
Find the Right Passwordless Authentication Method for Your Business

More and more companies and customers are choosing passwordless authentication because it is more user-friendly and safer than traditional passwords. Passwords are exposed in data breaches and need extra mechanisms such as one-time codes to reinforce security; passwordless authentication methods do not. Passwordless authentication also eliminates the need to remember dozens of passwords, which can reduce customer attrition.

This post showcases today’s most popular passwordless authentication methods, such as biometrics, hardware tokens, and certificate-based authentication. All true passwordless methods are safe, but to find out which one is right for your business, read the following passwordless authentication examples.

What Is Passwordless Authentication?

Authentication systems use various factors to prove a user’s identity to the system. The three main factors are:

  • Something You Know: Knowledge-based factors like passwords require a shared secret to access an account.
  • Something You Have: Possession-based factors use smartphones and other physical devices to prove identity.
  • Something You Are: Inherence-based factors like biometrics authenticate a user based on unique features like fingerprint or facial recognition.

Password-based authentication systems and other knowledge-based authentication systems (something you know) have significant security issues. These include the potential for hackers to steal weak and reused passwords and to compromise insecure authentication factors via phishing or malware attacks.

Passwordless authentication uses the other two factors to prove a user’s identity: possession and inherence, or something you have and something you are. Making access decisions based on something you have or something you are creates a more secure and more user-friendly authentication system.

The Benefits Of Passwordless Authentication

Passwordless authentication provides numerous benefits to an organization and its customers. Some of the most significant benefits of passwordless authentication include:

  • Security: Password-based authentication is notoriously insecure, resulting in many account takeover attacks and the development of supplemental protections such as multi-factor authentication (MFA). Most passwordless authentication mechanisms offer more robust security than the password and eliminate the risk of password data breaches that put customers at risk.
  • Convenience: Passwords require users to recall and type in long, complex, and unique passwords to access online accounts. Many passwordless authentication mechanisms require no user input, making them faster and more convenient for users.
  • Scalability: Password-based authentication requires users to retain many unique passwords, which creates tradeoffs between the number of unique accounts and their security. Passwordless authentication systems avoid this issue because identity is established by possession of a device or by the user’s physical attributes, neither of which has to be memorized per account.
  • Overhead: Password-based authentication systems create significant overhead as IT and help desk personnel deal with lost or forgotten authentication information. Passwordless authentication eliminates the overhead and inconvenience of password resets.
  • Cross-Channel Authentication: Password-based authentication often requires a user to sign in multiple times if they switch between browsers, devices, or channels. With passwordless authentication, it is much easier to move between these channels and keep customers engaged throughout their journey. Similarly, passwordless makes it possible to authenticate users through non-digital channels, like call centers, kiosks, or brick-and-mortar stores.

What Are Examples of Passwordless Authentication?

The passwordless authentication process can use a variety of different methods. Some passwordless authentication examples include:

  • SMS-Based OTP: A common form of passwordless authentication is to have a one-time password (OTP) sent to the user over SMS. This PIN, usually 4-8 digits, proves that the user has access to a trusted phone that received the text.
  • Email-Based Authentication: Email can also carry authentication information for a user. This information may be an OTP, as with SMS, or a magic link that contains a one-time security token. Entering the OTP or clicking the link proves control of the email inbox and grants access to the account. A typical magic link login example is clicking “login by email” instead of entering a password, especially during a password recovery flow.
  • Authenticator Apps: Authenticator apps like Authy or Google Authenticator generate OTPs on a smartphone. These apps use a synchronized algorithm so that the server and the smartphone both calculate the same OTP for the same moment in time. Entering the right OTP proves possession of the trusted smartphone.
  • Hardware Tokens: Hardware tokens like YubiKeys connect to a computer via USB, Bluetooth, or NFC, or generate an OTP that the user enters into the authentication page. These tokens prove identity by demonstrating control over the physical token.
  • Digital Certificates: Digital certificates prove ownership of a particular public key used to verify digital signatures. If a user can generate a valid digital signature in response to a challenge, they must control the corresponding private key and are the account’s legitimate owner. These key pairs are part of a larger authentication methodology known as PKI (Public Key Infrastructure), which is built on public-key cryptography.
  • Biometrics: Biometric authentication uses the unique physical features of a user to prove their identity. Standard examples of biometric authentication include fingerprint and facial recognition, but voiceprints, iris scanning, and other mechanisms are also commonplace.

Is Passwordless Authentication Secure?

All methods of passwordless authentication provide stronger security than a password. Eliminating the potential for reused and weak passwords decreases the probability that a user will undermine authentication security. Additionally, authentication systems that require possessing a particular object or the presence of a legitimate user are more challenging to defeat remotely.

However, not all passwordless authentication systems are created equal, and not all offer the security that companies and customers need. For example, SMS-based OTPs have not been recommended as an authentication factor by NIST since 2017. Passwordless authentication systems that depend on the user typing in an OTP are also vulnerable to real-time phishing attacks, in which the code is relayed to the attacker while it is still valid.

Often, these systems are not considered true passwordless authentication because they rely indirectly on a password. For example, passwords for user authentication are common in email systems, so a “passwordless” system that uses OTPs or magic links transmitted by email still uses passwords for its security, just not one stored and managed by the application.

Other passwordless authentication mechanisms offer more robust security. For example, passwordless authentication based on digital certificates or biometrics provides robust authentication and protection for user accounts.

Passwordless Authentication vs. MFA

Many of the passwordless authentication mechanisms described here may be familiar due to their use in multi-factor authentication (MFA) systems. For example, a common MFA system combines a password with an OTP. However, passwordless authentication and MFA, while related, are distinct. 2FA, or two-factor authentication, is similar to MFA, but it typically isn’t used when referring to passwordless systems. While there isn’t a technical distinction, MFA tends to imply a higher level of sophistication than two-factor authentication.

Multi-factor authentication’s name comes from the fact that it uses two or more different factors for authentication. The main goal of MFA is to bolster the poor security provided by passwords; passwordless authentication solves this problem by avoiding the password entirely. Possession-based and inherence-based factors can provide strong security, and the password’s contribution is negligible.

For additional security, organizations may choose to implement passwordless MFA. Passwordless MFA combines a “something you have” with a “something you are” factor to provide stronger authentication. A user may use fingerprint or facial recognition to unlock a digital certificate stored on a trusted device. Only the right person with the right device can authenticate.

Passwordless Authentication Is The Future

Attempts to kill the password have been ongoing for years due to its notoriously poor security. However, the belief that passwords are easier for consumers and companies has hindered these efforts.

The reality is that many passwordless authentication systems are far more user-friendly, requiring only a tap of a finger or a quick glance at a camera to authenticate rather than recalling and entering a long, complex password. Additionally, the integration of open standards and fingerprint readers and cameras into many devices means that implementing secure, usable passwordless authentication is possible for companies of any size.

While passwordless authentication is a powerful component of any identity framework, it is just one step in comprehensive CIAM (Customer Identity and Access Management) modernization. For many companies, CIAM modernization proves challenging because of multiple vendors, legacy code, and expensive change management.

Transmit Security’s cloud-native CIAM platform combines leading-edge passwordless authentication with end-to-end fraud detection — all without the complexity of traditional decentralized architecture. Consolidating the identity environment with Transmit Security is ideal for businesses looking to rapidly implement passwordless authentication while gaining increased visibility across their entire identity landscape. Request a demo today to learn more about how you can deploy passwordless CIAM in your organization’s applications.
