No More QWERTY: We’re Moving Toward Passwordless
Passwordless authentication has become increasingly popular among security-conscious digital natives in recent times.
It’s okay if you want to double-check this. Yes, it’s true. Authentication without a password is not just possible, it can offer you stronger security than a password does.
Without further ado, let’s dive right in and learn what makes passwordless security so unique.
What is passwordless authentication?
In one of our previous articles, where we talked about two-factor authentication, we defined what authentication is.
It can consist of up to three different factors:
- Something you know
- Something you have
- Something you are
Below, we’ll explain what each of those means.
At a very basic level, passwordless authentication verifies a user’s identity without a password or any other memorised secret, aka something you know.
But how do you verify your identity then? Well, there are at least two alternative ways:
- Possession factor, aka something you have
This method means you use something you possess to verify your identity: a registered mobile device, a hardware token, or a one-time password (OTP) that is generated on, or delivered to, a device only you hold.
- Inherent factor, aka something you are
This method requires you to provide a biometric signature, such as a fingerprint, a voice or retina scan, or facial recognition.
Different types of passwordless authentication exist. In fact, verification is possible through:
- Multi-factor authentication. This is a combination of two or more authentication factors (something you know, something you have, something you are) which a person uses to verify their identity. It is only passwordless when none of the factors is a memorised secret, e.g. a registered device unlocked with a fingerprint.
- SMS. This is usually a short-lived unique OTP (valid for a few minutes at most) sent to the user’s registered mobile number, which they then type into the login form. Bear in mind that whoever controls that phone number receives the code too.
- Email. This is a magic link (or in some cases an OTP) delivered to a user via email. A magic link carries a unique, randomly generated token created for that one login attempt. When the person clicks the link, the service looks up the token, checks that it has not expired or already been used, and signs them in.
- Biometrics. Like we’ve already mentioned, this is authentication via a fingerprint scan, facial recognition or any other biometric method.
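To make the expiry and single-use rules concrete, here is an added example (not code from the original article) of a service that issues and redeems both magic links and SMS/email one-time codes. The `PasswordlessLogin` class, the `https://example.com/login` endpoint, the 15-minute lifetime and the five-attempt cap on codes are assumptions for illustration; a real deployment would keep the records in a database rather than in memory.

```python
"""Single-use, time-limited login secrets for magic links and OTP codes (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a link or code is valid for 15 minutes
MAX_CODE_ATTEMPTS = 5         # assumed policy: a 6-digit code has only 10**6 values, so cap guesses


def _hash(secret: str) -> bytes:
    # Only the hash is stored, so a leaked table does not yield working links or codes.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Pending:
    email: str
    secret_hash: bytes
    expires_at: float
    attempts: int = 0


class PasswordlessLogin:
    """Issues and redeems magic links and one-time codes (in-memory, for illustration)."""

    def __init__(self, base_url="https://example.com/login", clock=time.time):
        self.base_url = base_url              # assumed login endpoint
        self.clock = clock                    # injectable so expiry can be tested
        self.links: dict[str, Pending] = {}   # selector -> pending link
        self.codes: dict[str, Pending] = {}   # email -> pending code

    # --- magic link -----------------------------------------------------------
    def issue_link(self, email: str) -> str:
        # The selector is used for lookup; the verifier is the secret and is only stored hashed,
        # so the lookup itself leaks nothing and the comparison below is constant-time.
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.links[selector] = Pending(email.lower(), _hash(verifier),
                                       self.clock() + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={selector}.{verifier}"

    def redeem_link(self, token: str):
        """Returns the authenticated email, or None. Each link works exactly once."""
        selector, sep, verifier = token.partition(".")
        record = self.links.get(selector) if sep else None
        if record is None:
            return None
        if self.clock() > record.expires_at:
            del self.links[selector]           # expired: drop it
            return None
        if not hmac.compare_digest(record.secret_hash, _hash(verifier)):
            return None
        del self.links[selector]               # single use: burn the token on success
        return record.email

    # --- one-time code (SMS or email) -----------------------------------------
    def issue_code(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[email.lower()] = Pending(email.lower(), _hash(code),
                                            self.clock() + TOKEN_TTL_SECONDS)
        return code   # hand this to the SMS/email sender; never write it to logs

    def redeem_code(self, email: str, code: str) -> bool:
        record = self.codes.get(email.lower())
        if record is None:
            return False
        if self.clock() > record.expires_at or record.attempts >= MAX_CODE_ATTEMPTS:
            del self.codes[email.lower()]      # expired or brute-forced: invalidate
            return False
        record.attempts += 1
        if not hmac.compare_digest(record.secret_hash, _hash(code)):
            return False
        del self.codes[email.lower()]          # single use
        return True


def token_from_url(url: str) -> str:
    """Extracts the token query parameter from a magic link."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    svc = PasswordlessLogin()
    link = svc.issue_link("alice@example.com")
    print("send this link:", link)
    print("first click  ->", svc.redeem_link(token_from_url(link)))
    print("second click ->", svc.redeem_link(token_from_url(link)))
```

The split into a selector and a hashed verifier is what lets the service store nothing that is itself usable as a credential; the attempt counter on codes matters because a six-digit code, unlike a 256-bit token, can be guessed if the server allows unlimited tries.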
Perks of going passwordless
Now you know the wide range of authentication methods passwordless can offer, we’re ready to talk about passwordless benefits. They are:
- Better user experience
This one is rather obvious. Logging in to an online account without a password takes less time than typing 16 characters of mixed-case letters, digits and symbols. With only an email address or a mobile phone, signing up is far easier.
- Multi-layer security
Passwords are not as secure as they are thought to be, especially now that we spend so much of our lives online. Many people reuse the same password across ten or more accounts, and data breaches are announced day in and day out. Passwords are a major weak point and we can no longer rely on them alone.
- IT management costs
Believe it or not, managing passwords is expensive. To keep its infrastructure secure, every business has to set up and run password reset and expiration processes, detect breached passwords, enforce password complexity policies, and so on. Dropping passwords is one way to cut those operating costs.
But, wait, what’s wrong with passwords?
It’s difficult to believe, but passwords are on their way out. Let’s take a deeper look at why this is happening.
Passwords hinder user experience
You can always come up with a crazy password you’ll never forget. But what if you had to come up with 150 of them?
Why 150? That is the number of online accounts an average US internet user has to remember a password for, and the number is only expected to grow.
Adding to the hassle, password rules vary from one app to another. Users end up with multiple variations of a single password spread across up to 10 accounts, so it’s unsurprising that 50% of them feel annoyed or hassled by having to use passwords at all.
Passwords can put user security at risk
Sad but true. Though passwords should be secure by design, they often are not. Here’s why.
- Account takeover and identity theft. Passwords often lead to it: 81% of hacking-related breaches involved old, weak or stolen passwords.
- Phishing and man-in-the-middle attacks (MitM). Bad actors mimic a service’s login screen and encourage the victim to enter their password there; in the MitM variant, whatever the victim types is relayed to the real site in real time. That’s how the name of your pet used as a password gets leaked. Oops. Conventional multi-factor authentication raises the bar but does not close this hole, because a one-time code typed into the fake page can be relayed just as easily; only a credential bound to the genuine site, such as a hardware security key, resists it.
- Credential stuffing. Since many people reuse the same password for multiple accounts, it should be obvious why bad actors succeed with credential stuffing. Just remember the major data breaches, like those at Yahoo! or Marriott International; 383 million (!) people were affected in the latter. After such a breach, cybercriminals buy the stolen credentials and try them en masse against other services. Every reused password gives them instant access to yet another account.
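Credential stuffing leaves a recognisable signature in authentication logs: one source trying many different usernames in a short window, with most attempts failing. As an added example (not from the original article), the following detector runs over a few constructed log lines and flags that pattern, listing any account that did log in successfully from the flagged source so it can be forced to re-authenticate. The log format, the thresholds and the IP addresses are all assumptions for illustration.

```python
"""Flag credential-stuffing sources in an authentication log (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed tuning: look at a 10-minute sliding window
MIN_DISTINCT_USERS = 8           # assumed: this many different usernames from one IP ...
MIN_FAIL_RATIO = 0.7             # assumed: ... with at least 70% of attempts failing

# Constructed sample log in an assumed "timestamp ip username OK|FAIL" format.
# 203.0.113.7 sprays ten accounts in a few seconds; 198.51.100.2 is one user mistyping.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin OK
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:05Z 203.0.113.7 grace FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:06Z 203.0.113.7 ivan FAIL
2024-05-01T10:00:06Z 203.0.113.7 judy FAIL
2024-05-01T10:01:00Z 198.51.100.2 alice FAIL
2024-05-01T10:01:30Z 198.51.100.2 alice FAIL
2024-05-01T10:02:00Z 198.51.100.2 alice OK
2024-05-01T11:30:00Z 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Alert:
    ip: str
    start: datetime
    end: datetime
    distinct_users: int
    failures: int
    attempts: int
    compromised: list   # accounts that logged in OK from this source: force re-auth


def parse(log: str) -> list:
    """Parses log lines into time-ordered events, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m[2], m[3], m[4] == "OK"))
    events.sort(key=lambda e: e.ts)   # stable, so same-second lines keep log order
    return events


def detect(events: list) -> list:
    """Returns one Alert per source IP whose sliding window crosses both thresholds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > WINDOW:   # slide the window forward
                window.popleft()
            users = {w.user for w in window}
            fails = sum(1 for w in window if not w.ok)
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                start = window[0].ts
                # Any success from a stuffing source after the spray began is a likely takeover.
                compromised = sorted({w.user for w in evs if w.ok and w.ts >= start})
                alerts.append(Alert(ip, start, e.ts, len(users), fails, len(window), compromised))
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(f"{a.ip}: {a.distinct_users} users, {a.failures}/{a.attempts} failed "
              f"between {a.start:%H:%M:%S} and {a.end:%H:%M:%S}; re-auth {a.compromised}")
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single user fumbling their own password, which is why 198.51.100.2 is left alone. A spray spread across many source addresses will slip past a per-IP rule like this one and needs a per-account or fleet-wide view as well.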
Passwordless authentication: what does the future hold?
Now you know authentication without a password can be even more secure than one with it, it’s time to face the sad truth: it is still not perfect.
Fraud is possible even without passwords. SMS-based authentication in particular has reportedly been targeted many times, since a code sent to a phone number is only as safe as control of that number.
In addition, there’s still no protection from RAT-in-the-Browser (RitB) attacks. Malware running inside a compromised browser can show you a normal-looking page where you’ll input your one-time password, then capture or relay it, with no sign anything has been compromised; any password captured the same way unlocks every account it was reused on.
The devices you use for authentication are not perfect either. To a certain extent, the information you share through them, a biometric included, can be captured, replicated and reused, and unlike a password a fingerprint cannot be changed once it leaks.
What could be an effective solution is multi-factor authentication combined with behavioral biometrics. The latter relies on behavioral patterns unique to each user (how they move the mouse, the way they type, the angle at which they hold their phone, etc.). But research is still needed to test the convenience and security of this method. Only time will tell if this is the perfect form of authentication we’ve all been waiting for...