
What is passwordless authentication?

Passwordless authentication refers to any identity verification method that doesn’t use a password. Some examples of passwordless authentication include physical security keys, specialized apps, email magic links and biometrics. Passwordless authentication solutions vary in terms of features and implementation, but all of them enable users to log in without creating or memorizing a static password. Going passwordless means eliminating passwords from the login process to reduce friction, increase security and provide a better user experience.

Passwordless authentication is used in both commercial and industrial applications. For example, some enterprises use physical security keys to protect vulnerable digital assets, and customers of certain online merchants can use their fingerprint to confirm a purchase on their mobile devices. Passwordless authentication isn’t limited to these methods or use cases, though — it includes a wide range of implementations with varying feature sets and advantages. 

Why are passwords weak in authentication?

Password-based authentication is inherently vulnerable to attacks that target the weakest link in the security chain: the user. People will eventually make a mistake with their passwords, reusing them across many services or choosing weak ones. In a phishing attempt, they might even hand over their passwords willingly. Industry breach reports consistently attribute the large majority of hacking-related intrusions (the figure often quoted is around 80%) to stolen or weak credentials; exploitation of a software vulnerability accounts for a far smaller share.

[Figure: line graphs of the number of data breaches per year, the total number of records compromised per year and the average number of records compromised per breach, 2017-2020. Caption: A constant increase in the number of data breaches. Source: Imperva]

Passwordless authentication is an attempt to solve the problems that passwords present. There is no perfect way to secure an account, but passwords alone are widely recognized as the “old way” of doing things, with multiple additions created to make them less vulnerable. Multi-factor authentication (MFA), for example, is commonly layered on top of passwords to address the weaknesses of credential-based authentication. These bolt-on efforts complicate the system further and add steps for customers who are still forced to use a password in the first place.

The 6 types of passwordless authentication are not all equally effective

Although passwordless authentication has been around for decades, new methods continue to emerge and alter the identity industry’s landscape. For example, as TPM (Trusted Platform Module) hardware becomes a baseline requirement, certificate-based authentication with hardware-protected keys is possible on a huge range of platforms with minimal user prompting.

However, opinions vary on whether every method vendors describe as “passwordless” is truly what it claims to be. For instance, some solutions bolt biometrics onto a password-based architecture that does not use the FIDO2 standards: the fingerprint or face scan simply releases a stored password or long-lived secret that is still sent to, and stored by, the server. That secret can be phished, intercepted or taken from a breached database exactly as a password can.

The industry consensus is that these three methods are categorically passwordless:

  • Biometric authentication (e.g., fingerprint, facial recognition and voiceprint)
  • Dedicated hardware security tokens (e.g., YubiKeys)
  • Certificate-based authentication

The second tier of passwordless authentication methods isn’t necessarily bad; these methods are just arguably not completely passwordless. They are:

  • One-time passcodes (OTPs) delivered by email or SMS
  • Email magic links
  • Authenticator apps

Why would someone argue that OTPs, email magic links and authenticator apps are not truly passwordless? As long as most email accounts are themselves protected only by a password, any verification that runs through an email account can’t be completely passwordless. An email OTP is a pseudo-password gated by another, often weaker, password. OTPs via SMS are weaker still: they are vulnerable to SIM swap attacks, in which an attacker convinces the carrier to move the victim’s phone number to a device they control and so receives the victim’s text messages.

The same is true for magic links. Anyone with access to the email account in question can use the link. While they are extremely convenient, they still invite passwords to part of the process. 

Authenticator apps that generate constantly changing OTPs, or that use other PIN-based methods, are certainly more secure than relying on email account security, but they aren’t truly passwordless either. An authenticator app is only as secure as the device it runs on, and there are many ways to defeat a device’s security: malware, real-time phishing relays that forward the code to the genuine site (adversary-in-the-middle attacks) and outright theft are all options open to an attacker. The code proves knowledge of a secret shared with the server, not possession of a particular device, and it is not bound to the site it is typed into, so whoever obtains it within its validity window can use it. Since nothing intrinsically links the account to the user, targeting the device that holds the authenticator, or the code it displays, is all that’s required.

How passwordless biometrics work

Device biometrics refers to the biometric readers embedded in endpoint devices. There are two main types on the market today: face readers and fingerprint readers. Both include dedicated hardware and sensors built into the device itself.

Face recognition in modern devices (Apple’s Face ID is the best-known example) works by projecting and analyzing over 30,000 invisible infrared dots to create a depth map of the user’s face while simultaneously capturing an infrared image. The depth map and infrared image are transformed into a mathematical representation that is compared to the enrolled facial data.

Fingerprint scanning in modern devices uses a capacitive sensor to capture a high-resolution image of the fingerprint. The sensor reads fingerprints in any orientation, analyzes the sub-epidermal layers of the skin and classifies each print as an arch, loop or whorl.

It then maps individual details of the fingerprint ridges, including variations such as pores, and compiles all of this data into a template that the reader uses to match and recognize fingerprints. The dedicated sensors and on-device matching behind fingerprint scanning and face recognition give them very high accuracy and make them the most accurate biometric authentication technologies on the market today.

Many passwordless solutions rely on the FIDO2 (Fast IDentity Online) standard, a combination of the W3C WebAuthn browser API and CTAP (Client to Authenticator Protocol). FIDO2 uses a pair of cryptographic keys, a public key and a private key, in place of a shared secret that has to be transmitted. When you log in with biometrics on a FIDO2-based solution, the scan of your fingerprint or face never leaves your device. The biometric match unlocks the private key, which signs a one-time challenge issued by the server; the server checks that signature with the public key it stored at enrollment. The private key itself is never sent, and the server learns only that the authenticator performed user verification (a flag in the signed data), not which method was used.

Passwordless biometric authentication is highly secure, and when it is built on the FIDO2 strong authentication standard the biometric template is never transmitted at all: the only thing that leaves the device is a signature over a server-issued challenge, and producing that signature requires the user to be present and verified on the device.


The benefits and advantages of passwordless authentication

Passwordless authentication is beneficial for a number of reasons, but the most significant impact is on customer experience and security. Benefits to different organizations vary depending on their unique needs. For example, a large customer-facing enterprise will reap the benefits of a better customer experience, but it will also find that a FIDO2-certified passwordless solution is a practical way to enforce a zero-trust policy at scale.

Here’s a short list of what you can expect from implementing passwordless authentication:

  1. A smoother and more convenient customer experience
    Compared to passwords, passwordless authentication is typically much easier to navigate and use for customers. Not only are they no longer required to create and remember complex passwords, they’re also able to quickly authenticate and get back to shopping without the potential for getting locked out of their accounts. 
  2. Recovered revenue from reduced customer attrition
    According to Mastercard, up to a third of customers will simply abandon their carts if they forget their passwords. If companies can reduce that margin by any amount, that’s revenue back in their pocket that they would have otherwise lost completely. Similarly, a more convenient identity experience will encourage customers to keep coming back thanks to its ease of use and mobile friendliness.
  3. Dramatically improved security that eliminates the threat vector of passwords
    Unlike passwords, passwordless biometrics give an attacker no shared secret to crack, guess or stuff. The biometric template never leaves the user’s device, and a FIDO2 credential only ever sends a signature over a server-issued challenge, so a breached server yields public keys rather than anything an attacker can log in with. Credentials are also scoped to the site that registered them, so a key pair enrolled with one service can’t be replayed against another in a “credential stuffing” attack the way a reused password can.
  4. Long-term savings from lower total cost of ownership (TCO) and reduced infrastructure
    Maintaining a password-based authentication system is expensive, both in terms of IT support and upkeep. Not only does it cost money to reset a user’s account, it can be a huge drain on resources to automate account recovery, staff call centers and maintain a support ticketing system. Large enterprises might spend millions every year on password-related support, and the long-term savings of eliminating passwords may easily be in the tens of millions for sizable companies.
  5. Significantly decreased complexity in the identity stack, making it easier to add and manage elements
    One thing that often irks CISOs and IT departments is the complexity of increasing security on a password-based authentication system. As security requirements continue to evolve, many companies have been forced to adopt a bolt-on approach in which they add piecemeal elements to their identity stack one by one. This usually results in a difficult-to-manage and unwieldy authentication system. Passwordless solutions make achieving MFA and meeting regulatory requirements simpler, meaning fewer elements are needed to obtain the same results.

Is passwordless biometric authentication safe?

We’re often asked whether biometric authentication is actually that secure. It is not only highly secure; implemented on FIDO2 it’s stronger than virtually any other method of authentication available. But how much more secure is biometric authentication than passwords?

First, let’s talk about how vulnerable passwords really are. The average user probably pictures cyber criminals based on their depictions in movies and television: rapidly typing script kiddies who crack government databases in real time, adjusting to obstacles with jargon-laced riposte. “They backtraced our IP address! I’ll hold them off by allocating more RAM.”

In reality, many hackers are not coding whizzes. They’re con artists, or perhaps they discovered some particularly effective malware that came with easy-to-follow instructions. The point is that hackers rarely “hack” passwords and usernames using complex scripts or machine language. Instead, they steal credentials by phishing, social engineering or otherwise intercepting a user’s input. It’s far easier for a criminal to rob someone standing at the ATM than to pry the machine itself open. 

Most so-called “hackers” aren’t executing complex attacks on hardened databases; they’re walking in through the front door. Passwords are the vector fraudsters target most often, and eliminating them leaves nothing to steal, manipulate or intercept. Compare that to device biometrics, against which no widespread, scalable attack has been reported in the wild.

In the laboratory, researchers have spoofed face and fingerprint sensors, but only with physical access to the victim’s device and a crafted replica of the victim’s face or finger. Those conditions don’t scale the way credential theft does, and under FIDO2 a successful spoof compromises that one device rather than the account everywhere. Simply put, biometric authentication is both very secure and worlds apart from passwords.


Passwordless authentication vs. MFA

Multi-factor authentication, or MFA, describes authentication that requires two or more independent factors: something you know, something you have or something you are. In the most common deployments this means a password plus a one-time passcode generated by an authenticator app, sent by SMS or received via email. MFA says nothing about how strong each factor is, only how many are involved. A FIDO2 credential unlocked by a fingerprint already combines two: possession of the device that holds the private key and the user’s biometric. It’s passwordless, and it’s stronger than a password alone.

To stop a threat actor from simply stealing and using the device tied to a passwordless account, many passwordless solutions add further checks. One common addition is device fingerprinting: a passive signal built from browser and operating-system attributes that lets the service confirm a request comes from a registered device without adding a step for the user. Combining biometrics with device fingerprinting makes impersonating a user far harder, though a fingerprint built from observable attributes is a risk signal rather than a cryptographic proof.

Is passwordless authentication MFA?

What confuses some people about passwordless MFA is where the second factor comes from. With FIDO2, it’s the private key on the device itself: the key is generated on the authenticator at enrollment and never leaves it, so only that device can produce a valid signature. Device fingerprinting, where a vendor uses it, is a separate check layered on top of that; it is not part of the FIDO2 standard.

It’s possible to transfer trust to other devices so that they can also authenticate the same user, but you can’t pick up just any unregistered phone and log in. This additional layer goes well beyond standard MFA. Even if an attacker somehow defeated the biometric check, they would still need the registered device’s private key, which never leaves that device, and would then have to pass any device fingerprinting the service layers on top. For most cyber criminals, it’s not worth the effort.

How do you implement passwordless authentication?

Only BindID provides totally passwordless authentication while protecting user privacy and offering omnichannel identity portability. As the first truly app-less password alternative, BindID creates a frictionless identity experience without the need for complex changes at the web and application levels. BindID is also identity provider-agnostic, meaning that it can work with any IdP you use.

The most compelling aspect of BindID is the fact that it takes only days to integrate it into all your channels. With ultra-fast implementation thanks to OpenID Connect standards, production can begin within weeks and with as little as one developer.

Compare this to the more typical identity management transformation programs which can take months and sometimes years. For organizations looking to quickly deploy a passwordless, strong biometric solution for their customers, now is the perfect time to explore BindID.