Passwordless Authentication

What is Passwordless Authentication?

The phrase might sound weird, but Passwordless Authentication is actually a more secure way to authenticate users that traditional password methods. The term describes ways of knowing someone is who they say they are by way of something you have, something unique about you or something you know. It is common to use more than one of these methods, also known as Two-factor Authentication (2FA) or Multi-factor Authentication (MFA), at a time.

Types of Passwordless Authentication

Something You Have

Something you have, is a physical device such as a phone (authenticator app, SMS text), a keyfob, or possibly some other proprietary device that only you have.

Something About You

This is typically some physical trait or characteristic about you that is unique to you (also known as biometrics). The most common of these is fingerprint and face. Less common are also things like retina scans and your unique voice "fingerprint".

Something You Know

This is something that only you would know or more specifically, something that a nefarious user would NOT know. Things that fall into this category are security questions like your favorite pet, your best friend's name or where you were born. More commonly, this is an actual password that you know and remember.

Why are Passwords Bad?

Passwords that are memorable are typically less secure, which means they are prone to dictionary attacks. These types of passwords are also common to be reused across multiple sites or logins. This increases the chance of a password being discovered and exploited across multiple services for a given user.

Less memorable passwords tend to be stored somewhere in a password manager like 1Password, or worse, a text file or note taking app. Password managers are worlds better (as they are encrypted), but they can still be potentially hacked or coerced in some way or another.

In addition, using a password only means that a hacker only needs to overcome a SINGLE attack vector. This means that if they get your password, they now have your account.

Why is Passwordless Better?

Passwordless is better for the following reasons...

1. Easier to use - Even though passwords are still used for an initial method of authentication, they are typically not required repeatedly each time a user logs in. Passwords are annoying to users, so not having to enter a password on a regular basis means that users will tend to choose a more secure password (or use a password manager for a storing a long, randomly generated password).
2. More secure - Passwordless, in general, means that you are always using two or more forms of authentication. The most common is to use a mobile phone (something you have) along with either a phone pin # (something you know) or a face/fingerprint sensor (something about you).

The security reason deserves more attention. Not only are you using more than one form of authentication, but you are also reducing the risk of an attack SIGNIFICANTLY by requiring multiple attack vectors for a hacker to have to resolve. For example, if someone figures out your password, they still need to get your phone (or keyfob). Conversely, if they gain access to your phone, they still have to remember a password (or have you present).

Nothing is ever 100% unhackable, but enabling 2FA/MFA can reduce the chances, exponentially, of a successful attack.

Moving My Business to Passwordless

Are you ready to implement passwordless authentication for your existing website or app? While this is typically a developer-oriented task, it is usually relatively straight forward to implement over existing infrastructure. The most common way of adding 2FA or MFA to parts of your infrastructure is to integrate with larger providers such as Microsoft, OKTA, etc. in order to support SSO (Single-Sign On) which will also have the side benefit of enabling 2FA/MFA with their respective proprietary offerings.

In many cases, your situation may be simpler in that you just want to add basic 2FA (using a free phone app such as Google Authenticator). In this case, there are many libraries available for every language that will add support for "TOTP" (Time-Based One-time Password) specification. These libraries essentially allow you to generate one-time passcodes in the same manner that Google Authenticator (and other authenticator apps that support the RFC 6238 specification) does, so that users can authenticate with a one-time passcode on their phone (something they have) that is secured with a passcode (something they know) or a face/fingerprint (something about them).

Most, if not all, businesses should begin using 2FA/MFA today. Relying on passwords alone for security that is critical to your business is high risk in 2022.