Passwordless authentication is a method of verifying users’ identities without the use of passwords or any other memorized secret. It is generally a form of multi-factor authentication or MFA, however simpler forms of passwordless authentication exist such as email-delivered magic links.
Instead of passwords, identity can be verified based on a “possession factor”, possession of an object that uniquely identifies the user because no other user would be expected to have the object (e.g. a registered mobile device or an issued hardware token). Identity can also be verified based on an “inherent factor”, like a person’s biometric signature (e.g. fingerprint, face, retina, etc.). Unlike possession or inherent factors, authentication that is based on something the user knows (such as a password, passphrase, or PIN code) is susceptible to easy theft, sharing or reuse by users, and requires constant management and handling by both users and IT managers.
Passwordless Authentication Benefits
- User Experience (UX): passwordless authentication means no more user memorized secrets, streamlining the authentication process.
- Better Security: User controlled passwords are a major vulnerability because users reuse passwords and are able to share them with others. Passwords are one of the biggest cyber attack vectors and have been responsible for 81% of breaches. They also lead to attacks such as credential stuffing , corporate account takeover (CATO), password spraying, and brute force attack
Phishing, reuse, and sharing are common issues when relying on passwords. With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management – Nothing to phish, share or reuse, the user is no longer the wild card in the organization identity scheme.
- Reduction in Total Cost of Ownership (TCO): Passwords are expensive, and they require constant maintenance from your IT staff. Removing passwords will reduce support tickets and free IT to deal with real problems.
With passwords out of the picture, both user experience and security improve, and potentially overall costs of authentication related to passwords or password-based MFA decrease.
The security of passwordless authentication systems depends on the proof(s) of identity required in lieu of passwords and their implementation. For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. SMS codes to the account holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.
See how Secret Double Octopus implements passwordless authentication: