What Is Passwordless Authentication & How Does It Work?
Imagine logging into a computer without tapping in a password, answering a security question, or otherwise giving away any knowledge-based secret. You've just envisioned a passwordless authentication system.
To many security experts, a passwordless future is ideal. If we can reduce the burden of creating and remembering passwords, we can make it easier for people to connect with us. And they won't subvert our systems by copying/pasting the same credentials in multiple sites.
But passwordless systems do come with significant drawbacks, including access difficulties if a user's items are stolen or hacked. There are many factors to consider when deciding if going passwordless is right for you and your organisation.
What Is Passwordless Authentication?
Almost every company out there is at risk of enduring a hack attack. To true believers, passwordless authentication is a strengthening method. Use it, and you will eliminate one of the main techniques hackers use to gain access to your assets.
In a typical system, you ask your users to create:
- Usernames. You might identify a similar system for everyone in your organisation (such as last_initial.first_name). Or you might let everyone come up with their own.
- Passwords. You may ask people to craft passwords that are 10+ characters long with numbers and symbols. And you might ask them to make new ones periodically.
- Security processes. You may have a series of questions people must answer to regain access to their accounts if they forget their usernames and passwords.
Some companies do even more and use multi-factor authentication (MFA). With this method, you ask people to verify identity by tapping in a code that comes to a phone or going through a fingerprint scan. In MFA, these secondary factors don't replace passwords. They enhance them.
You could think of MFA as a first step to a passwordless world. But if you take the plunge, you'll use a system like this alone to help verify users. No passwords will ever be required.
How Does Passwordless Authentication Work?
Your users may believe they have the strongest, best password combinations out there. But their data is easy to steal. In 2014, for example, hackers stole 1.2 billion username/password combinations. Even storing passwords securely won't help, as hackers need just minutes to jump past your security hoops and decode the data. Passwordless authentication reduces these risks.
A system like this relies on:
- Cryptographic keys. One key is provided to the server, application, or website during registration. The private version remains on the person's device.
- Factors. Something a person has (like a cellphone or smart card) or something the user is (like a fingerprint or retina scan) unlocks entry.
Registration is required on the first visit. A person might need to provide a clear retina scan, for example. Or the person might need to link a phone to an account. But once that work is done, the person has easy access to the system at any time.
Every time the person comes back on the verified device, some form of authentication may be required. But you could also set up your system to recognise that person during every visit on a registered device with no system checks at all.
Risks & Benefits of Passwordless Logins
Should you move away from tradition and into the future? Every company has an individual answer to this question. But looking over the pros and cons could help you make a smart choice.
Benefits associated with passwordless logins include:
- Cost. IT teams spend hundreds of hours each year dealing with password issues and associated security risks. Eliminating them could free up your team to tackle other crucial tasks.
- Customer experience. Passwords are hard to remember and easy to lose. Eliminating them removes a source of friction for your customers, and that could help your company to grow.
- Security. As we’ve mentioned, passwords are easy to steal and crack. Removing them means ensuring that your resources remain protected.
Limitations associated with a passwordless world include:
- Expertise. Your IT team must be prepared to develop a cutting-edge system that doesn't require passwords. Some of your staff may need training.
- Security. If a device associated with a passwordless system (like a phone) is lost, the thief has access to all files and servers. Blocking that access is very difficult. Some systems allow people to regain control if they enter usernames/passwords, which renders the benefits of passwordless systems moot.
Changing from a system you know and trust to something you've never heard of and haven't tested can be nerve-wracking. Work with a team and reduce your stress. At Okta, we've built strong and secure systems for companies both large and small, and we'd love to tell you how they work. Contact us to find out more.
References
The Era of Passwordless Authentication. (March 2019). Forbes.
Strong MFA: The First Stop on the Path to Passwordless. (July 2020). Cloud Security Alliance.
Password Hack Affects 1.2 Billion Accounts, More at Risk. (August 2014). CBC.
Anatomy of a Hack: Even Your Complicated Password Is Easy to Crack. (May 2013). Wired.
Passwords Are Slowly Becoming a Thing of the Past. (May 2017). Entrepreneur.
How Do We Get to a Passwordless World? One Step at a Time. (November 2019). Security Week.