Passwordless Authentication

Passwordless authentication is trending up today. Instead of a password, it verifies the user with factors such as a fingerprint, a one-time link sent to an e-mail inbox, or a one-time code delivered to a smartphone; when two or more such factors are combined, it becomes a form of Multi-Factor Authentication (MFA). Let's take a closer look at the rise of passwordless authentication.



What is Passwordless Authentication?

Passwordless authentication establishes strong assurance of a user's identity without relying on a password, allowing users to authenticate with biometrics, security keys or a mobile device. The goal is a passwordless future that balances usability with stronger authentication.

How Does Passwordless Work?

Passwordless authentication ideally involves less user interaction at login than traditional forms of authentication. The strongest form uses public key cryptography: the user is authenticated with a pair of cryptographic keys, a private key that stays secret on the user's device and a public key that is registered with the service. This is where relatively new acronyms and standards come in, such as FIDO2 (FIDO stands for Fast IDentity Online; FIDO2 is an umbrella term for the combination of WebAuthn and the Client to Authenticator Protocol, CTAP). The service checks possession of the private key by sending a fresh random challenge that the device signs, and because the signed data also records the origin the browser is talking to, a signature obtained on a look-alike phishing site is useless on the real one.

Passwordless Authentication Methods

Common passwordless authentication methods include:

  • One-time link sent to the e-mail inbox (a "magic link")

  • One-time password sent by SMS or push notification

  • HOTP and TOTP (HMAC-based and time-based one-time passwords, RFC 4226 and RFC 6238)

  • Persistent cookie

  • Third-party identity provider (for example, logging in via Facebook or via Google)

  • USB token device (hardware security key)

  • Mobile application with biometric authentication


Is Multi-factor Authentication the Same as Passwordless?

No. Multi-factor authentication increases the confidence that a user is who they claim to be by requiring an additional authentication factor before granting access to resources. Passwordless authentication, in contrast, grants access with an authentication factor other than a password. Unlike MFA, passwordless authentication may involve only one factor, such as a biometric. If the authentication process requires more than one factor and none of the factors is a password, it is passwordless MFA.

Is Passwordless Authentication Safe?

In short, yes. Physically, there is very little chance that even an intrusive step such as a biometric scan will harm the user. In terms of security, the method is only as strong as the infrastructure and program built around it: a one-time link is only as safe as the mailbox it lands in, an SMS code can be intercepted if the phone number is hijacked, and a cookie or mobile token is only as safe as the device that holds it, whereas a FIDO2 credential is bound to the site it was registered with and cannot be phished.

The Pros and Cons of Passwordless Authentication

PROS

  • Brute Force Attack Immunity – More often than not, passwords are weak, and human nature drives people to reuse the same password across all their SaaS apps, so one breach exposes many accounts. With no password there is nothing to guess, spray or stuff, and a credential dump from another site is worthless against you.

  • Improved User Experience (UX) – Users do not need to remember passwords, nor do they have to change them constantly and follow strict password policy rules while doing so. Passwordless offers an easy flow.

  • Resource Friendly – Getting rid of passwords lets organizations use fewer resources, not to mention the cost savings that come with it. There are also no password resets ($70 average cost per reset).

CONS

  • Hard to Implement – In most cases, e-mail + password is easy to implement, whereas a flow that has to issue tokens, track their expiration and send out e-mails is more complex and costly.

  • Still not an Established Standard – Users are accustomed to e-mail and password-based authentication, so the "entry point" for passwordless authentication is still somewhat limited.

  • Dependency on 3rd Parties – With e-mail + password authentication the account can be activated immediately. A link-based login depends on e-mail delivery, and when a user does not receive the activation e-mail, that dependency is hard to work around.

  • Less Relevant in the Case of IdP / SSO Authentication – With SAML/SSO there is little need for passwordless authentication on the SaaS app side: users have one password, the same one used for their e-mail login, and the identity provider handles authentication.