Passwordless Authentication is an authentication method that allows a user to gain access to an application or IT system without entering a password or answering security questions. Instead, the user provides some other form of evidence such as a fingerprint, proximity badge, or hardware token code. Passwordless Authentication is often used in conjunction with Multi-Factor Authentication (MFA) and Single Sign-On solutions to improve the user experience, strengthen security, and reduce IT operations expense and complexity.
The Problem with Passwords
Today’s digital workers rely on a wide variety of applications to perform their jobs. Users are forced to memorize and track a dizzying array of frequently changing passwords. Overwhelmed by password sprawl, many users take risky shortcuts like using the same password for all applications, using weak passwords, repeating passwords, or posting passwords on sticky notes. Bad actors can take advantage of lax password management practices to mount cyberattacks and steal confidential data. In fact, compromised account credentials are a leading cause of data breaches.
Simple authentication methods that require only username and password combinations are inherently vulnerable. Attackers can guess or steal credentials and gain access to sensitive information and IT systems using a variety of techniques, including:
- Brute force methods – using programs to generate random username/password combinations or exploit common weak passwords like 123456
- Credential stuffing – using stolen or leaked credentials from one account to gain access to other accounts (people often use the same username/password combination for many accounts)
- Phishing – using bogus emails or text messages to trick a victim into replying with their credentials
- Keylogging – installing malware on a computer to capture username/password keystrokes
- Man-in-the-middle attacks – intercepting communications streams (over public WiFi, for example) and replaying credentials
Passwordless Authentication Reduces Risk and Improves User Satisfaction
Passwordless Authentication strengthens security by eliminating risky password management practices and reducing attack vectors. It also improves user experiences by eliminating password and secrets fatigue. With Passwordless Authentication, there are no passwords to memorize or security question answers to remember. Users can conveniently and securely access applications and services using other authentication methods such as:
- Proximity badges, physical tokens, or USB devices (FIDO2-compliant keys)
- Software tokens or certificates
- Fingerprint, voice or facial recognition, or retina scanning
- A mobile phone application
Passwordless Authentication is typically deployed in conjunction with Single Sign-On, so an employee can use the same proximity badge, security token, or mobile app to access all their enterprise applications and services. Passwordless Authentication is also often used as part of a Multi-Factor Authentication solution, where users are forced to provide multiple forms of evidence to gain access to enterprise applications and systems. For example, to access a mobile phone app, a remote user might be required to tap a fingerprint sensor and enter a one-time, short-lived SMS code sent to their phone.
The latest MFA solutions support adaptive authentication methods, using contextual information (location, time-of-day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a specific situation. Adaptive MFA balances convenience with security. For example, an employee accessing an enterprise application from a trusted home computer might be required to provide only one form of authentication. But to access the application from a foreign country over an untrusted WiFi connection, the user might also have to enter an SMS code.
Passwordless Authentication Benefits
Passwordless Authentication provides a variety of functional and business benefits. It helps organizations:
- Improve user experiences – by eliminating password and secrets fatigue, and providing unified access to all applications and services.
- Strengthen security – by eliminating risky password management techniques and reducing credential theft and impersonation
- Simplify IT operations – by eliminating the n.eed to issue, secure, rotate, reset, and manage passwords.
