The use of passwords as the main way to verify user identities when logging in to computer systems stretches back to the early 1960s at MIT. Despite their longevity, the susceptibility of passwords to a wide range of cyberattacks makes them no longer fit for authenticating users in an increasingly digitized world. Threat actors use brute force methods, stolen credentials procured from the dark web, and social engineering tactics as part of a large arsenal of weapons that make passwords increasingly vulnerable.
Many organizations try to adopt solutions that reduce reliance on passwords as the sole method of authentication. Often, these replacements still depend on passwords as one of two or more categories of information required to verify user identities. Passwordless authentication attempts to move away from passwords completely—read on to understand how it works, including examples and challenges.
Passwordless authentication is any type of authentication that completely removes the need for users to enter passwords when logging in to applications or IT systems. Verifying a user’s identity in passwordless authentication doesn’t require any specific technology or processes. Instead, passwordless authentication is more of a desired goal to achieve using a range of potential methods or solutions.
It’s important not to confuse passwordless authentication with multifactor authentication (MFA). MFA requires users to provide two or more distinct categories of information (factors) before they’re granted access to an IT resource. Passwordless methods can supply one or both of the factors required for MFA. You can also implement passwordless authentication using just one factor, as long as that factor is not a password.
Passwords are knowledge-based ways to authenticate users because they rely on something the user knows. Passwordless authentication methods typically depend on something the user has (also known as a possession factor) or something that the user is (also known as an inherence factor).
With this in mind, here are some examples of passwordless authentication:
It’s worth noting that using passwordless authentication doesn’t mean you should abandon MFA. It’s still a cybersecurity best practice to require multiple categories of evidence to verify user identities. In fact, several passwordless authentication methods have built-in MFA; for example, biometric logins often require presenting a fingerprint, retina scan, etc. (something the user is) on a specific registered device (something the user possesses).
The most compelling reason to eliminate passwords is that you can reduce the risk of user accounts being compromised. An investigation into data breaches found that 81% of hacking-related breaches stemmed from either stolen or weak passwords.
The hybrid workforces that are now commonplace just add to the risks of password-based attacks. When working remotely, users need to log in with passwords to access pretty much every corporate IT resource. Passwordless authentication makes it much harder to compromise a user’s account.
Another downside to passwords is the user friction from needing to create, memorize, change and reset combinations of letters, symbols and numbers. Organizations tried to mitigate password-based attacks by requiring users to set even more complex passwords, but that just led to more user friction and worse password hygiene. Passwordless authentication is designed to be seamless and to take the burden of password management away from users.
It’s important to note that this benefit extends to customer-facing services. People want a seamless experience when using online services, whether the service is a banking app or an eCommerce site. While not all passwordless authentication methods are feasible to implement for customers, it is still possible to decrease friction when logging in to customer-based services using passwordless methods such as biometrics.
An interesting finding from research conducted by Forrester a few years back was that password resets cost businesses an average of $70 per reset. These costs quickly add up if multiple users every day ask IT support desks to reset their passwords for an app or service. The mere cost of IT helpdesks supporting these resets can add up to a substantial chunk of your annual IT budget.
Furthermore, there are indirect costs to consider from lost productivity. When employees get locked out of IT resources, they can’t perform whatever work depends on having access to that resource. Passwordless authentication completely removes the costs of resetting passwords.
If there were one single way to provide 100% security to user accounts, then all discussions around passwords would dissolve. Alas, passwordless authentication is only useful if you recognize that it comes with its own security limitations.
While not relying on passwords significantly reduces account compromise likelihood, there are still ways to get around some implementations. Man-in-the-middle attacks and trojans could be used to intercept one-time codes, for example.
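A simplified model of the possession-factor login described above, as an added example that is not from the original article: the user’s registered device answers a single-use, origin-bound server challenge with a key it holds, so a captured answer cannot be replayed and an answer produced for a different origin is rejected. It uses HMAC with a shared device key so it runs on the Python standard library alone (real deployments generally use asymmetric device keys); the origins, the user "alice" and the key are constructed values.

```python
import hashlib
import hmac
import secrets
import time

def device_response(device_key: bytes, origin: str, nonce: str) -> str:
    # Computed on the registered device: a MAC over the origin the device is actually
    # talking to and the server's fresh nonce. The user types and remembers nothing.
    return hmac.new(device_key, f"{origin}|{nonce}".encode(), hashlib.sha256).hexdigest()

class Server:
    """Relying party: one enrolled device key per user, single-use expiring challenges."""
    def __init__(self, origin: str, ttl: float = 60.0):
        self.origin = origin
        self.ttl = ttl
        self.devices: dict[str, bytes] = {}               # user -> key enrolled at registration
        self.pending: dict[str, tuple[str, float]] = {}  # nonce -> (user, expiry)

    def register(self, user: str, device_key: bytes) -> None:
        self.devices[user] = device_key

    def issue_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, time.monotonic() + self.ttl)
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        # pop() makes the nonce single-use whether or not the response checks out
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != user or time.monotonic() > entry[1]:
            return False
        expected = device_response(self.devices[user], self.origin, nonce)
        return hmac.compare_digest(expected, response)

def run_scenarios() -> dict:
    """Constructed scenarios: genuine login, replay of a captured response, and a
    response the device computed for an origin other than the real server's."""
    srv = Server("https://login.example.test")   # placeholder origin, not a real service
    key = secrets.token_bytes(32)                 # enrolled out of band at registration
    srv.register("alice", key)
    nonce = srv.issue_challenge("alice")
    genuine = srv.verify("alice", nonce, device_response(key, srv.origin, nonce))
    # The same response submitted again: the nonce was consumed on first use
    replay = srv.verify("alice", nonce, device_response(key, srv.origin, nonce))
    nonce2 = srv.issue_challenge("alice")
    # The device was shown a different origin, so its MAC does not match the real one
    wrong_origin = srv.verify("alice", nonce2, device_response(key, "https://other.example.test", nonce2))
    return {"genuine": genuine, "replay": replay, "wrong_origin": wrong_origin}
```

The expiry check means a challenge left unanswered past its ttl is also rejected, which limits how long an intercepted challenge stays usable.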
Changing the status quo is never straightforward. People have firm ideas and beliefs about what constitutes effective security. Logging in without any password at all requires an organization-wide shift in mentality to embrace this idea rather than fearing it. Communication is key to getting users on board with the idea that passwords are no longer secure and that alternatives are better suited to today’s threat landscape.
Whether you’re ready to move on from passwords or not, opt for a defense-in-depth approach to security. Recognize that no single type of solution or method is going to protect against diverse modern cyber threats.
Alongside strengthening authentication, consider zero-trust initiatives, and look to improve your detection and response capabilities so you can react faster to ongoing threats. And don’t forget about the power of outsourcing security capabilities to third parties that can bring the expertise and capabilities without the overhead.