
Multifactor Authentication In The Passwordless Age


Multi-factor authentication (MFA) has been the prevailing solution to address the inherent vulnerabilities of passwords, but the added security it provides comes with significant costs to own and operate, and users hate it. Passwordless authentication is reshaping MFA and redefining what it means.

What is multi-factor authentication?

Combining multiple forms of authentication for identity proofing results in multi-factor authentication (MFA). Historically, MFA was used as a way to improve the security of password-based authentication. Using a password (something you know) together with a dedicated key fob or registered mobile device (something you have) would provide multiple factors of authentication that are harder to phish, crack or hack, and therefore provide a higher level of assurance.

Today, it is possible to use multiple factors of authentication without passwords as one of the factors, resulting in passwordless MFA. The most commonly used authentication factors for passwordless MFA are the user’s registered mobile device together with a user PIN or fingerprint provided via the device’s built-in fingerprint sensor.

Common forms of MFA

Multi-Factor Authentication (MFA) is the use of multiple methods of authentication together to achieve a higher level of assurance that the user is who he/she claims to be. Additional methods of authentication were typically added to passwords to help overcome their inherent vulnerabilities. 

MFA can be implemented using different authentication methods, typically taken from two or more authentication domains. For example, a password, which belongs to the “something the user knows” domain, can be combined with a one-time code generated from a hardware token, which belongs to the “something the user has” domain. Alternatively, the user can present a biometric print – like a fingerprint – belonging to the “something the user is” domain.

Legacy MFA was used to provide additional security to passwords. So passwords were the first factor of authentication and the second factor was a hardware authenticator like a smart-card or OTP token. As smartphones became ubiquitous, the OTP capability migrated from a dedicated hardware device to an app on the user’s phone.

Side note: Two-Factor Authentication (2FA) is a specific case of MFA where the user has two forms of authentication. In the vast majority of cases, the first factor is a password and the second is either a smart-card or OTP device.

What is passwordless MFA?

Passwordless MFA means that passwords are not used as one of the factors/methods of authentication. So if MFA is the use of multiple methods of authentication together to achieve a higher level of assurance that the user is who he/she claims to be, then passwordless MFA uses a combination of authentication methods where passwords are not one of them.

Why is passwordless MFA better than legacy MFA?

Legacy MFA was conceived to overcome the inherent vulnerabilities of passwords. Relying on something the user knows meant that the authentication system was vulnerable to various forms of social engineering attacks that could easily cause unsuspecting users to give up their passwords to attackers. As a result, an additional form of authentication was added – one that could not be easily stolen by an attacker through simple phishing attacks. The additional authenticator was typically a smart card or OTP hardware token.

But the problem with legacy MFA is that passwords remain a valid means for authentication, and oftentimes the fallback method for authentication in cases where users lost their hardware tokens. This meant the security vulnerability created by passwords remained in place.

User experience also took a hit because in addition to the headache of recalling, entering and periodically resetting passwords, users now had to carry around their hardware authenticator, and key in additional secrets when logging in (with smart card tokens it was the smart card PIN and with OTP tokens it was the OTP code). It is no secret that users hate hardware tokens.

Costs went through the roof because procuring the hardware tokens was expensive and distributing them to users was an exorbitant logistical headache. Imagine sending an OTP token to a remote worker via FedEx or orchestrating the distribution of tokens to ten thousand employees.

With passwordless MFA, there are no passwords, so security is immediately improved. And with the right choice of authentication factors – for example a fingerprint (first form of authentication) on a registered mobile device (second form of authentication) – user experience can dramatically improve, and costs can be contained.
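
The distinctions above (factors drawn from different domains, passwordless versus legacy MFA, and the password left in place as a fallback) can be checked mechanically against an authentication policy. The following is an added example, not code from this page or from any product; the method names, the policy layout and the ranking are assumptions made for illustration.

```python
# Added example. Method names and the policy layout are assumptions.
DOMAIN = {  # authentication domain of each method
    "password": "knows", "pin": "knows", "security_question": "knows",
    "otp_token": "has", "smart_card": "has", "registered_device": "has",
    "fingerprint": "is",
}
# Ordering follows the article's argument: passwordless MFA ranks highest.
RANK = {"single-factor": 0, "legacy MFA": 1, "passwordless MFA": 2}


def classify_path(methods):
    """Classify one login path: the methods a user must present together."""
    unknown = [m for m in methods if m not in DOMAIN]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    # Two methods from the same domain still count as one factor.
    if len({DOMAIN[m] for m in methods}) < 2:
        return "single-factor"
    return "legacy MFA" if "password" in methods else "passwordless MFA"


def audit(policy):
    """policy maps path name -> methods, with fallback paths listed too.
    The effective level is that of the weakest path the system accepts."""
    levels = {name: classify_path(m) for name, m in policy.items()}
    return {
        "levels": levels,
        "effective": min(levels.values(), key=RANK.__getitem__),
        "password_paths": sorted(n for n, m in policy.items() if "password" in m),
    }


# Constructed sample policies.
LEGACY = {"primary": ["password", "otp_token"], "lost_token_fallback": ["password"]}
SAME_DOMAIN = {"primary": ["password", "security_question"]}
PASSWORDLESS = {"primary": ["registered_device", "fingerprint"],
                "no_sensor": ["registered_device", "pin"]}

if __name__ == "__main__":
    for label, pol in [("legacy", LEGACY), ("same-domain", SAME_DOMAIN),
                       ("passwordless", PASSWORDLESS)]:
        print(label, audit(pol))
```

The legacy policy audits as single-factor overall because its lost-token fallback accepts the password alone, even though its primary path is MFA.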