Passwordless authentication refers to any identity verification method that doesn’t use a password. Some examples of passwordless authentication include physical security keys, specialized apps, email magic links and biometrics. Passwordless authentication solutions vary in terms of features and implementation, but all of them enable users to log in without creating or memorizing a static password. Going passwordless means eliminating passwords from the login process to reduce friction, increase security and provide a better user experience.
Passwordless authentication is used in both commercial and industrial applications. For example, some enterprises use physical security keys to protect vulnerable digital assets, and customers of certain online merchants can use their fingerprint to confirm a purchase on their mobile devices. Passwordless authentication isn’t limited to these methods or use cases, though — it includes a wide range of implementations with varying feature sets and advantages.
Why are passwords weak in authentication?
Password-based authentication is inherently vulnerable to attacks that target the weakest link in the security chain — the user. People are ultimately going to make a mistake with their passwords, either using them multiple times across many services or not making them secure enough. In a phishing attempt, they might even hand over their passwords willingly. 80% of successful hacks are performed using stolen credentials, and very few breaches are due to security holes found elsewhere in a system.
Passwordless authentication is an attempt to solve the problem that passwords present. While there is no perfect way to secure an account, passwords alone are often recognized as the “old way” of doing things, with multiple additions created to make them less vulnerable. Multi-factor authentication (MFA), for example, is often used adjunctively with passwords to address the issues credential-based authentication creates. Of course, these bolt-on efforts only complicate things further and create extra steps for customers who are forced to use passwords in the first place.
The 6 types of passwordless authentication are not all equally effective
Although passwordless authentication has been around for decades, there are still emerging methods that continue to innovate and alter the identity industry’s landscape. For example, as TPM (Trusted Platform Module) requirements become more common, it’s possible to achieve certificate-based authentication on a huge range of platforms with minimal user prompting.
However, opinions vary on whether all the methods vendors describe as “passwordless” are truly what they claim to be. For instance, some solutions that offer biometric authentication simply bolt it onto a password-based architecture that doesn’t incorporate FIDO2 standards — which, unfortunately, leaves that data vulnerable to hackers who can intercept it.
The industry consensus is that these three methods are categorically passwordless:
- Biometric authentication (e.g., fingerprint, facial recognition and voiceprint)
- Dedicated hardware security tokens (e.g., YubiKeys)
- Certificate-based authentication
The second tier of passwordless authentication methods aren’t necessarily bad; they’re just arguably not completely passwordless. These three methods are:
- One-time passcodes (OTPs) sent by email or SMS
- Email magic links
- Authenticator apps
Why would someone argue that OTPs, email magic links, and authenticator apps are not truly passwordless? As long as the vast majority of email providers require only a password, verification that involves an email account can’t be completely passwordless. Because of this, an email OTP is effectively a pseudo-password gated by another, weaker password. OTPs via SMS are even less secure because they are vulnerable to SIM swap attacks, in which a hacker diverts text messages to their own device.
The same is true for magic links. Anyone with access to the email account in question can use the link. While they are extremely convenient, they still invite passwords to part of the process.
Authenticator apps that generate constantly changing OTPs or use other PIN-based methods are certainly more secure than relying on email account security, but they aren’t truly passwordless. An authenticator app is only as secure as the device it’s running on, and there are many ways to defeat a device’s security: malware, man-in-the-middle attacks and outright theft are all options that a hacker could take. Since there’s nothing intrinsic linking the account to the user, targeting the device that holds the authenticator is all that’s required.
How does genuine passwordless login work?
Passwordless authentication uses strong authentication and never shares any secrets, so everything relating to a user’s identity remains private. For this to happen, the system must use pairs of cryptographic keys.
A key pair is generated when a user initially registers a new account. The user holds a private key, and it never leaves their possession. The corresponding public key can be held by anyone. The pair required for logging in to a specific account will always include the same public and private keys.
Whenever they want to log in, a user has to unlock their private key with a local check, such as a face or fingerprint scan. Once unlocked, the private key signs a challenge from the service provider, and the provider verifies that signature with the public key it holds. Then, they’re granted access.
Passwordless login: a step-by-step look
Let’s take a closer look at the flow of genuine passwordless login by breaking it down step by step. First, let’s talk about how the factors of authentication work and what traditional, single-factor authentication looks like.
There are three factors of authentication, and you can mix factors for added trust. These factors are knowledge (something I know), possession (something I have), and inherency (something I am). When more than one of these factors is in use, it’s called multi-factor authentication or MFA. Here are a few examples of each factor of authentication:
- Possession: a hard token, USB key or mobile device with an authenticator app
- Knowledge: a password, PIN or answer to a challenge question
- Inherency: facial recognition, fingerprint or other biometrics
Most single-factor authentication requires a user to declare who they are (a username) and answer a knowledge-based challenge (a password). This low-security approach to authentication brings the burdens of security holes and a poor user experience.
However, the most critical thing to remember in single-factor, knowledge-based authentication is that the supposed “secret” is shared by both the user and the service provider. That means users have to trust their password with a company that may be vulnerable to cyber attacks — and may be unable to prevent that secret from getting out.
Genuine passwordless means no username, no password and no identifiers passed between parties. With genuine passwordless login, the goal is to keep a user’s identifiers under their control. The best way to achieve that is with the FIDO standard.
Unlike traditional MFA, which typically involves a combination of possession and knowledge factors, FIDO-based passwordless authentication links a user’s private key to a cryptographic public key. Whenever the user tries to log in, they verify their identity using the locally stored private key. When the signature it produces checks out against the registered public key, they’re given access.
Let’s walk through it step by step using the flow chart below:
- When a user registers for an app or service, a registration approval request is sent to their device. They confirm this request using their biometric reader.
- A private key is generated for the user.
- A corresponding public key is sent to the app or service.
- The public key is registered. Only the matching private key can produce signatures that this public key will verify.
- When the user tries to log in, a challenge is generated and sent to their device.
- The user approves the challenge by unlocking the private key with their biometric reader.
- The challenge is signed using the private key.
- The public key determines if the right private key was used, and the user is logged in.
And that’s it!
The most important thing to remember is that in genuine passwordless, a user’s private key serves as a buffer between them and the provider. Their biometrics never leave the device because they’re only used to unlock the private key.
The benefits and advantages of passwordless authentication
Passwordless authentication is beneficial for a number of reasons, but the most significant impact is on customer experience and security. Benefits to different organizations can vary depending on their unique needs. For example, a large customer-facing enterprise will reap the benefits of a better customer experience, but they’ll also find it’s the only way to execute their zero-trust policy at scale when working with a FIDO2-certified passwordless solution.
Here’s a short list of what you can expect from implementing passwordless authentication:
- A smoother and more convenient customer experience: Compared to passwords, passwordless authentication is typically much easier to navigate and use for customers. Not only are they no longer required to create and remember complex passwords, they’re also able to quickly authenticate and get back to shopping without the potential for getting locked out of their accounts. In our latest report, covered by The Wall Street Journal in their Tech That Will Change Your Life in 2022 post, we found that consumers are 44% more likely to sign up for a service if they could use biometrics and 35% more likely if a no-password option was available.
- Recovered revenue from reduced customer attrition: According to Mastercard, up to a third of customers will simply abandon their carts if they forget their passwords. If companies can reduce that margin by any amount, that’s revenue back in their pocket that they would have otherwise lost completely. Similarly, a more convenient identity experience will encourage customers to keep coming back thanks to its ease of use and mobile friendliness.
- Dramatically improved security that eliminates the threat vector of passwords: Unlike passwords, it’s impossible for hackers to crack passwordless biometrics. They can’t steal the biometric information and trick a service into accepting it, either. Not only does the biometric data remain locally on a user’s device, but FIDO2-based solutions use cryptographic key pairs that are impenetrable to outsiders. Likewise, if a password is stolen from another account, it can’t be used in a “credential stuffing” attack in which fraudsters try out one login across many services.
- Long-term savings from lower total cost of operation (TCO) and reduced infrastructure: Maintaining a password-based authentication system is expensive, both in terms of IT support and upkeep. Not only does it cost money to reset a user’s account, but it can also be a huge drain on resources to automate account recovery, staff call centers and maintain a support ticketing system. Large enterprises might spend millions every year on password-related support, and the long-term savings of eliminating passwords may easily be in the tens of millions for sizable companies.
- Significantly decreased complexity in the identity stack, making it easier to add and manage elements: One thing that often irks CISOs and IT departments is the complexity of increasing security on a password-based authentication system. As security requirements continue to evolve, many companies have been forced to adopt a bolt-on approach in which they add piecemeal elements to their identity stack one by one. This usually results in a difficult-to-manage and unwieldy authentication system. Passwordless solutions make achieving MFA and meeting regulatory requirements simpler, meaning fewer elements are needed to obtain the same results.
Passwordless biometric authentication
How does passwordless biometric authentication work?
To log in, a user must unlock their private key by passing a local check using device biometrics. As soon as the key is unlocked, it signs the service provider’s challenge, and the provider verifies that signature with the public key it holds. At that point, the user gets access to the service.
Device biometrics refer to the biometric readers embedded in endpoint devices. There are two main types of readers available in the market today: face readers and finger readers. Both include special hardware and sensors embedded in the device itself.
Face recognition in modern devices works by projecting and analyzing over 30,000 invisible dots to create a depth map of a user’s face while simultaneously capturing an infrared image. It then transforms the depth map and infrared image into a mathematical representation which is compared to the enrolled facial data.
Fingerprint scanning in modern devices uses advanced capacitive touch to capture high-resolution images of your fingerprint. The sensor reads fingerprints in any of 360 degrees of orientation, analyzes the subepidermal layers of the skin and categorizes each fingerprint into arch, loop or whorl categories.
It then maps individual details of fingerprint ridges, including variations like pores, and compiles all of the data together. The reader then uses this data to match and recognize fingerprints. The technologies behind fingerprint scanning and face recognition make them the most accurate authentication technologies in the market today.
Many passwordless solutions rely on the FIDO2 (Fast IDentity Online) standard, which is a combination of WebAuthn and CTAP (Client to Authenticator Protocol). FIDO2 uses pairs of cryptographic keys — a public key and a private key — instead of transmitting the data used to authenticate. If you use a FIDO2-based solution to log in with biometrics, the scan of your fingerprint or face never leaves your device. The biometric data unlocks your private key, which then signs the service’s challenge for verification against the public key. The recipient doesn’t even know what method you used to unlock the private key, only that a valid signature came back.
Passwordless biometric authentication is highly secure, and when supported by the FIDO2 strong authentication standard, it’s impossible for users’ private data to be sent without their authorization.
Is passwordless biometric authentication safe?
We’re often asked if biometric authentication is actually that secure. It’s not only highly secure, it’s better than virtually any other method of authentication available. But how much more secure is biometric authentication than passwords?
First, let’s talk about how vulnerable passwords really are. The average user probably pictures cyber criminals based on their depictions in movies and television: rapidly typing script kiddies who crack government databases in real time, adjusting to obstacles with jargon-laced riposte. “They backtraced our IP address! I’ll hold them off by allocating more RAM.”
In reality, many hackers are not coding whizzes. They’re con artists, or perhaps they discovered some particularly effective malware that came with easy-to-follow instructions. The point is that hackers rarely “hack” passwords and usernames using complex scripts or machine language. Instead, they steal credentials by phishing, social engineering or otherwise intercepting a user’s input. It’s far easier for a criminal to rob someone standing at the ATM than to pry the machine itself open.
Most so-called “hackers” aren’t executing complex attacks on reinforced databases — they’re walking in through the front door. Passwords are the vector most frequently targeted by fraudsters, and eliminating them gives attackers nothing to steal, manipulate or intercept. Compare that to biometric authentication, which to date has not been defeated in the wild.
Even in the laboratory, researchers have only been able to defeat facial recognition under impossible-to-replicate conditions. Simply put, biometric authentication is both very secure and worlds apart from passwords.
Passwordless authentication vs. MFA
Multi-factor authentication, or MFA, is a term used to describe authentication that requires two or more factors. In the most common applications, this includes both a password and a one-time passcode generated by an authenticator app, sent by SMS or received via email. MFA is really just a way of describing how many factors are involved in verifying a user’s identity. For example, a mobile device that unlocks using a fingerprint is only single-factor, but it’s still technically passwordless. It’s also still more secure than just using a password.
To prevent threat actors from simply stealing and using the device associated with a passwordless account, many passwordless solutions use some form of multi-factor authentication (MFA). To achieve MFA without complicating the process, device fingerprinting provides a second, invisible factor that ensures only properly registered devices can be authenticated. By combining biometrics with device fingerprinting, it’s effectively impossible for a hacker to impersonate a user.
Is passwordless authentication MFA?
What can confuse some when it comes to passwordless MFA is where the second factor comes from. If the authenticator service uses the FIDO2 standard, it’s the private key on the device itself. In simplest terms, FIDO2 uses a technology called device fingerprinting to ensure that the right private key on the device is used in combination with biometric authentication.
It’s possible to transfer trust to other devices, allowing them to also be used to authenticate the same user — but you can’t pick up just any unregistered phone and log in. This provides an additional layer of security that goes far beyond standard MFA. Even if hackers are somehow able to defeat the biometric authentication — which is virtually impossible — they still have to fool the device fingerprinting. For most cyber criminals, it’s not worth the effort. And, to date, no one has successfully pulled this off.
How do you implement passwordless authentication?
Only BindID provides totally passwordless authentication while protecting user privacy and offering omnichannel identity portability. As the first truly app-less password alternative, BindID creates a frictionless identity experience without the need for complex changes at the web and application levels. BindID is also identity provider-agnostic, meaning that it can work with any IdP you use.
The most compelling aspect of BindID is the fact that it takes only days to integrate it into all your channels. With ultra-fast implementation thanks to OpenID Connect standards, production can begin within weeks and with as little as one developer.
Compare this to the more typical identity management transformation programs which can take months and sometimes years. For organizations looking to quickly deploy a passwordless, strong biometric solution for their customers, now is the perfect time to explore BindID.
Solving the Password Problem Easily
Passwordless authentication and passwordless login may still be relatively new concepts, but they are quickly emerging as the most convenient and secure options available. BindID represents a dramatic leap forward in the industry that both improves the customer experience and provides an ironclad layer of privacy and security.
Ready to learn more? Explore more about BindID and how it can help your organization rapidly achieve genuine passwordless authentication.