Passwordless Authentication 101
Defining passwordless authentication
Passwordless authentication is any method of verifying a user’s identity that does not require the user to recall and enter a password. Instead of a password, identity is proven by possession of something uniquely linked to the user (e.g. a one-time password generator, a registered mobile device, or a hardware token), or by the user’s biometric signature (e.g. fingerprint, faceprint, voiceprint, retinal scan). It is also possible to authenticate based on something the user knows (i.e. knowledge-based authentication), so long as that something is not a password. Passwordless authentication can also combine several passwordless techniques to achieve higher levels of assurance, for example a fingerprint submitted using the fingerprint sensor of a registered mobile device.
Why should you go passwordless?
Verizon’s Data Breach Investigations Report (DBIR) published in 2017 was something of a watershed moment for perceptions of user authentication. The report made headlines throughout the IT world when it revealed that 81 percent of data breaches were the result of compromised passwords. This is when many businesses realized that passwords were not solving their security problems – they were causing a lot of them. This is when many businesses began to look at alternative user authentication options. This is the moment when passwordless authentication went from being a niche alternative pursued by forward-thinking businesses to something everyone was talking about.
Since Verizon’s 2017 report, not much has changed; not much has improved. In its 2020 DBIR, Verizon finds that over 80% of breaches involve brute force or the use of lost or stolen credentials. 77% of cloud breaches involved breached credentials.
But passwordless is not just about solving a security problem.
While most things in life are a tradeoff, in the case of passwordless authentication there is no tradeoff. There are no pros and cons – it is simply a superior alternative to passwords. It offers better security, better user experience and is cheaper to own and operate.
Better security. Passwordless authentication is actually the safer, more conservative solution security-wise when compared with traditional passwords. It is phishing resistant and offers better protection against other forms of credential access attacks, including man-in-the-middle, keylogging, credential stuffing, password spraying, and more.
Better user experience. A passwordless authenticator removes the need to recall and key in passwords, which translates into quicker logons and fewer failed attempts. And because there are no passwords to forget or reset, there is less downtime due to lost or forgotten passwords.
Cheaper to own and operate. Passwords create a significant load on helpdesks. Users forgetting their passwords or losing their authenticator quickly make their way to the helpdesk for assistance in recovery. Alternatively, self-service password reset systems need to be acquired, deployed and operated to help users perform these recovery operations on their own.
Another significant cost associated with password-based authentication is the need to educate users and protect them from phishing. Phishing prevention solutions need to be deployed to try to catch as many as possible of the phishing attempts targeting users across all channels – web, email, business chat applications (e.g. Slack), and more. Training systems to help employees avoid phishing scams also need to be acquired, deployed and operated.
Types of passwordless authentication
Commonly used passwordless authentication methods include:
- One-time code sent to a registered mobile device or email address. This is typically deployed by businesses to authenticate their customers (B2C). It is less commonly used for enterprise authentication – i.e. for authenticating employees.
- Biometric print on a mobile device, laptop or desktop computer. This passwordless authentication method has become the norm for authenticating users to their mobile devices, with popular implementations of the technology in Apple Face ID, and fingerprint authentication ubiquitously available on even the cheapest mobile devices. It is primarily used to authenticate the user to the device itself and less often to resources that are accessed from the device.
- Dedicated hardware security tokens, typically storing a Public Key Infrastructure (PKI) credential. In recent years, FIDO-compliant devices such as YubiKeys are growing in popularity as a high-assurance user authentication alternative to passwords. These devices offer a good level of security, as they are hard to forge and require physical possession, but they are also rather expensive and cumbersome for users to carry around and use.
- Authentication credential pinned to a frequently used host device – e.g. a PKI certificate pinned to a personal computer. The credential is mostly used to authenticate employee workstations to business networks and resources. Here again, FIDO-compliant solutions are gaining popularity, with the most notable example being Microsoft Hello for Business. Microsoft Hello is available on newer versions of Windows and combines a FIDO-compliant credential with a user PIN or biometric print to unlock access to the credential.
How does passwordless authentication work?
Passwordless authentication is any method of authentication that does not require the user to recall or enter a password. It can be implemented using different authentication methods used independently or in combination.
Before authentication can happen, a passwordless authenticator needs to be registered with the authentication system and associated with the user. An authenticator can be a mobile device to which a one-time passcode is sent or on which cryptographic key material used for authentication (i.e. a private key) is stored; a smart card/USB token device; or a fingerprint sensor embedded into a laptop or mobile device. Other methods, for example Face ID using an embedded camera or a voiceprint captured by the device microphone, can also serve as passwordless authenticators.
Once registered and approved by the authentication system, the authenticator is used instead of a password. The precise sequence flow for each authentication mechanism may be a little different. For example, passwordless authentication using a random code sent to a registered mobile device would work as follows:
- User navigates to the login screen of the relying application and enters a username and mobile number. Alternatively, the user enters only a username.
- The authentication server verifies that the mobile number entered is in fact registered to the username, or, if none was entered, looks up the mobile number registered to the username.
- Server sends a random code to the registered mobile device.
- User enters the code received into the login dialogue and submits it to the server.
- If the code sent by the server matches the one submitted by the user, then that proves to the server that the user is in possession of the device registered to the username. Spoofing the identity of the user would require the attacker to access the registered device or intercept the random code sent to the device during authentication.
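The server side of the five-step code flow above, as an added example (not code from the original article): it checks that the number belongs to the user, issues a six-digit code from a CSPRNG, and accepts it only once, before it expires and within a bounded number of attempts, using a constant-time comparison. The `OtpServer` class, its constants and the SMS gateway stand-in are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # invalidate the code after too many wrong guesses

@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0

class OtpServer:
    def __init__(self, registered_numbers):
        # username -> mobile number, recorded when the authenticator was registered
        self._registered = dict(registered_numbers)
        self._pending = {}        # username -> PendingCode
        self.sent_messages = []   # stands in for the SMS gateway

    def start_login(self, username, mobile_number=None, now=None):
        # Steps 1-3: check the number belongs to the user, then send a fresh code
        now = time.time() if now is None else now
        registered = self._registered.get(username)
        if registered is None:
            return False
        # A number typed by the user must match the one registered to the account
        if mobile_number is not None and mobile_number != registered:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending[username] = PendingCode(code, now + CODE_TTL_SECONDS)
        self.sent_messages.append((registered, code))
        return True

    def verify(self, username, submitted, now=None):
        # Steps 4-5: accept the code once, before it expires, within the attempt limit
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False
        pending.attempts += 1
        if now > pending.expires_at or pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]
            return False
        # Constant-time comparison so the check leaks nothing about the code
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[username]   # single use: a captured code cannot be replayed
            return True
        return False
```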
Stronger passwordless authentication can be achieved by requiring the user to provide a biometric print to authenticate. For example, the user needs to unlock an authenticator app deployed to a registered mobile device using a fingerprint captured by the device-embedded fingerprint sensor. In this case, the authentication flow would work as follows:
- User navigates to the login screen of the relying application and enters a username.
- The authentication server sends a push notification to the authenticator app linked to the username.
- User receives the notification to the authenticator app asking to approve access. Only users in possession of the app running on a registered mobile device will receive the notification.
- To approve access, the user is required to successfully authenticate using the fingerprint sensor on the mobile device.
- Once the user is allowed to access the authenticator app, she taps to approve the authentication request, which sends an ‘approve’ notification to the authentication server.
- The relying app receives a notification from the authentication server that it successfully authenticated the user and logs the user in.
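The push-approval flow above, as an added example rather than the article’s own code: the server issues an unpredictable per-login request, the authenticator app produces an approval only after the local fingerprint check succeeds, and the server accepts an approval only if it is bound to a pending request, unexpired, unused, and computed with the secret registered for that device. The class names are assumed, and a per-device HMAC secret shared at registration stands in for the device private key the article mentions.

```python
import hashlib
import hmac
import secrets
import time

REQUEST_TTL_SECONDS = 60   # an unapproved push request expires after a minute

class AuthenticatorApp:
    # App on the registered phone. The article describes a private key on the device;
    # here a per-device HMAC secret shared at registration stands in for it (assumption).
    def __init__(self, device_secret):
        self._secret = device_secret

    def approve(self, request_id, fingerprint_ok):
        # Locked behind the phone's fingerprint sensor: no local match, no approval.
        if not fingerprint_ok:
            return None
        tag = hmac.new(self._secret, request_id.encode(), hashlib.sha256).hexdigest()
        return {"request_id": request_id, "tag": tag}   # bound to this one request

class PushAuthServer:
    def __init__(self, registered_devices):
        self._devices = dict(registered_devices)   # username -> device secret, from registration
        self._pending = {}   # request_id -> (username, expires_at)
        self.pushed = []     # stands in for the push notification service

    def start_login(self, username, now=None):
        now = time.time() if now is None else now
        if username not in self._devices:
            return None
        request_id = secrets.token_urlsafe(16)   # unpredictable per-login challenge
        self._pending[request_id] = (username, now + REQUEST_TTL_SECONDS)
        self.pushed.append((username, request_id))
        return request_id

    def complete(self, approval, now=None):
        # Username if the approval is fresh, unused and from the registered device; else None
        now = time.time() if now is None else now
        entry = self._pending.get(approval["request_id"]) if approval else None
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            del self._pending[approval["request_id"]]
            return None
        expected = hmac.new(self._devices[username], approval["request_id"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval["tag"]):
            return None
        del self._pending[approval["request_id"]]   # single use: no replay
        return username
```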
Additional variations on these basic flows exist. For example, see the section on FIDO for sequence flows using FIDO-compliant authenticators.
Passwordless sequence flows offer better security and usability, but many businesses work with legacy systems that require a password. Therefore, some passwordless solution vendors offer passwordless experience solutions to enable deployment of passwordless authentication across all business systems, even those that require passwords. Users do not have to recall and enter passwords. Instead, they perform passwordless authentication and in the background the passwordless authentication system provides a password to systems and apps that require one. Passwordless experience would work as follows:
- User navigates to the login screen of the application and enters a username.
- The passwordless authentication server sends a push notification to the authenticator app linked to the username.
- User receives a notification to the authenticator app asking to approve access.
- To approve access, the user is required to successfully authenticate using the fingerprint sensor on the mobile device.
- Once the user is allowed to access the authenticator app, she taps to approve the authentication request, which sends an ‘approve’ notification to the passwordless authentication server.
- Authentication triggers the passwordless authentication system to provide the user password to the system requiring it.
- Once the password is used, an automatic password reset is typically triggered by the passwordless authentication system to prevent the possibility of someone knowing the password or using it again.
Passwordless authentication examples
Access to cloud apps has become mainstream even for the most traditional enterprises. While some standards are in place to facilitate interoperability between enterprise authentication systems and cloud services, they are not all fully baked. Competing standards and frequent revisions to existing standards mean that supporting access to cloud services has been a moving target. SAML and OpenID Connect (OIDC) have become widely adopted and enable decoupling the cloud app from the authentication service used to authenticate its users. Through support for SAML or OpenID Connect, users are authenticated and an assertion is shared with the cloud app to let it know whether authentication succeeded or failed. So it is up to the authentication service connected to the cloud app to support passwordless authentication.
Workstation logon, including Windows and Mac, and in some companies Linux, is also an important authentication use-case. This is often the most challenging use-case for many authentication solutions as it requires delicate integrations with operating systems and network domain management solutions. Windows 10 supports FIDO authentication through its Hello feature-set. But users of older Windows machines or Linux users require an add-on solution to enable passwordless authentication.
Remote access VPN has been a staple technology that enables mobile and remote employees to stay connected to their work. There are several technologies in use and a plethora of vendors offering solutions. Fortunately, over the years a set of standards has emerged to enable integration with authentication systems. Enabling passwordless authentication to remote access typically requires using an identity provider external to the VPN.
Offline authentication has been the Achilles’ heel for many authentication systems in general and multifactor authentication (MFA) in particular. It presents a difficult challenge because most solutions were designed for a connected world. When the network connection is down or unavailable and the authentication server is not reachable, elaborate workarounds are required to ensure that users can continue to authenticate to their computer and locally hosted resources. A typical example is working on an airplane (one without Wi-Fi connectivity). Most passwordless authentication vendors require the solution to be connected in order to work. But a handful have invested in technology to overcome the offline scenario without reintroducing passwords.
The challenge with passwordless authentication
The number one challenge for businesses that decide to deploy passwordless authentication is usually their legacy systems and applications that were not designed for passwordless authentication. So while it is easy to buy into the vision of a passwordless workplace, getting there can be daunting when dealing with a heterogeneous IT environment that combines new and dated systems. One approach is to deploy passwordless authentication only for systems and apps that support it. This generally translates into deployment of passwordless authentication for cloud apps and sometimes also on newer operating systems (e.g. the latest versions of Windows 10). But going passwordless is really an all or nothing effort – you either get rid of passwords or you don’t.
To successfully deploy passwordless authentication for users, it is usually not enough to decide that passwordless is a better, cheaper, more secure option. It is important to choose a technology that will work across an existing and heterogeneous IT environment, including new and legacy systems and applications, and supporting all authentication use-cases.
Common questions and misconceptions about passwordless