Most technologies now are not just geared towards efficiency and accuracy, but more importantly security. With data being considered the most valuable asset in the world, efforts to protect it have become a top priority for cybersecurity strategies across all industries. And with advancements in technology driving continuous innovation, traditional authentication and even password reuse policies are no longer enough. But is modern security like passwordless authentication really safe enough?
To answer the question, we first must take a look at the three authentication factors.
The Three Authentication Factors
An authentication factor is a type of evidence that a user needs to present as proof of their identity. In cybersecurity, there are three authentication factors:
1. Knowledge Factor
Something a user knows like a pin or a password
The Knowledge Factor is the most common type of authentication: a security system requires a username or user ID and a password to log in, both of which are chosen by the user. Another example of a Knowledge Factor is a set of security questions that the user configures, such as a first pet’s name or favorite color. While this kind of authentication is still widely used, it is vulnerable to guessing and brute-force attacks, especially since most people have already shared a fair amount of deducible information on social media platforms.
2. Possession Factor
Something a user has like a phone or a hardware token
The Possession Factor is usually a piece of hardware that a user “possesses”, which makes it much more challenging to hack or “crack”. This can be an actual device like a mobile phone or a SIM card, both of which can be used for passcode authentication. A Possession Factor is usually used as part of MFA (multi-factor authentication) systems, for example by the financial industry in online and mobile banking. In this process, a user first logs in using a Knowledge Factor (a username and password) and then receives a One-Time Password (OTP) sent via SMS to their phone and SIM as a real-time second factor of authentication.
3. Inherence Factor
Something a user is like a fingerprint or facial recognition
Out of the three authentication factors, the Inherence Factor is widely regarded as the strongest. With this, users are required to confirm their identity by providing evidence that is inherent only to them. Fingerprint scans, retina scans, and facial recognition, collectively called “biometrics”, are a few of today’s most common Inherence or Passwordless Authentication Factors. Biometrics are now ordinary in modern mobile phone models and applications, from banking and eCommerce to social media and utilities.
What is Passwordless Authentication?
Passwordless Authentication, also known as Modern Authentication, is the term used to describe methods of identity verification that do not require passwords. In the context of cybersecurity, “passwordless” can be a broad term as some solutions that involve inherence authentication factors like biometrics are usually integrated as an addition to a password-based system.
Types of Passwordless Authentication
Passwordless Authentication can be categorized into two tiers:
1. True Passwordless
Security systems that fall under True Passwordless authentication require no passwords or PIN codes, such as:
- Biometrics like a fingerprint, facial recognition, retina scan, voice recognition
- Hardware Security Tokens like electronic key fobs, USB tokens
- Certificate-based authentication like SSL certificate, Code signing certificate, Client certificate
2. Semi-Passwordless
Semi-passwordless methods are not entirely passwordless and typically involve a specific layer of security set outside of the main application, such as:
- One-Time Passcodes or OTPs: Requires a unique password that is sent in real-time and can only be used once
- Email Magic Links: Functions the same way as OTPs but in the form of a one-time link usually sent via email
- Authenticator Apps: Generates an additional login code through an app installed on a device
How Does Passwordless Authentication Work?
Passwordless Authentication leaves no reusable password for an attacker to steal, since it verifies the user’s identity through either something they own (Possession Authentication Factor) or something they are (Inherence Authentication Factor).
In this scenario, each time a user tries to access an account or application, fixed credentials are either not required or not the sole authentication needed to log in. For instance, a username and PIN may still be asked, but before successfully being granted access, a facial or fingerprint scan will be mandatory.
The Advantages of Passwordless Authentication
There are many benefits to switching to Passwordless Authentication for both users and organizations alike:
1. Lower user friction
2. Easier to manage
According to Security Boulevard, 20 to 50% of IT help desk tickets are password resets. Password reuse is also a common issue.
3. Stronger security
Password-based systems are easily compromised and are vulnerable to phishing and brute-force attacks that result in lost or stolen credentials.
Is Passwordless Authentication Really Safe?
In comparison to traditional authentication methods, definitely yes. When incorporated into MFA or multi-factor authentication solutions, breaches caused by stolen passwords can be prevented 99.9% of the time according to the 2022 Verizon Data Breach Investigations Report.