The truth about passwordless authentication

What it is and how it works

Passwordless authentication

Passwordless authentication is the new buzzword in secure authentication for identity and access management (IAM) solutions. With good reason. Passwords remain a weakness for consumers and those trying to secure customer and corporate data. In fact, 81 percent of breaches involve weak or stolen passwords. And passwords are the number one target of cyber criminals.

For IT departments, passwords are a burden in multiple ways. First, they have to store the passwords securely. Failure to do so risks a breach, which can have a huge impact on the bottom line, share value, and the organization’s reputation for years to come. Second, when you’re the keeper of passwords, you’re tasked with supporting them, too. That often means handling password resets that flood the helpdesk.

So, there’s good reason for organizations to want to dump passwords and move to passwordless authentication.

How does passwordless authentication work?

Passwordless authentication is a type of multi-factor authentication (MFA), but one that replaces passwords with a more secure authentication factor, such as a fingerprint or a PIN. With MFA, two or more factors are required for verification when logging in.

Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that unlocks that padlock. There is only one key for the padlock and only one padlock for the key. An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition. It can only be accessed with this gesture. The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.

[Figure: Passwordless authentication relies on a private and a public key]

Passwordless authentication brings freedom and security

Today’s passwordless authentication relies on the FIDO2 standard (which encompasses the WebAuthn and the CTAP standards). Using this standard, passwordless authentication frees IT from the burden of securing passwords. Why? As a service provider you may store people’s public keys, but the public keys are just that: public. Like a padlock, a public key is useless to a hacker without the private key that unlocks it. And the private key remains in the hands of the end-user or, within an organization, the employee.

Another benefit of passwordless authentication is that the user can choose what tool he or she uses to create the keys and authenticate. It might be a mobile app like OneLogin Protect. It might be a biometric or a physical device, such as YubiKey. The app or website to which the user is authenticating is agnostic. It doesn’t care how you create your key pair and authenticate.

In fact, passwordless authentication depends on this separation. For example, a website implementing passwordless authentication may serve JavaScript that is downloaded when you visit a page and runs on your machine, but that script is part of the website and does not store your critical information. Neither the script nor the website is trusted with your private key, so they are not a profitable attack surface for cyber criminals.

As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as their core authentication method. But the widespread and well-known issues with passwords are expected to increasingly drive businesses using IAM toward MFA and toward passwordless authentication.
