Passwordless authentication: What it is and how it works

What is passwordless authentication?

Passwordless authentication is an authentication or identity verification method that uses biometrics, certifications, or one-time passwords (OTPs). Considered more secure than traditional password security questions or PIN (personal identification number) codes, passwordless authentication offers enhanced security, reduced administrative burden, and simpler access for users. Passwordless authentication is commonly used in conjunction with multi-factor authentication (MFA) or single sign-on (SSO). 

Learn about five ways identity strengthens cybersecurity for the enterprise.

Unlike traditional authentication methods that can be stolen, shared, or reused, passwordless authentication requires users to verify their identity with a possession or inherent factor. A possession factor is something that uniquely identifies the user and that no other user would have, such as a registered mobile device or an issued hardware token. Inherent factors include fingerprints, thumbprints, palm or handprints, voice and facial recognition, and retina or iris scans. 

Passwordless authentication offers an effective alternative to passwords, which are commonly leaked, guessed, or reverse-engineered. The enhanced security provided protects against many well-known attacks that exploit the vulnerabilities of password authentication.  

Among the types of attacks that passwordless authentication is resistant to are: 

• Brute-force attacks  
• Credential stuffing  
• Dictionary attacks 
• Keylogging  
• Man-in-the-middle (MitM) attacks  
• Password spraying 
• Phishing 
• Rainbow table attacks 
• Reverse brute force attacks 
• Smishing 
• Spear phishing 
• Vishing 
• Whaling 

Additional benefits of passwordless authentication are: on layers.

• Less impact on support teams 
• More user-friendly than traditional password-based authentication 
• Lower total cost of ownership (TCO) with reduced infrastructure  
• Reduced complexity in the identity stack
• Users no longer need to remember a password 

Types of passwordless authentication

Biometrics

Advanced scanners are used to capture and validate biometric authentication factors, such as fingerprints, thumbprints, palm or handprints, voice and facial recognition, and retina or iris scans, against data saved in an authentication database.  

Biometrics are an especially reliable authentication factor because they are statistically impossible to replicate; for instance, the likelihood that two faces are similar in physical attributes is less than one in a trillion, and the chance of identical fingerprints is one in 64 trillion.

Hardware tokens

A hardware token is a small electronic device (e.g., fob or USB device) that generates a one-time password (OTP), also called a software token, each time a user activates it. The code is entered into the system to authenticate the user. 

Magic links

A magic link is a one-time URL sent to users via email or text for identity verification. An authentication application in the background matches the device to a token in a database when the user clicks the link.  

Native options

Passwordless authentication tools are embedded in some applications or systems, such as Google and Microsoft. This native option for passwordless authentication allows users to access codes from these apps rather than using others.  

Persistent cookies

Persistent cookies are stored on authenticated devices. They remember the device user’s sign-on credentials. When users are logged in, the persistent cookie is used to grant access to resources based on permissions. Persistent cookies can remain on systems permanently or be set to expire after a specified amount of time.   

Smart cards

Smart cards are physical cards that a reader scans to authenticate users and grant them access to resources. Most smart cards store data on chips and use RFID (Radio-Frequency IDentification) for connectivity.   

How passwordless authentication works

Passwordless authentication prompts users to authenticate using something they have (e.g., token fob) or something they are (e.g., fingerprint) for identity verification before they are granted access to secured resources. The steps a user takes are divided into two phases—registration and verification. 

Passwordless authentication registration

1. When users first approach an application or service, they receive a registration approval request validated using passwordless authentication (e.g., biometric). 
2. When the request is approved, a private encryption key is generated for the user. 
3. The public encryption key is sent to the application or service. 

Passwordless authentication verification

1. A challenge is generated and sent to the user’s device when they try to log in. 
2. The user responds to the challenge by unlocking the private key using the established passwordless authentication method. 
3. The private key is used to complete the challenge. 
4. For the user to gain access, the public key must accept the private key. 

Data security and passwordless authentication

Passwordless authentication mitigates traditional passwords’ inherent vulnerabilities and significantly improves data security in the following ways: 

• Customer satisfaction can be improved without compromising data security. 
• Data security for sensitive information can be significantly improved. 
• Seamless user experiences can be provided alongside enhanced data security. 
• The cost of data security can be reduced. 

Multi-factor authentication (MFA) vs. passwordless authentication

Passwordless authentication and multi-factor authentication (MFA) are often confused and considered synonymous. Both are types of multi-factor authentication, but they rely on different factors. Passwordless authentication does not use passwords, while MFA uses passwords as one of the factors for identity verification. 

Implementing passwordless authentication

Passwordless authentication can be implemented in a number of ways, but the most common are biometrics, FIDO (Fast Identity Online Client) tokens, and one-time codes.   

• Biometrics use devices that have a biometric sensor. 
• FIDO tokens use physical devices that generate one-time codes. 
• Magic links are sent to a user’s email or phone number. 
• One-time codes deliver passcodes to a user’s email address or phone number. 

Organizations can use one of these or implement a combination of them. For instance, they might use a one-time code or FIDO token for initial identity verification, then use biometrics for additional authentication.   

The following are the steps used to implement passwordless authentication.  

1. Select the mode of authentication (e.g., biometrics, FIDO tokens, magic links, one-time codes). 
2. Determine how many factors will be used—multiple factors are considered a best practice.  
3. Acquire and deploy supporting hardware and software systems. 
4. Register users on the authentication system (e.g., scan the faces of all employees for a facial recognition system). 

Passwordless authentication and adaptive authentication

While it is more difficult to hack inherent factors, possession factors, or magic links, it is possible. Combining passwordless with adaptive authentication takes access security to a higher level.

Adaptive authentication adds an artificial intelligence (AI)-powered layer of protection to passwordless authentication that uses machine learning to develop typical user behavior patterns. A deviation in patterns represents a risk and triggers a designated security response, such as prompting the user for secondary authentication or locking the account. 

Passwordless authentication and zero trust

A zero trust security strategy requires eliminating trust of any kind. This means eliminating traditional passwords for identity authentication, since they are not only untrustworthy and expensive, but also slow down zero trust programs. Passwordless authentication is a reasonable replacement as it aligns with the principles of zero trust and delivers many other benefits.   

Mitigating prime attack vectors

Passwords are widely considered to be a primary gateway for data breaches. Using passwordless authentication mitigates this vulnerability.  

Unlike some enhanced security solutions, passwordless authentication is cost-effective and user-friendly. Organizations of all types and sizes have successfully implemented passwordless authentications, and it should be considered for any organization with digital assets to protect. 

You might also be interested in: