ubiquitous. Completely end-to-end.
Keep reading to learn how passwordless authentication works, what the user experience looks like, what it does for digital security, and the key considerations for businesses looking to build a secure, passwordless future.
What is passwordless authentication?
Passwordless authentication, sometimes simply referred to as “passwordless,” is the process of verifying a user’s identity without a password, allowing the user to log in without having to enter any credentials. One tap and you’re in.
Instead of a password, we use possession factors such as one-time passwords, mobile devices, and hardware tokens, combined with a unique biometric factor, to verify a person's identity. The biometric check unlocks the possession factor locally on the device; the biometric data itself is never transmitted, which protects its confidentiality. Standards and protocols such as passkeys and FIDO2 make this possible (we'll discuss these later).
Passwordless authentication can also be a facade, masking the continued use of passwords behind the scenes.
For example, if I were a software developer and my application wasn't built for passwordless authentication, I wouldn't want to incur the cost of rewriting it. Instead, I could overlay a passwordless mechanism that prompts the user for their username and a second factor, such as a fingerprint, and then injects the password behind the scenes. The password is still in play, but the user is led to believe the process is passwordless.
Compare this to the traditional login process, where a user must provide an identifier (usually a username) and an authenticator (such as a password, passphrase, PIN, key, certificate, or other type of secret). The identifier establishes who the user claims to be and determines which authenticator is required to prove it and grant the appropriate level of access.
With passwordless authentication, secrets are still exchanged to verify a user's permissions and access level; they are just exchanged behind the scenes. Secrets can be permanent or temporary, depending on your risk profile and security objectives.
Passwordless authentication: enter passkeys
As noted above, there are authentication methods that enhance the user experience and provide greater security for high-risk users and critical services.
FIDO credentials are the most notable example. They can live in a platform authenticator built into the device (such as a Trusted Platform Module in a laptop) or in a portable hardware token (such as a YubiKey). They enhance security by serving as an additional factor (something you have) and by resisting phishing attempts, because the credential is bound to the site it was registered for.
Initially, FIDO tokens strengthened password-based logins by adding extra factors. More recently, the FIDO Alliance has partnered with Big Tech (Apple, Google, and Microsoft) to develop a new security-key standard. As described on the passkeys.io website, a passkey is a new way to log in that works entirely without a password. Instead of supplementing a password, it completely replaces it. Passkeys build on the existing FIDO standards, improving the user experience and offering digital security benefits.
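To make the phishing-resistance claim concrete, here is an added example (not code from Delinea, the FIDO Alliance, or passkeys.io) that models the core of a FIDO2/WebAuthn login ceremony in Go: a toy passkey that signs only for the site it was registered with and only after local user verification, and a relying party that checks challenge, origin, rpId hash, the user-verified flag and the signature counter before accepting the signature. The authenticator-data layout (sha256(rpId) || flags || counter) and the signed message (authData || sha256(clientDataJSON)) follow WebAuthn, but attestation, CBOR/COSE encoding and credential IDs are left out. The domains example.com and examp1e.com are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields the relying party (RP) checks:
// ceremony type, the challenge it issued, and the origin the browser observed.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator returns for a login ceremony.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // sha256(rpId) || flags || signCount (big endian)
	Signature         []byte // ECDSA-P256 over authData || sha256(clientDataJSON)
}

// Credential is the RP's stored record for one registered passkey (public key only).
type Credential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// Passkey is a toy authenticator: the private key never leaves it, it signs only
// for the rpId it was created for, and only after the device verified the user
// (fingerprint, face or PIN). The biometric itself is never transmitted.
type Passkey struct {
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

const flagUserPresent, flagUserVerified byte = 0x01, 0x04

// NewPasskey models registration; the RP keeps only the public key.
func NewPasskey(rpID string) (*Passkey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{rpID: rpID, priv: priv}, &Credential{RPID: rpID, PublicKey: &priv.PublicKey}, nil
}

// signedDigest is the hash both sides sign/verify: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign produces an assertion. The browser supplies rpID (derived from the page it
// is on) and origin, so a lookalike domain presents an rpId the passkey does not know.
func (p *Passkey) Sign(rpID, origin, challenge string, userVerified bool) (*Assertion, error) {
	if rpID != p.rpID {
		return nil, errors.New("authenticator: no credential for this rpId")
	}
	if !userVerified {
		return nil, errors.New("authenticator: user verification failed")
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	p.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flagUserPresent|flagUserVerified, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], p.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// VerifyAssertion is the RP side: expectedChallenge is the single-use value it
// issued for this login attempt and allowedOrigin is the RP's own origin.
func VerifyAssertion(cred *Credential, expectedChallenge, allowedOrigin string, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: replayed or stale login")
	case cd.Origin != allowedOrigin:
		return fmt.Errorf("origin %q not allowed: phishing site or misconfigured client", cd.Origin)
	case len(a.AuthenticatorData) < 37:
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another site")
	}
	if a.AuthenticatorData[32]&flagUserVerified == 0 {
		return errors.New("user verification (biometric/PIN) not performed")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	cred.SignCount = count
	return nil
}

func main() {
	pk, cred, _ := NewPasskey("example.com")
	a, _ := pk.Sign("example.com", "https://example.com", "nonce-1", true)
	fmt.Println("genuine login:", VerifyAssertion(cred, "nonce-1", "https://example.com", a))
	// A client on a lookalike site that reports its true origin is rejected by the RP.
	a2, _ := pk.Sign("example.com", "https://examp1e.com", "nonce-2", true)
	fmt.Println("lookalike origin:", VerifyAssertion(cred, "nonce-2", "https://example.com", a2))
}
```

The design point is that nothing the user could be tricked into typing is involved: the browser, not the user, supplies the rpId and origin, the authenticator refuses unknown rpIds, and the server independently rejects assertions whose origin or rpId hash does not match its own. A real deployment would also consume the challenge on first use and persist the counter per credential.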
Users can use their passkey from all their devices with a method they already use every day: verifying their fingerprint, face, or the device's PIN. There is no need to register a new FIDO credential on every new device. Service providers can support passkey authentication without any password, either as an alternative login method or for account recovery. Private key management can be ecosystem-specific; for example, Apple uses iCloud Keychain for synchronization.
In addition, passkeys have been combined with autofill technology to simplify login, so that the user's identity is filled in automatically when they visit a web application they previously registered for passkey login. Once biometric verification is complete, the result is a "hands-free" experience for the user.
Companies like eBay, PayPal, Best Buy, and Kayak have pledged to offer passkey login, and the Big Tech founding members have all updated their operating systems and apps to support it. This level of support brings us closer to a truly password-free world from start to finish.
Passwordless for the enterprise
Will passkeys or something similar become the norm?
As passwordless authentication becomes the norm, the standard will require every service provider to update its existing password-based authentication. We can expect passwordless adoption to extend from the cloud to legacy applications and systems. Many SaaS applications already support modern standards and protocols such as OpenID Connect, SAML, and OAuth2 for federated authentication from a trusted identity provider, as well as multi-factor authentication (MFA), so the transition should be easier for them.
Any web application that already supports FIDO2 should be able to take advantage of passkeys thanks to their interoperability. For example, the identity services within the Delinea platform support both FIDO2 passwordless and password-based user authentication. Websites that have not yet added FIDO2 support, however, will need to be modified before they can accept passkeys.
According to Forrester Research, more and more companies are adopting passwordless authentication. A recent survey found that about half are experimenting with passwordless login. Most of these are pilot projects, proof-of-concept programs, and small-scale deployments with specific user groups. Surveys conducted by vendors such as Ping Identity and Yubico indicate a strong desire within the IT sector to adopt passwordless authentication. So, the dominoes are falling.
Passkeys are ideal for passwordless login to laptops and web applications, but organizations also need to consider how to extend passwordless authentication to servers and enterprise applications. Businesses have advanced security requirements and demand a more rigorous level of authentication management.
Organizations will also require a higher level of assurance that the user authenticating with the passkey is the person for whom it was created. A modern privileged access management (PAM) solution for server protection, such as Delinea Cloud Suite, supports passwordless login and MFA.
The combination of passwordless authentication and strong credentials can address nearly every scenario, making life easier for users (a fingerprint touch or facial recognition to gain access) and enhancing digital security for businesses.
Several uses of biometric unlocking:
- Biometric unlocking for strong mutual authentication based on resource-efficient cryptography, enabling greater ubiquity and ease of use (e.g., FIDO2 or passkeys combined with federated login protocols such as SAML, OAuth, and OpenID Connect).
- Biometric unlocking for cryptography-based authentication to resources where strong mutual authentication is not possible (e.g., SSH certificates).
- Biometric unlocking to access a shared secret as a fallback. That is, a password or SSH key stays in the background: an underlying secret vault or password manager supplies the password automatically, keeps the service available, and rotates the password automatically.
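The third item above, and the earlier remark that secrets behind a passwordless facade can be temporary, is easiest to see in code. The following is an added example (not Delinea's or any vendor's implementation) of a minimal vault in Go: a legacy target still authenticates with a password, the user never sees it, the vault releases it to a session only after a strong passwordless login, and it rotates the password on the target and in its own store when the session ends. The target, the `strongAuth` flag (standing in for a completed passkey/biometric login) and the names `db01`, `alice` and `bob` are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Target models a legacy system that still authenticates with a password and
// exposes an admin call (SetPassword) that the vault uses to rotate it.
type Target struct {
	Name string
	hash [32]byte
}

func (t *Target) SetPassword(pw string) { t.hash = sha256.Sum256([]byte(pw)) }

// Login compares in constant time. A real system would use a slow password
// hash; plain SHA-256 keeps the example short.
func (t *Target) Login(pw string) bool {
	h := sha256.Sum256([]byte(pw))
	return subtle.ConstantTimeCompare(h[:], t.hash[:]) == 1
}

// Vault is the secret store behind the passwordless facade. Passwords are
// generated by the vault, checked out per session, and rotated on check-in,
// so whatever a session saw is worthless afterwards.
type Vault struct {
	targets  map[string]*Target
	secrets  map[string]string // target name -> current password
	sessions map[string]string // target name -> user holding it
	Audit    []string
}

func NewVault() *Vault {
	return &Vault{targets: map[string]*Target{}, secrets: map[string]string{}, sessions: map[string]string{}}
}

// randomPassword returns 192 bits of randomness as a URL-safe string.
func randomPassword() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Enroll takes over a target: the vault sets a password nobody else knows.
func (v *Vault) Enroll(t *Target) error {
	pw, err := randomPassword()
	if err != nil {
		return err
	}
	t.SetPassword(pw)
	v.targets[t.Name], v.secrets[t.Name] = t, pw
	return nil
}

// Checkout releases the stored password to a session only after the user has
// completed a strong passwordless login (passkey with biometric unlock).
func (v *Vault) Checkout(user, target string, strongAuth bool) (string, error) {
	if !strongAuth {
		return "", errors.New("checkout denied: passwordless strong authentication required")
	}
	pw, ok := v.secrets[target]
	if !ok {
		return "", fmt.Errorf("unknown target %q", target)
	}
	if holder, busy := v.sessions[target]; busy {
		return "", fmt.Errorf("%q is already checked out by %s", target, holder)
	}
	v.sessions[target] = user
	v.Audit = append(v.Audit, fmt.Sprintf("checkout %s by %s", target, user))
	return pw, nil
}

// Checkin ends the session and rotates the password on the target and in the
// store, which invalidates the value the session was given.
func (v *Vault) Checkin(target string) error {
	user, ok := v.sessions[target]
	if !ok {
		return fmt.Errorf("%q is not checked out", target)
	}
	pw, err := randomPassword()
	if err != nil {
		return err
	}
	v.targets[target].SetPassword(pw)
	v.secrets[target] = pw
	delete(v.sessions, target)
	v.Audit = append(v.Audit, fmt.Sprintf("checkin %s by %s, password rotated", target, user))
	return nil
}

func main() {
	v := NewVault()
	db := &Target{Name: "db01"}
	_ = v.Enroll(db)
	pw, _ := v.Checkout("alice", "db01", true)
	fmt.Println("target accepts vaulted password:", db.Login(pw))
	_ = v.Checkin("db01")
	fmt.Println("same password after rotation:", db.Login(pw))
	fmt.Println(v.Audit)
}
```

Two details carry the security value here: the gate on `strongAuth` means the password is only ever released downstream of a phishing-resistant login, and rotation on check-in turns a permanent shared secret into a temporary one, which is exactly the trade-off the article describes between permanent and temporary secrets.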
Source: Delinea