How Does Passwordless Authentication Work? (Part 1)
Being in the industry of authentication, we get quite a lot of questions on the topic, especially on how to get rid of passwords while maintaining a high level of assurance.
To make access to this information a bit easier, we decided to put out a blog series with answers to the most commonly asked questions.
Here’s the rundown of ongoing passwordless questions:
Q: How does passwordless authentication work?
A: What makes passwordless platforms unique is that authentication credentials are never fixed within the system.
Every time a user sends a request for access, a new authenticating message has to be generated.
This is what occurs, for instance, when a system sends a confirmation link (magic link) to your email address. When you click the link, it indicates to the server that the user has been verified. A similar process occurs with one-time passwords sent via email or SMS. Once the code is entered, the application confirms it is in fact the one it generated shortly before and delivered to you. This allows the requested session to start.
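To make the mechanism concrete, here is an added example (written for this page, not code from the original post or from Secret Double Octopus) of the server side of the flow just described: every access request mints a fresh random credential, the server keeps only a hash of it with an expiry, and the credential is accepted exactly once. The same record serves both a magic link (the token travels in a URL) and an emailed or SMS code (a short numeric token, which additionally needs a cap on wrong guesses). The challenge lifetime, the attempt cap, the `example.invalid` URL and all function names are illustrative assumptions.

```python
"""Minimal one-time credential issuance and verification (magic link / OTP).

Added example for this FAQ; not the original post's or any vendor's code.
Lifetimes, limits, URL and names are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 600   # assumed lifetime for a code or link: 10 minutes
MAX_ATTEMPTS = 5          # assumed cap on wrong guesses against one challenge


@dataclass
class Challenge:
    user_id: str
    token_hash: bytes      # only the hash is stored; the raw token goes to the user
    expires_at: float
    attempts: int = 0


# Pending challenges keyed by a random challenge id (a "selector"). The id is
# safe to place in a URL and lets verification find the record without the
# secret token itself ever being used as a lookup key.
_pending: dict[str, Challenge] = {}


def _hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def _issue(user_id: str, token: str, now: float) -> str:
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = Challenge(user_id, _hash(token), now + TOKEN_TTL_SECONDS)
    return challenge_id


def issue_magic_link(user_id: str, now: Optional[float] = None,
                     base_url: str = "https://example.invalid/login") -> str:
    """Mint a fresh token for this request and return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)              # new credential on every request
    challenge_id = _issue(user_id, token, now)
    return f"{base_url}?id={challenge_id}&token={token}"


def issue_otp(user_id: str, now: Optional[float] = None, digits: int = 6) -> tuple:
    """Mint a fresh numeric code to send by SMS/email; returns (challenge_id, code)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    return _issue(user_id, code, now), code


def parse_magic_link(url: str) -> tuple:
    """Pull (challenge_id, token) out of a link produced by issue_magic_link."""
    qs = parse_qs(urlparse(url).query)
    return qs["id"][0], qs["token"][0]


def verify(challenge_id: str, presented: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if `presented` matches an unexpired, unused challenge.

    The challenge is consumed on success and discarded on expiry or after
    MAX_ATTEMPTS wrong guesses, so a link or code is never accepted twice and a
    short numeric code cannot be guessed exhaustively.
    """
    now = time.time() if now is None else now
    ch = _pending.get(challenge_id)
    if ch is None:
        return None
    if now >= ch.expires_at:
        del _pending[challenge_id]
        return None
    ch.attempts += 1
    if hmac.compare_digest(_hash(presented), ch.token_hash):   # constant-time compare
        del _pending[challenge_id]                             # single use
        return ch.user_id
    if ch.attempts >= MAX_ATTEMPTS:
        del _pending[challenge_id]
    return None


if __name__ == "__main__":
    link = issue_magic_link("alice")
    cid, tok = parse_magic_link(link)
    print("first click  ->", verify(cid, tok))   # alice
    print("second click ->", verify(cid, tok))   # None: already consumed
```

The two properties that make this "never fixed within the system" are visible in `verify`: the record is deleted the moment it is used, and the stored value is a hash, so the database never holds anything that could be replayed as a credential.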
Q: Will the move to a passwordless solution be costly to my organization? Does more secure mean more expensive?
A: One of the most commonly misunderstood points on going passwordless is the cost of implementing such a platform.
This is most often because buyers look at the expense of the platform itself without comparing it to the total cost of ownership (TCO) of maintaining a password-based scheme.
The truth is, passwordless systems overall can drastically cut IT costs for an enterprise. There is a broad spectrum of costs associated with keeping password-based authentication. These include managing passwords, setting password policies, and encrypting stored passwords. Additionally, going passwordless eliminates helpdesk tickets for password resets, which according to Forrester can run anywhere from $25 to $70 per call.
Q: Will enrollment require IT involvement? If so what type of maintenance will be required from IT?
A: The degree to which IT will be involved in your passwordless authentication scheme depends on the type of platform you choose.
On-premises solutions usually require on-site hardware and designated servers. This means that the company will be responsible for maintaining these machines and repairing them if need be. Additionally, going with an on-site system may put the onus on company IT to address any malfunction that may arise with the system itself.
Solutions that offer identity as a service (IDaaS), on the other hand, come with their own hosted architecture, eliminating the need for in-house servers. Part of subscribing to these services means the solution provider will address malfunctions and other troubleshooting issues. These benefits will, of course, have to be weighed against monthly or yearly subscription payments and security considerations.
Q: What are the options I have for passwordless authentication? Which solutions are considered the most secure?
A: The password alternatives available on the market today cover a pretty broad spectrum.
These system types include:
• Software tokens
• SMS delivered codes
• Hardware authentication devices (“hard” tokens)
While all of these systems offer a leg up on security relative to passwords, each one of them has been shown to possess serious vulnerabilities. From a security perspective, the strongest passwordless solutions consist of multi-channel and out-of-band authentication mechanisms.
This feature is what makes Secret Double Octopus’s technology resilient to the full range of known attacks.
Q: Is passwordless authentication user-friendly? What type of pushback should I expect?
A: For many companies, the obstacle in front of leaving a password-based system is simply lack of familiarity.
Passwords have been around forever. People know how to use them. Managers often think that moving to a new platform will take a serious toll on user experience and disrupt workflow.
In reality, the overwhelming majority of corporate employees today prefer passwordless technologies specifically because of the ease of use they provide. Solutions such as push notifications, for instance, are revolutionizing authentication by providing not just a substantial increase in security, but also relieving users of the burdens of remembering and securing passwords.
Q: Which is the fastest passwordless solution to implement? (for 500 users)
A: The vast proliferation of personal smart devices has made passwordless solutions highly scalable, even for large company workforces.
The fastest platforms for an enterprise to switch to will be the ones that harness employee mobile devices and turn them into mobile authenticators.
Q: Can a passwordless solution be implemented in a hybrid enterprise (cloud/on-premises)?
A: Yes. Due to the increase in the integration of on-premises and cloud-based identity management systems, many authentication solutions have adapted themselves to this model.
The Octopus Authenticator integrates fully with network services such as Microsoft’s Active Directory and with other cloud platforms, making it a suitable solution for hybrid enterprises.