The truth about passwordless authentication

What it is and how it works

Passwordless authentication

Passwordless authentication is the current buzzword in secure authentication, and with good reason. Passwords remain a weakness both for consumers and for those trying to secure customer and corporate data: by one widely cited industry estimate, 81 percent of hacking-related breaches involve weak or stolen passwords, and credentials are among the most common targets of cyber criminals.

For IT departments, passwords are a burden in multiple ways. First, they have to store password verifiers securely, which in practice means salted, deliberately slow hashes (bcrypt, scrypt or Argon2) rather than the passwords themselves. Failure to do so risks a breach, which can hurt the bottom line, share value and the organization’s reputation for years to come. Second, when you are the keeper of passwords, you are tasked with supporting them too, which usually means a stream of password resets flooding the help desk.

So, there’s good reason for organizations to want to dump passwords and move to passwordless authentication.

How does passwordless authentication work?

Passwordless authentication is a form of multi-factor authentication (MFA), but one that drops the password entirely. In FIDO2-style schemes the primary factor is possession of a device that holds a private key; a local gesture such as a fingerprint or a PIN unlocks that key on the device. Two factors are therefore still involved (something you have plus something you are or know), but unlike a password the PIN or biometric is checked only on the device and is never sent to the server, so there is nothing for a phishing page or a breached database to capture.

Passwordless authentication relies on the same principle as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that opens that padlock. There is only one key for the padlock and only one padlock for the key. A user creating an account uses an authenticator (a mobile app, a platform authenticator built into the phone or laptop, a hardware security key) to generate a public-private key pair. The private key is stored on the user’s device and is tied to a local authentication factor such as a fingerprint, face, or PIN; it can only be used after that gesture. The public key, together with an identifier for the credential, is handed to the website, application, or other online system the user is registering with. In FIDO2 the authenticator generates a separate key pair for each site, so a credential for one site cannot be used at, or used to track the user across, another.

Passwordless authentication brings freedom and security

Today’s passwordless authentication relies on the FIDO2 standard (which encompasses the WebAuthn browser API and the CTAP protocol between browser and authenticator). Using this standard, passwordless authentication frees IT from the burden of securing passwords. Why? Because while a service provider may store people’s public keys, the public keys are just that: public. Like a padlock, a public key stolen from a breached database is useless to an attacker without the private key that opens it. That private key remains in the hands of the end user or, within an organization, the employee. The practical caveat is that the weak point then shifts to the fallback paths: account recovery and enrolment of a new device need the same scrutiny, or an attacker will simply use them to bypass the strong login.

Another benefit of passwordless authentication is that the user can choose which authenticator creates the keys and signs logins. It might be a mobile app like OneLogin Protect, a platform authenticator built into the laptop or phone and unlocked with a fingerprint or face, or a roaming hardware key such as a YubiKey. The app or website the user is authenticating to is agnostic by default: it does not care how you create your key pair and perform the gesture, although a relying party with stricter requirements can request attestation and limit which authenticator models it accepts.

Passwordless authentication depends on this separation. The JavaScript a website serves runs on your machine when you visit the page, but it never sees the private key: the browser brokers the request to the authenticator, which returns only a signature over a challenge bound to the origin the page was actually loaded from. Neither the script nor the website is trusted with the private key, so compromising them yields nothing that can be replayed or reused, and a look-alike phishing domain cannot obtain a usable signature at all.

As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as their core authentication method, but the widely known problems with passwords are expected to drive businesses increasingly toward MFA and, from there, toward passwordless authentication.
