Passwordless Authentication

Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password.

Instead of a password, proof of identity can be based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device or a hardware token) or on the user's biometrics (e.g. fingerprint, face, retina). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

What are the benefits of Passwordless Authentication?

  • User Experience (UX): no more memorized secrets for users, and a streamlined sign-in flow.
  • Better Security: user-chosen passwords are a major weakness: users reuse them across sites and can share them with others. Passwords are a leading attack vector (one widely cited industry figure attributes 81% of hacking-related breaches to weak or stolen credentials) and they enable credential stuffing, corporate account takeover (CATO), password spraying and brute-force attacks.
  • Reduction in Total Cost of Ownership (TCO): passwords are expensive, requiring constant maintenance from IT staff; removing them reduces support tickets and frees IT to deal with other problems.
  • IT Gains Control and Visibility: phishing, reuse and sharing are common problems with passwords; with passwordless authentication IT regains full visibility over identity and access management. There is nothing to phish, share or reuse, so the user is no longer the wild card in the organization's identity scheme.


With passwords out of the picture, both user experience and security improve.

The security of a passwordless system depends on which proof(s) of identity replace the password and on how they are implemented. For example, a push notification to an authenticator app on the account holder's registered device is generally considered more secure than a password, with one caveat a deployment should handle: a bare approve/deny prompt is exposed to prompt bombing (an attacker who has the first factor sends pushes until the user taps approve), so the prompt should show the login context or require number matching. SMS codes sent to the account holder's phone are weaker because SMS is an insecure channel; SIM swapping and SS7 interception are documented attacks against SMS-based authentication.


Frequently Asked Questions
How does passwordless authentication work?

Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password.

Instead of a password, proof of identity can be based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device or a hardware token) or on the user's biometrics (e.g. fingerprint, face, retina). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

Which authentication methods are used for passwordless authentication?

In passwordless authentication, proof of identity can be based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device or a hardware token) or on the user's biometrics (fingerprint, face, retina, etc.). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

The password alternatives available on the market today cover a broad spectrum.

These system types include:

• Software tokens

• Biometrics

• SMS delivered codes

• Hardware authentication devices (“hard” tokens)

All of these offer a leg up on passwords, but each has known weaknesses. SMS codes travel over an insecure channel and can be intercepted through SIM swapping or SS7 attacks. Codes from software tokens are not bound to the site that asked for them, so a phishing page can collect a code and relay it to the real service within its validity window. Biometrics can be spoofed when liveness detection is weak, and a leaked biometric cannot be rotated the way a secret can. Hardware tokens are the strongest of the four, but a hardware token that merely displays an OTP is still phishable; it is origin-bound FIDO2 authenticators that resist phishing by design. From a security perspective, the strongest passwordless solutions are therefore multi-channel, out-of-band mechanisms, or authenticators that bind the proof of identity to the session that requested it.

This out-of-band design is what Secret Double Octopus relies on for resilience against these attack classes.


Is passwordless authentication more secure than password authentication?

The security of passwordless authentication depends on how it is implemented and what sort of proof-of-identity is deployed. For example, using secure push notifications to the account-holder’s mobile device is generally considered more secure than passwords. SMS codes to the account-holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.

Is passwordless authentication more secure than MFA?

Passwordless solutions can incorporate more than one authentication factor and therefore count as multi-factor authentication (MFA). Authenticating a user via a push notification to an app on a registered mobile device (something you have) that is itself unlocked with a fingerprint (something you are) is one example of passwordless authentication that is also MFA.

How does passwordless authentication work?

What distinguishes these passwordless flows is that the credential is never a fixed secret held on both sides.

Every access request causes the server to generate a fresh, random, short-lived token.

This is what happens when a system emails you a confirmation link (magic link): clicking it presents the token back to the server, which proves control of the mailbox and marks the user as verified. One-time codes sent by email or SMS work the same way. Once the code is entered, the application checks that it matches the one it generated shortly before, that it has not expired and that it has not already been used, and only then starts the requested session.
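The magic-link and emailed/SMS-code flow described above, as an added Python example (not the page's or the vendor's code; the endpoint login.example.test is a hypothetical placeholder). It shows the properties the text implies but does not spell out: the token is fresh and random per request, only its hash is stored, it expires, it is compared in constant time, it works exactly once, and short numeric codes get an attempt limit so they cannot be guessed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 600   # a magic link should die quickly; ten minutes is typical
MAX_ATTEMPTS = 5          # matters most for short numeric codes, which are guessable
BASE_URL = "https://login.example.test/verify"   # hypothetical endpoint for the example


@dataclass
class PendingLogin:
    user: str
    token_hash: str      # only the hash is stored: a leaked table yields no usable links
    expires_at: float
    attempts: int = 0


class OneTimeLoginService:
    """Issues and redeems single-use login tokens (magic links or emailed/SMS codes)."""

    def __init__(self, clock=time.time, numeric_digits=None):
        self._clock = clock              # injectable so expiry can be tested without sleeping
        self._numeric_digits = numeric_digits
        self._pending = {}               # login_id -> PendingLogin (a DB table in production)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str):
        """Create a fresh random token for this request; returns (login_id, token, link)."""
        if self._numeric_digits:
            token = str(secrets.randbelow(10 ** self._numeric_digits)).zfill(self._numeric_digits)
        else:
            token = secrets.token_urlsafe(32)      # 256 random bits: unguessable
        login_id = secrets.token_urlsafe(16)
        self._pending[login_id] = PendingLogin(user, self._hash(token),
                                               self._clock() + TOKEN_TTL_SECONDS)
        return login_id, token, f"{BASE_URL}?id={login_id}&t={token}"

    def redeem(self, login_id: str, token: str):
        """Return the user name if the token is valid, else None. Each token works once."""
        rec = self._pending.get(login_id)
        if rec is None:
            return None
        if self._clock() > rec.expires_at:
            self._pending.pop(login_id, None)
            return None
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            self._pending.pop(login_id, None)      # burn it rather than let it be brute-forced
            return None
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return None
        self._pending.pop(login_id, None)          # single use: the link is dead after this
        return rec.user

    def redeem_link(self, url: str):
        """Redeem a clicked magic link by pulling id and token out of its query string."""
        qs = parse_qs(urlparse(url).query)
        try:
            return self.redeem(qs["id"][0], qs["t"][0])
        except (KeyError, IndexError):
            return None
```

The random login_id is what makes the attempt counter meaningful for six-digit codes: an attacker cannot spray guesses across many pending logins, because each code is only checkable against the one record it was issued for.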

Will the move to a passwordless solution be costly to my organization? Does more secure means more expensive?

One of the most misunderstood points about going passwordless is the cost of implementing such a platform.

This is usually because buyers look at the price of the platform itself without comparing it to the total cost of ownership (TCO) of maintaining a password-based scheme.

In practice, passwordless systems can drastically cut IT costs for an enterprise. Keeping password-based authentication carries a broad spectrum of costs: managing accounts, setting and enforcing password policies, and storing passwords securely (salted hashing, not encryption). Going passwordless also eliminates helpdesk tickets for password resets, which according to Forrester can run anywhere from $25 to $70 per call.

Will enrollment require IT involvement? If so what type of maintenance will be required from IT?

The degree to which IT will be involved in your passwordless authentication scheme depends on the type of platform you choose.

On-premises solutions usually require on-site hardware and dedicated servers, so the company is responsible for maintaining and repairing those machines, and running the system on-site may also leave company IT to address any malfunction in the system itself.

Identity-as-a-service (IDaaS) solutions, on the other hand, come with their own hosted architecture and eliminate the need for in-house servers; part of the subscription is that the provider handles malfunctions and troubleshooting. These benefits have to be weighed against monthly or yearly subscription payments and against the security considerations of placing your identity provider with a third party.

Is passwordless authentication user-friendly? What type of pushback should I expect?

For many companies, the obstacle to leaving a password-based system is simply lack of familiarity.
Passwords have been around forever and people know how to use them, so managers often assume that moving to a new platform will take a serious toll on user experience and disrupt workflows.

In reality, most corporate employees today prefer passwordless technologies precisely because of the ease of use they provide. Push notifications, for instance, both raise security substantially and relieve users of the burden of remembering and protecting passwords.

Which is the fastest passwordless solution to implement? (for 500 users)

The proliferation of personal smart devices has made passwordless solutions highly scalable, even for large workforces.

The fastest platforms for an enterprise to switch to are the ones that turn employees' mobile phones into authenticators.

The passwordless push-notification method uses the phone as a token and supports a bring-your-own-device (BYOD) approach; it has proven cost-effective and works well for legacy software and remote workforces.

The high penetration of smartphones, combined with a passwordless user experience (UX), eases adoption and cuts password-related costs, which makes push authentication an easy decision for IT from a cost, user-experience and security perspective.

Can passwordless solution be implemented in a hybrid enterprise (Cloud/on-premises) ?

Yes. As on-premises and cloud-based identity management systems have become increasingly integrated, many authentication solutions have adapted to this model.

The Octopus Authenticator integrates with network services such as Microsoft Active Directory as well as with cloud platforms, making it suitable for a hybrid enterprise.

Is passwordless authentication an enforceable company policy?

The use of passwordless methods such as fingerprint and facial recognition has become the norm on mobile devices, but many organizations still struggle to deploy the technology on their corporate networks.

Whether you can deploy passwordless authentication on your network depends on the infrastructure that supports it. Fortunately, the developers of the major operating systems and authentication standards have acknowledged the need to build passwordless options into their software. Microsoft has announced passwordless sign-in both for its individual Windows products and for networks running on Active Directory: users can sign in to their Microsoft and AD accounts with FIDO2 security keys (including keys with built-in fingerprint readers) or with the fingerprint reader integrated into their laptop, instead of a password.

Linux has supported passwordless SSH logins for many years: administrators can configure sshd to accept SSH key pairs (public-key authentication) in addition to, or instead of, passwords.

This means that both systems can enforce a policy under which users can only log in with passwordless authentication.

The identity providers used with both platforms (AD FS on Windows, or an open-source SAML identity provider such as Keycloak or Shibboleth on Linux) also support SAML, an open federation standard that leaves the choice of authentication mechanism to the identity provider. This means you can integrate a mobile-based out-of-band authentication technology such as Secret Double Octopus into your network.

Can I use a passwordless solution with my current SSO?

Single sign-on (SSO) is a good way to reduce the authentication attack surface, simplify credential management and improve user experience. The idea is to authenticate once with one identity provider (Google, Microsoft Azure, Active Directory, Amazon AWS…) and use that session to reach multiple applications.

Many organizations also want to combine the convenience of SSO with the added security of passwordless authentication. Most prominent SSO technologies are based on SAML, which is agnostic about how the identity provider actually authenticates the user.

Secret Double Octopus provides a passwordless SSO technology based on SAML that organizations can implement into their online services. It also has a passwordless implementation for several popular SSO technologies, including Google’s G-Suite and Amazon’s AWS.

Will I be able to replace “service accounts” with passwordless authentication?

No. In Microsoft Windows, service accounts are accounts used explicitly to run services in the background. All versions of Windows ship with a few built-in service accounts such as Local Service, Network Service and Local System, which have different levels of access to local and network resources. These accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed at the domain level.

Organizations that want to tighten the security of individual services and applications can instead use Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs), Active Directory account types whose long, random passwords are generated and rotated by the directory itself so that no human ever handles them, or a privileged access management product such as CyberArk that vaults and rotates service credentials.

You can further improve the security and ease of use around service accounts by integrating a passwordless authentication technology with your Active Directory (AD) installation for the administrators who manage them. This gives you the flexibility of managed service accounts plus the convenience of passwordless authentication for the people operating them.

Is passwordless authentication compliant with regulatory standards?

In recent years, regulatory bodies have come to understand and acknowledge the weaknesses and security threats associated with storing and using passwords. That is why they keep raising the bar for minimum password requirements (length, complexity, secure storage, change cycles) and mandating two-factor authentication in many settings.

NIST, which sets technology standards in the U.S. and serves as a reference point for many other countries, requires in many settings that services protect user identities with multi-factor authentication (MFA), meaning at least two of the following:

  • Something you know (a password or PIN)
  • Something you have (mobile device or FIDO key)
  • Something you are (biometric data)

Some sector regulations, in financial services for example, go further and call for a biometric factor. Note that NIST SP 800-63B permits a biometric only as one factor used together with a physical authenticator, never on its own. A technology such as Secret Double Octopus, which combines out-of-band mobile and biometric authentication, is therefore a good fit for meeting these standards and regulations while keeping the user experience convenient.

Can I implement a passwordless solution in the server level?

Both Windows and Linux support passwordless authentication. Microsoft has added support for signing in with FIDO2 security keys to Windows 10 and, on hybrid Azure AD-joined devices, to on-premises Active Directory resources. With the right directory-side configuration, an AD user can walk up to any domain-joined workstation that runs a supported Windows release with security key sign-in enabled by policy, insert the key and log in without a password.

Linux has native support for SSH key pairs, which can replace passwords entirely. When sshd is configured for public-key authentication only, users log in remotely by presenting their private key (which never leaves their machine) instead of typing a password.
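For the SSH case mentioned here and in the enforceable-policy answer above, the following added Python example (not from this page or from Secret Double Octopus) checks whether an sshd_config actually enforces key-only login. The sample configurations are constructed for the example. It demonstrates two things an administrator commonly gets wrong: sshd keeps the first value it reads for each keyword, so a hardening line appended below an earlier PasswordAuthentication yes is silently ignored, and password prompts can also arrive through PAM's keyboard-interactive method unless that is disabled as well. After editing the real file, validate it with sshd -t and keep an existing session open until a key login from a second session succeeds.

```python
"""Check whether an sshd_config really disables password logins.

sshd keeps the FIRST value it reads for each keyword, so a hardening line
appended at the end of the file is ignored if an earlier line (or a drop-in
pulled in by an Include above it) already set the keyword. Password prompts
can also reach the user through PAM via keyboard-interactive, so that method
has to be off as well.
"""

# Constructed sample configurations for this example, not from any real host.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
"""

LOOKS_HARDENED_BUT_IS_NOT = """\
PasswordAuthentication yes
UsePAM yes
# ...many lines later an admin appends the "fix", which sshd ignores:
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

HARDENED_CONFIG = """\
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
# older spelling of the same keyword, for sshd releases before 8.7
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# PAM still does session setup; with the settings above it cannot prompt for a password
UsePAM yes
"""

# sshd defaults for the keywords checked here, per sshd_config(5).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text: str) -> dict:
    """Global (pre-Match) settings with sshd's first-value-wins rule applied."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break                                 # per-user/host blocks are out of scope here
        settings.setdefault(keyword, value)       # first occurrence wins; later ones are ignored
    return settings


def findings(text: str) -> list:
    """Human-readable problems that would still let a password (or nothing) log in."""
    s = {**DEFAULTS, **effective_settings(text)}
    problems = []
    if s["passwordauthentication"] == "yes":
        problems.append("PasswordAuthentication is effectively yes")
    if s["kbdinteractiveauthentication"] == "yes":
        problems.append("KbdInteractiveAuthentication is effectively yes (PAM can prompt for a password)")
    if s["permitemptypasswords"] == "yes":
        problems.append("PermitEmptyPasswords yes")
    if s["pubkeyauthentication"] == "no":
        problems.append("PubkeyAuthentication no: key login is disabled, which would lock everyone out")
    for group in s.get("authenticationmethods", "").split():
        if all(m in ("password", "keyboard-interactive") for m in group.split(",")):
            problems.append(f"AuthenticationMethods allows a password-only path: {group}")
    return problems


def password_login_possible(text: str) -> bool:
    """True if sshd would still accept a password by either method."""
    s = {**DEFAULTS, **effective_settings(text)}
    return s["passwordauthentication"] == "yes" or s["kbdinteractiveauthentication"] == "yes"


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("appended-fix", LOOKS_HARDENED_BUT_IS_NOT),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, "password login possible:", password_login_possible(cfg), findings(cfg))
```

Running the script on the three samples shows the middle one still accepting passwords even though its last two lines say otherwise; on a real host, run the same check against the output of sshd -T, which prints the effective configuration after all Include files are merged.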

Also, organizations that want to use security solutions like Secret Double Octopus can use the SAML implementation of the technology which integrates with their respective server technology. This enables organizations to use the added benefit and security of Single Sign-On (SSO) and mobile authentication on their networks.