Is passwordless authentication for real?

(Image credit: Shutterstock / vladwel)

Picture this: it’s a beautiful sunny morning and since I’m working from home, I decide to take my work computer to a coffee shop with outside seating. As I turn it on, Windows Hello’s scary eye looks back at me, trying to identify me and grant access to my computer without typing in the password. After a few seconds, I start to wonder why it’s not working and remember that face recognition with a mask is not a thing, yet. So, I need to go back to old password authentication and hope that no one tries to guess my 6-digit unique PIN.

Passwordless authentication arrived promising no more passwords, and who doesn’t want that? Passwordless authentication provides more ease of use in an era where we log in everywhere and where we are constantly asked to come up with unique codes that we forget, forcing us to hit the incredibly annoying Reset Password button. The fact that weak passwords are a threat to users and organizations is not debatable.

Realistically speaking though, how close are we to being password-free? Passwordless authentication adoption is growing and that is a good thing, but we should focus on understanding the potential of this technology and how it protects against threats. Is it right for everyone? Let’s take a step back and look at the factors of authentication, the common passwordless methods, their benefits, and challenges they bring to users.

About the author

Alex Cagnoni is Director of Authentication at WatchGuard Technologies

Remembering the factors of authentication

  • Something you know: a password, a PIN
  • Something you have: a key, a smartcard, a token
  • Something you are: your fingerprint, your face

Passwordless authentication is about replacing something you know with something you are or something you have. In my early example, that would be face recognition, or something you have, like a physical token. In fact, several times, the password is not really replaced, but rather stored and passed transparently. It’s something that can improve the user experience, reduce friction, and depending on the method used, even improve security.

Facial recognition

Home users of Microsoft computers are probably used to this method. Enable Windows Hello, use your laptop camera, and with a blink, you will be logged in. Pretty convenient, and as experts say, the recognition algorithm and cameras are quite effective, being able to detect liveness, and prevent attacks using pictures or pre-recorded videos. While the issue I highlighted in scenario I described doesn’t need to be a common case, the fact that the backup plan is PIN-based authentication brings me a red alert. If an unauthorized user wants in on my computer, guessing the PIN might be a reachable (and vulnerable) way to do so. Another issue is remote access. Let’s say I’m accessing a virtual machine in the cloud, or a server using RDP. Face recognition is not an option anymore.

Mobile-based biometrics

Most mobile apps offer integration with the mobile device biometrics –usually fingerprint, and sometimes face recognition. Fingerprint authentication on recent smartphones is quite secure, as well as face recognition on newer iOS devices. Face recognition is not that strong on most Android devices, though. For example, Samsung newer devices such as S10 and S20 support it, but it is not as secure as the fingerprint. My advice: stick with the latter.

In any case, app integrations with the mobile biometric device are fantastic for the user. They make for a super convenient and user-friendly passwordless authentication experience that can, for example, let you into your banking app in a painless way. It is truly passwordless until you need to access your bank account, your phone carrier, or other service, using your laptop. What is your password again? If you use the phone most of the times, you might not remember, when you need to access the same service on another computer or device.

USB tokens

FIDO2 is an interesting industry standard that allows users to perform passwordless logins by using devices such as USB security keys. Just plug in your USB token into your computer, maybe put your finger to unlock it, and there you go. You can use it to login into your computer, and to access FIDO2 enabled web sites. It’s your key to the castle, no passwords, just stick it in. Just don’t lose it.

And don’t count on it if and when you need to login to an application on your mobile phone or tablet with no USB port. To make it work, you’d need to buy a token with Bluetooth support or NFC. From here, it starts to get complicated and rather expensive.

Computer or device assurance

Some solutions offer passwordless authentication based on your computer or device assurance. As long as you are accessing a website from a device that was previously defined as a ‘secure, well-known’ device – such as your personal mobile phone, your (not-shared) laptop - you could potentially log in into websites without a password.

While very convenient for the user, most of the times you are authenticating the device, and not the user. You cannot guarantee the right user is using that ‘secure’ device, nor that there is not a trojan installed on this device that is now enjoying passwordless access to the user’s accounts.

Going passwordless is exciting, for sure. It’s an interesting example of emerging authentication technologies and as a society with a growing focus on digital identities, it is important that we think this way. However, this is not a one size fits all situation.

Cybercrime is only getting smarter and those on the side of security need to continue to focus on developing technologies that are scalable, become more convenient for the user, and more importantly, improve security and interoperability. Until then, create strong passwords, rely on manager apps if it helps, and enable multi-factor authentication whenever possible.

Alexandre Cagnoni

Alexandre Cagnoni has 24 years of experience working in the cybersecurity and authentication market. He helped to plan and deploy MFA projects for banks and enterprises, from small corporate security, to multi-million user deployments. Alex was the co-founder, CTO and CEO of Datablink, a 10-year-old company acquired by WatchGuard in 2017. He is currently the Director of Authentication at WatchGuard, responsible for AuthPoint, a cloud-based Multi-Factor Authentication solution.