Passwordless authentication: what is it and why do it?

Image credit: Shutterstock
(Image credit: Shutterstock)
About the author

Shimirit Tzur David is the CTO & Co-Founder of Secret Double Octopus and holds an MSc and PhD from the Hebrew University in Computer Science.

As the corporate world gradually awakens to the security dangers of relying on easily stolen and shared passwords, alternative security systems have taken the spotlight. There are several alternative authentication methods that do not involve passwords – such as a hardware token (an object the user has that verifies their identity) or biometric methods or devices such as a physical feature belonging to a user, like their thumbprint.

And while these methods all include a different approach to passwordless authentication, they have one thing in common: The user's authentication data is never stored within the system, as a password would be. It is this crucial element that gives passwordless solutions their security advantage.

The case for passwordless systems

Why are passwordless security systems better than password-based systems? Here are some reasons:

User Experience (UX): Passwordless authentication means no more user-memorized secrets, streamlining the authentication process. Removing passwords from the picture means users no longer have to devise and remember a password for each of their accounts. Nor do they have to type them in every time they log on.

Better Security: User-controlled passwords are a major vulnerability. Users reuse passwords and can share them with others. Passwords, the biggest attack vector, also are vulnerable to credentials stuffing, corporate account takeover (CATO), password spraying, brute force attacks, and more.

Reduction in Total Cost of Ownership (TCO): Passwords are expensive; they require constant maintenance from IT staff, who have to update systems when users change their passwords, and, they need to be changed on a regular basis. According to industry research, password resets account for as much as half of all help desk calls, which places a tremendous burden on company IT. According to Forrester, the cost of a single password reset averages $70.

IT Gains Control and Visibility: Reuse, and sharing are common issues in password-based authentication. With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management. Without passwords, there is nothing to phish, share, or reuse. The user is no longer the wild card in an organization’s access scheme.

Image credit: Shutterstock

Image credit: Shutterstock

(Image credit: Image Credit: Ai825 / Shutterstock)

Why passwords just don't cut it anymore

Regulatory bodies have come to understand and acknowledge the weaknesses and security threats associated with the storage and use of passwords. That’s why they’re constantly raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles). In many cases, regulators require the use of two-factor authentication.

For example, NIST - the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that multi-factor authentication (MFA) be used in many scenarios, such as for financial institutes. And many web services (such as Google and Facebook) have adopted MFA in order to protect users. MFA authentication involves ensuring the identity of users with at least two of three factors:

  • Something you know (password/username)
  • Something you have (mobile device or FIDO key)
  • Something you are (biometric data)

MFA is certainly better than relying on a password for security, but eliminating passwords altogether would be even better. A password-plus-second-factor policy retains the inherent flaws of passwords; users are still required to memorize and safeguard secrets, so the security risk of password reuse still exists, and the costs of maintaining passwords also remain. In fact, according to researchers at Proofpoint, hackers can even use passwords to bypass the second authentication factor altogether. Indeed, it appears that in many cases, the second factor is just a “band-aid” organizations use to strengthen the main security protocol – passwords. They're making a big, and potentially expensive, mistake.

Image credit: Shutterstock

Image credit: Shutterstock

(Image credit: Shutterstock)

A future without passwords

Passwordless authentication is already quite common on many devices, which use biometric and facial recognition, so it's clear passwordless is ready for prime time, whether on desktops or servers. Powered by Apple, Linux, or Microsoft, passwordless authentication is becoming a reality.

Technologies and implementations exist for all of these, so there's no reason not to take advantage of them. There's no question passwordless authentication is more secure than password-based security, and it's clear that employees, IT, and management will all benefit from the ease of use and cost-reduction that results from implementing  passwordless authentication. When it comes to security, the time to act is now.

Shimirit Tzur David, CTO & Co-Founder of Secret Double Octopus