Is Passwordless Authentication Really Safe?

Most technologies now are not just geared towards efficiency and accuracy, but more importantly security. With data being considered the most valuable asset in the world, efforts to protect it have become a top priority for cybersecurity strategies across all industries. And with advancements in technology driving continuous innovation, traditional authentication and even password reuse policies are no longer enough. But is modern security like passwordless authentication really safe enough?

To answer the question, we first must take a look at the three authentication factors.

The Three Authentication Factors

An authentication factor is a type of evidence that a user needs to present as proof of their identity. In cybersecurity, there are three authentication factors:

1. Knowledge Factor

Something a user knows like a pin or a password

The Knowledge Factor is the most common type of authentication in which a security system will require a username or user ID and a password to log in, both of which are chosen by the user. Another example of a Knowledge Factor is in the form of security questions that a user can also set such as a first pet’s name or favorite color. While this kind of authentication is still commonly and widely used, it can be vulnerable to brute force attacks especially given the fact that most people have already shared a fair amount of deducible information through different social media platforms.

2. Possession Factor

Something a user has like a phone or a hardware token

The possession Factor is usually a piece of hardware that a user “possesses” which makes it much more challenging to hack or “crack”. This can be your actual device like a mobile phone or a SIM card both of which can be used for passcode authentication. A Possession Factor is usually used as part of MFA or multi-factor authentication systems by the financial industry on their online mobile banking. In this process, a user logs in using a Knowledge Factor- a username and password, but will then receive a One-Time Password or OTP that gets sent via SMS to their phone and SIM for a real-time second factor of authentication.

3. Inherence Factor

Something a user is like a fingerprint or facial recognition

Out of the three authentication factors, the Inherence Factor is widely regarded as the strongest. With this, users are required to confirm their identity by providing evidence that is inherent only to them. Fingerprint scan, retina scan, and facial recognition, collectively called as “biometrics” are few of today’s most common Inherence or Passwordless Authentication Factors. Biometrics are now ordinary in modern mobile phone models and applications- from banking and eCommerce to social media and utility.

What is Passwordless Authentication?

Passwordless Authentication, also known as Modern Authentication, is the term used to describe methods of identity verification that do not require passwords. In the context of cybersecurity, “passwordless” can be a broad term as some solutions that involve inherence authentication factors like biometrics are usually integrated as an addition to a password-based system.

Types of Passwordless Authentication

Passwordless Authentication can be categorized into two tiers:

1. True Passwordless

Security systems that fall under Truly Passwordless authentication require no passwords or pin codes such as:

Biometrics like a fingerprint, facial recognition, retina scan, voice recognition
Hardware Security Tokens like electronic key fobs, USB tokens
Certificate-based authentication like SSL certificate, Code signing certificate, Client certificate

2. Semi-Passwordless

Semi-passwordless methods are not entirely passwordless and typically involve a specific layer of security set outside of the main application such as:

One-Time Passcodes or OTPs: Requires a unique password that is sent in real-time and can only be used once
Email Magic Links: Functions the same way as OTPs but in the form of a one-time link usually sent via email
Authenticator Apps: Generates an additional login code through an app installed on a device

How Does Passwordless Authentication Work?

Passwordless Authentication leaves nothing for an attacker to steal since it requires verifying the user’s identity through either something they own (Possession Authentication Factor) or something they are (Inherent Authentication Factor).

In this scenario, each time a user tries to access an account or application, fixed credentials are either not required or not the sole authentication needed to log in. For instance, a username and PIN may still be asked, but before successfully being granted access, a facial or fingerprint scan will be mandatory.

The Advantages of Passwordless Authentication

There are many benefits to switching to Passwordless Authentication for both users and organizations alike:

1. Lower user friction

In terms of user experience, not having to memorize or type in a password makes logging in easier and faster.

2. Easier to manage

According to Security Boulevard, 20 to 50% of IT help desk tickets are password resets. Password reuse is also a common issue.

3. Stronger security

Password-based systems are easily compromised and are vulnerable to phishing and brute force attacks that end up with lost or stolen credentials.