passwordless authentication on mobile device

What is Passwordless Authentication?

Passwordless Authentication — Your Questions, Answered

Security paradigms are changing, and companies need to balance robust protection with employee convenience. One of the main pain points for end users is passwords — having to manage multiple passwords across hundreds of websites and accounts can create significant frustration. Increasingly, security experts are focusing on passwordless authentication — authorizing users to access business networks and services without a password while maintaining high levels of protection.

We’ll explore the main issues with passwords as they exist now, explain what passwordless authentication is, how it solves problems, and some best practices for implementation.

What Are the Main Issues with Regular Passwords?

Passwords cause significant problems for end-users and security managers:

  • Every website account, online asset or secure service typically requires a password, meaning users need to track and manage dozens or hundreds of passwords
  • Different accounts have different password rules — some may require certain amounts of uppercase and lowercase letters, while others may not allow symbols
  • Difficulties remembering passwords mean they are often extensively duplicated and reused across services, leading to significant security vulnerabilities and data breaches
  • Previously hacked passwords appear on the Dark Web where hackers can gain access and use them in future attacks
  • The majority of cybersecurity attacks rely on using passwords to breach company systems and data

In short, passwords are a major compromising factor in security, hence the shift to passwordless authentication.

What is Passwordless Authentication?

Passwordless authentication allows identity and access management platforms and individual systems to verify and authenticate users without the need for a password. Instead, users prove their identities using alternative methods like security tokens or biometrics. Typically, multi-factor authentication provides an extra layer of protection to the password — passwordless authentication goes beyond that and removes the need for the password altogether.

What Are Some Common Ways to Achieve Passwordless Authentication?

Every business has unique requirements for identifying authorized users — the depth and breadth of access, sensitivity of data, and type of user all contribute to authentication rules. Cybersecurity managers have various approaches for password alternatives:

  • Unique device fingerprints that can be compared to a known baseline
  • Authentication apps installed on a user’s device
  • Security tokens that generate unique login information based on public key cryptography
  • Biometrics such as face recognition, voice analysis, fingerprints, or various other techniques

Each business can decide on the right mix of authentication approaches, and they can be used regardless of whether passwords are required or not.

How Does Passwordless Authentication Solve Security Team and End User Problems?

Passwordless authentication provides several advantages:

  • Security teams can avoid many of the issues of accounts being hacked via duplicate passwords, as there are no passwords to hack
  • Passwordless authentication is hard to fake. Authentication factors such as cryptographically generated authentication tokens change all the time, and it’s difficult to duplicate biometric information.
  • End users don’t need to remember many different passwords, instead they only need their alternative passwordless means of authentication

What Are Some Passwordless Authentication Best Practices?

Here are some general principles on getting your passwordless authentication right:

  • Use an integrated Identity and Access Management platform to manage authentication from all types of users and endpoints
  • Collaborate with users on introducing passwordless authentication so you can identify and resolve any potential friction or resistance
  • Use out of band authentication (i.e. a secondary secure channel for authentication, that is separate to the primary communication channel) to guard against phishing attacks
  • Combine a device generated cryptographic OTP with a device managed PIN, known only to the user
  • Consider multiple authentication techniques and combine them according to the sensitivity of the data and systems your users are accessing
  • Use adaptive authentication to provide extra challenges to users who differ from their usual patterns when logging in (e.g. a different location, time, or device.)

Ready to move toward passwordless authentication with a solution that makes your entire organization happy? Learn how the Crescendo Portfolio makes it easy.

Milan Khan is a Product Manager within the Identity and Access Management Solutions business area at HID Global. Responsible for the HID Cloud Authentication Service, he’s successfully launched the product and continues to champion the improvements. Milan has worked within the IT security industry for over 16 years, primarily in customer-facing roles, understanding customer needs and drivers. He is keen to solve customer’s identity, access and authentication problems while innovating and improving customer experience.