What does passwordless authentication mean?
Passwordless is an authentication scheme that uses possession factors (something the user has) and inherence factors (something the user is) instead of knowledge factors (something the user knows) to verify someone's identity. Common possession factors include smartphones and hardware security tokens. Common inherence factors include physical and behavioral biometrics such as fingerprint matches or keystroke analysis.
The purpose of passwordless authentication is to reduce the risk that comes with relying on a password. This matters because a large share of breaches begin with stolen, guessed, or reused credentials. Once an attacker has obtained valid credentials, whether by phishing, credential stuffing, or brute force, they can log in as that user, move laterally across the target environment, and look for ways to escalate privileges.
Apple, Google, and Microsoft have all announced support for FIDO passwordless sign-in (passkeys) across their platforms, which fits a Zero Trust model in which every access request must be strongly verified. Research firm Gartner has predicted that 90% of midsize businesses and 60% of global enterprises will adopt passwordless authentication methods.
Passwordless authentication is sometimes confused with zero-knowledge authentication or zero-knowledge password proofs (PAKE protocols such as SRP). Those schemes still depend on a password; they only keep it from being transmitted to, or stored in recoverable form by, the server. Passwordless authentication removes the knowledge factor altogether.
Techopedia Explains Passwordless Authentication
Passwords have always been the weakest link: weak passwords are easy to guess, strong passwords are hard to remember, and the usual workaround, reusing one password across many sites, lets a single breach unlock all of them.
Passwordless authentication strikes a balance between locking down security and improving the user experience (UX). A passwordless approach to access management makes it harder and more costly for attackers to steal identities, breach networks, and execute advanced persistent threats (APTs). It dramatically reduces the chance of a successful password-based attack by removing the credential that malware, phishing, and business email compromise (BEC) campaigns set out to steal. How much of that protection a deployment actually gets depends on the method: magic links and one-time codes can still be relayed through a phishing page in real time, whereas FIDO credentials are bound to the site's origin and cannot be.
How Passwordless Authentication Works
Passwordless authentication relies on the same public-key cryptography that underpins digital certificates. At enrollment the user's device generates a key pair; the private key never leaves the device (ideally it lives in a secure element or TPM) and the server stores only the public key. To log in, the server sends a random challenge and the device signs it with the private key, which the server checks against the stored public key. Because the server holds nothing that can be replayed, a breach of its credential database yields no reusable secrets, and because FIDO signatures also cover the origin the browser is talking to, a phishing page cannot obtain a signature the real site will accept.
In the enterprise, passwordless authentication is typically deployed in conjunction with single sign-on (SSO) so employees can use the same proximity badges, security tokens, and authenticator apps to access all of their enterprise applications and services.
Approaches to passwordless authentication include:
Magic links
Instead of a password, the user is prompted to enter their email address or mobile phone number, after which they receive an email or text message containing a "magic" link. Magic links are time-limited, single-use URLs that, when opened, prove control of that mailbox or phone number and grant access.
One-time access codes
During the authentication process, the user is given a time-sensitive numeric code to use instead of a password. Sometimes the code will need to be entered manually, and sometimes the code will be hyperlinked and work like a magic link.
Authenticator apps
When the end user wants to connect to a computing resource that has been registered with an authenticator app, they start by entering their username as usual. This prompts them to open the authenticator app on their phone, which either supplies a one-time password to type into the login page or presents a magic link or approval prompt that completes the login.
Security tokens
A security token is a small physical device that the user must connect to their computing device, typically over USB or NFC. Once connected, the token either generates a one-time password for the user to enter instead of a password or, in the case of FIDO2 security keys, signs the server's challenge directly after a touch or PIN.
Although passwordless authentication is more secure than passwords, and Microsoft, Google, and Apple have made this approach to multi-factor authentication (MFA) easier than ever to implement, there are still barriers to adoption. These include:
- Incompatibility with legacy applications.
- Privacy issues that prevent widespread adoption.