Passwordless Authentication

Passwordless authentication? Typical reactions to this phrase include “how is that possible?” or “how is that secure?” Passwords have been around since the 1960s and have become a daily staple in everyone’s lives. For each system a person accesses, there generally is a password associated with it, and a user’s passwords should be unique across all systems. If you’re like me, then you have more passwords than could ever be remembered in a lifetime. A big step toward helping keep complex passwords secure was the arrival of password vaults like KeePass or LastPass. These vaults allow you to use one extremely strong password to protect all of your other extremely strong passwords without having to remember each one of them on your own.

Having passwords as the only factor of authentication leaves applications and systems vulnerable to credential stuffing and brute forcing from malicious actors. Internal users can cause trouble as well by reusing credentials and sharing credentials with other users. The good news is, having a password serve as the sole factor for authentication is fading. Multi-factor authentication (MFA) has been on the scene for awhile now and helps reduce the risks involved with passwords being compromised. With MFA enabled, even if a malicious actor has a user’s username and password, they can be blocked on a majority of systems if they are unable to also provide the second authentication factor required, such as a one-time-password (OTP) or USB token.

What is Passwordless Authentication?

Passwordless authentication, simply put, removes the password from the authentication process and instead uses a different factor, such as an OTP, as the sole factor for authentication. Now, this does not need to be an OTP; it can be one of any number of factors. As a reminder, authentication factors fall into one of three categories:

  • Something you know (password, PIN, etc.)
  • Something you are (biometrics)
  • Something you have (cellphone, OTP token, etc.)

As an example, Microsoft Outlook now offers a passwordless authentication experience. Microsoft has developed a mobile application named Microsoft Authenticator. When a user goes to log in to Outlook, the login prompt will appear showing a number. The user then opens that mobile application on their device, where there will be three unique numbers displayed. Two out of the three numbers are random, but the third will match what was shown inside the login prompt. The user simply clicks on the correct number in the mobile application and then Microsoft logs them in.

Another quick example is an application that uses a simple mobile push. When a user goes to log in, the only item that the user will need to enter is their username. From there, a mobile push will appear on the user’s mobile device of choice, which the user confirms to continue the login process.

Increased Security Benefits

Moving away from passwords as a sole factor for authentication helps increase the security of an environment. In 2019, around 29% of breaches involved the use of stolen credentials. Passwordless authentication removes passwords completely, which means brute forcing, credential sharing, credential reuse and pass-the-hash attacks become things of the past. Many times, it is also more convenient for users as there are no passwords to memorize. As a note, this does not mean passwords will completely disappear. For privileged accounts, MFA should always be used, and passwords tend to be the easiest and most economical way to implement a second authentication factor.

So should your organization move to passwordless authentication? That is going to depend on the culture within your organization. There is little downside to moving from password-only to passwordless authentication. The challenge for many organizations is where this implementation will reside inside of the current priorities set for the organization. Most organizations have already gone through the growing pains of deploying MFA. If the vendor you utilized to implement MFA currently supports passwordless authentication, the amount of effort to deploy this change is low. However, if your vendor does not support passwordless authentication, your organization will want to do an analysis to make sure the costs associated with deployment are reasonable.

Have any questions about password security? Please contact us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author