Passwordless authentication is the new buzzword in secure authentication for identity and access management (IAM) solutions. With good reason. Passwords remain a weakness for consumers and those trying to secure customer and corporate data. In fact, 81 percent of breaches involve weak or stolen passwords. And passwords are the number one target of cyber criminals.
For IT departments, passwords are a burden in multiple ways. First, they have to store the passwords securely. Failure to do so risks a breach, which can have a huge impact on the bottom line, share value, and the organization’s reputation for years to come. Second, when you’re the keeper of passwords, you’re tasked with supporting them, too. That often means handling password resets that flood the help desk.
So, there’s good reason for organizations to want to dump passwords and move to passwordless authentication.
Passwordless authentication is a type of multi-factor authentication (MFA), but one that replaces passwords with a more secure authentication factor, such as a fingerprint or a PIN. With MFA, two or more factors are required for verification when logging in.
Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that unlocks that padlock. There is only one key for the padlock and only one padlock for the key. An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition. It can only be accessed with this gesture. The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.
Today’s passwordless authentication relies on the FIDO2 standard (which encompasses the WebAuthn and the CTAP standards). Using this standard, passwordless authentication frees IT from the burden of securing passwords. Why? Because while as a service provider, you may store people’s public keys, the public keys are just that, public. Like a padlock, if a hacker gets the public key, it’s useless without the private key that unlocks it. And the private key remains in the hands of the end-user or, within an organization, the employee.
Another benefit of passwordless authentication is that the user can choose what tool he or she uses to create the keys and authenticate. It might be a mobile app like OneLogin Protect. It might be a biometric or a physical device, such as YubiKey. The app or website to which the user is authenticating is agnostic. It doesn’t care how you create your key pair and authenticate.
As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as their core authentication method. But the wide and known issues with passwords is expected to increasingly drive businesses using IAM toward MFA and toward passwordless authentication.
Passwords alone are not enough to protect your corporate data. Here are five reasons why.Read More
See how Multi-Factor Authentication (MFA) helps to prevent some of the most common and successful types of cyber attacks.Learn
See how SmartFactor Authentication uses machine learning to automatically adjust authentication behavioral patterns.Read More