When passwords were introduced more than fifty years ago, cyberattackers were much less sophisticated. But, even in those early days, compromised passwords provided a way to hack into IT systems. Over time, passwords have become cybersecurity’s weakest link. And today’s attackers use advanced, automated techniques to phish and steal credentials. That’s why the technology industry has been moving toward a passwordless future.
As the name implies, passwordless authentication verifies identity without requiring a memorized secret—like a password or pin. While best practices for password management help you strengthen security, passwordless authentication goes one step further. Since password security is an ongoing challenge, organizations are looking at passwordless solutions as a way to reduce their risks.
What is passwordless authentication?
Authentication, like two-factor authentication (2FA) or multi-factor authentication (MFA), typically requires one or more of these factors:
- Something you know (knowledge factor), or a memorized secret, such as a password, passphrase or pin
- Something you are (inherent factor), which means biometrics such as a fingerprint, voice or face scan
- Something you have (possession factor), which may be a software token or one-time code, or a hardware device like mobile phone, proximity badge or security key
The main difference between passwordless authentication and 2FA or MFA is that the latter options add secondary authentication layers on top of passwords, and passwordless authentication eliminates the need for knowledge-based secrets and may or may not use multiple verification layers.
In recent years, passwordless authentication has gained traction with a movement focused on the development of industry standards for a frictionless, interoperable approach. For web applications, an alliance called FIDO (Fast Identity Online) introduced open authentication standards that use public-key cryptography.
The goal of passwordless authentication is to enable the use of the same authentication methods across different devices through authenticators such as biometrics, security keys and tokens. In the case of FIDO’s FIDO2 standards (also known as WebAuthn), public-key cryptography protocols replace the shared secret. Similar standards exist for mobile devices and the secondary 2FA/MFA factor.
How does it work?
Each tool used for passwordless authentication functions a little differently—the user may need to scan a fingerprint, wave a card or push a button. Regardless of the means, this is how authentication mechanisms that rely on public-key cryptography work:
- Similar to digital certificates, the tool, or authenticator (whether it’s an authenticator app, hardware device or another method) uses two cryptographic keys: one public and one private.
- When a user tries to log in, the app (or website, system, etc.) sends data to the authenticator tool, which then signs in with the private key. The private key is on the authenticator or local device only. A hacker would have to steal the authenticator to gain access to the app or system.
- The public key—provided by the app—verifies the validity of the signature.
Passwordless authentication is not limited to cloud-based environments. For example, Windows Hello for Business, introduced with Windows 10 version 1507, is an authentication method that uses biometrics and public-key cryptography both for on-premises and cloud services. In this case, biometric data is the initial factor that unlocks the private cryptographic key that authenticates the user.
What are the benefits?
As passwordless authentication creates a barrier for hackers who can easily steal credentials or buy them on the dark web, enhanced security is the primary and most apparent benefit.
From credential stuffing and brute-force attacks to business email compromise, compromised passwords are the source of a variety of cyberattacks. Cryptographic login credentials, on the other hand, are unique for each app or website, not stored on a server and very difficult to fake.
Security, of course, is only one benefit to moving away from passwords others include:
- Controls and visibility: It’s not uncommon for employees to share passwords. Passwordless authentication gives your IT team better control over identity access management (IAM).
- User experience: Your employees no longer need to memorize complex passwords or manage multiple login credentials. Using their device, biometrics, security keys and other methods provides convenience.
- IT simplification: Password management is time-consuming and requires ongoing maintenance. Passwordless authentication simplifies IT while saving costs.
Moving away from password-based security will help your organization reduce risk. However, as with any security approach, it’s imperative to use best practices like integrating your authentication tools into your IAM platform and using multiple authentication techniques. Before you adopt a new approach, ensure it fits within your goals and your IAM program. See how SailPoint can help you find the right solution for your organization.
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint and Password Management.