
What is passwordless authentication and how does it work


Most people must remember a string of different passwords to log into various devices and accounts, whether for their phone and laptop or email and social media accounts. It becomes all too easy to become lazy about password hygiene, but that is when users become most susceptible to cyberattacks. And it has become incredibly easy for hackers to steal passwords through data breaches, phishing, and other attacks.

As a result, passwords have fallen out of favor in recent years. The trend is set to grow as myriad forms of passwordless authentication are adopted more widely, both by users and organizations. So, what exactly is passwordless security, how does it work, and what are the various passwordless authentication examples? Read on to learn more.

What is passwordless authentication?

In the simplest terms, passwordless authentication allows a user to verify their identity without needing a password. This can be achieved through various means. For example, a user can scan their face or fingerprint to gain access to their device or account, or they might use one-time passwords (OTPs), often used in two-factor authentication (2FA), or URL links that are specifically generated for each login attempt.

Password logins have become increasingly popular in recent years; however, users often create passwords with very weak security. Many users reuse the same password across different accounts, fail to create appropriately complex passwords, and forget to change them regularly. A reputable password manager can, of course, help with this.

How does passwordless authentication work?

Passwordless authentication requires users to present something unique to verify their identity and gain access to a device or account. These are known as authentication factors, and there are several different types, including:

  • Knowledge factors: something the user knows, like a password
  • Possession factors: something the user has, like a phone which can receive a one-time password (OTP)
  • Inherence factors: something unique to the user, usually biometrics such as fingerprints or facial recognition
  • Location factors: the user requires a specific geolocation to gain access, such as their office or home
  • Behavior factors: the user must perform specific actions to gain access, like the Windows 8 picture password

All logins require users to present at least one factor. Most commonly, this is a knowledge factor - usually a password. Passwordless login eliminates the need for a password by taking advantage of the other authentication factors to offer enhanced security. These are often possession factors, like OTPs, or inherence factors, like biometrics.

Is passwordless authentication safe?

Generally, passwordless sign-in is considered far safer than traditional logins that require a user to input their credentials. By eliminating the password, these login systems significantly reduce the risk of attacks such as brute-force or dictionary attacks, keylogging, credential stuffing, and man-in-the-middle attacks. They are also far more resistant to social engineering and to human inertia, which leads users to reuse the same passwords across multiple accounts and forget to update them.

However, like most things, passwordless authentication is not completely foolproof. Determined attackers can still find ways to hack authentication systems, no matter how sophisticated they are. Hackers may be able to hijack email addresses, phone numbers, and even devices to intercept certain types of password authentication, such as OTPs and magic links.

MFA vs. passwordless authentication

Although they may appear similar, multifactor authentication (MFA) and passwordless authentication are slightly different. In many cases, MFA uses a password as well as another form of verification, such as OTPs or biometrics. However, as the name suggests, passwordless security eliminates the need for users to input a password.

However, there are situations where two or more forms of passwordless login are combined, and users must pass both verification processes to access their devices or accounts. This is known as passwordless MFA.


What are the common passwordless authentication examples?

Traditionally, most logins use a knowledge factor (a password), and these all function the same way: users create unique combinations of numbers, letters, and/or symbols and use this with a username to gain access to their devices or accounts. Unlike passwords, passwordless authentication can take many different forms. As mentioned, passwordless security usually incorporates at least one authentication factor other than the knowledge factor, which is why it is more dynamic than passwords.

Certificates

Many apps and internet-connected software use digital certificates to verify users’ identities without passwords. In this case, the user’s personal device will hold a private key, while the server of the app or software stores a public key. The two need to correspond appropriately to enable passwordless authentication.

One-time passwords

If you’ve ever wondered “What is OTP authentication?”, here is your answer: Although users still must type these into their devices to access their accounts, one-time passwords are considered a form of passwordless authentication. This is because they are temporary codes that users receive through text messages or authentication apps; they are different each time and expire within several minutes, so are considered more secure than traditional passwords. This is a type of possession factor as – in theory – only the user has the means to generate or receive the OTP.

Biometrics

Many devices and software these days use biometrics for passwordless logins. These are inherence factors as they grant access with a user’s unique physical traits – for example, fingerprints or retina scans. iPhones are a good example of biometric authentication as they allow users to enable facial recognition to access the device and sign into various secure accounts, including banking apps, helping to prevent online banking fraud.

Magic Links

Much popular internet-based software now offers passwordless authentication with magic links. These are essentially URL tokens that users can use to log into accounts by verifying their email address or phone number. When the user goes to log into an account that uses magic link verification, the system automatically sends a URL link to their registered email address or by message to their phone number – the user then clicks the link to automatically sign into the account. This is another type of possession factor as it assumes that only the user will have access to their email or phone.
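The server side of a magic link, added here as an example and not code from the original article: it mints a random token for the URL that would be emailed or texted, stores only the token's hash with an expiry, and consumes the link on first use so a forwarded or replayed link fails. The host name in the URL is a placeholder and the in-memory map stands in for a database.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"time"
)

// The server stores sha256(token) as the map key, never the token itself.
type pendingLink struct {
	user    string
	expires time.Time
}
type LinkService struct {
	ttl     time.Duration
	pending map[[32]byte]pendingLink
}

func NewLinkService(ttl time.Duration) *LinkService { return &LinkService{ttl, map[[32]byte]pendingLink{}} }

// Issue builds the URL that would be sent to the registered address; a leaked
// table of hashes cannot be turned into working links.
func (s *LinkService) Issue(user string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[sha256.Sum256([]byte(token))] = pendingLink{user, now.Add(s.ttl)}
	return "https://login.example/magic?token=" + token, nil // placeholder host
}

// Redeem handles the click: unknown, used and expired links are all rejected,
// and a valid link is deleted so it works exactly once.
func (s *LinkService) Redeem(clicked string, now time.Time) (string, error) {
	u, err := url.Parse(clicked)
	if err != nil {
		return "", err
	}
	key := sha256.Sum256([]byte(u.Query().Get("token")))
	link, ok := s.pending[key]
	if !ok {
		return "", errors.New("unknown or already used link")
	}
	delete(s.pending, key) // consumed whether or not it has expired
	if now.After(link.expires) {
		return "", errors.New("link expired")
	}
	return link.user, nil
}
```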

Authentication apps

Third-party authentication apps, such as those by Google and Microsoft, have become popular for passwordless login. In this case, a user configures a specific authentication app – one that’s already been made compatible with the account service being used – with their login credentials. Once the system is properly set up, the user will receive a notification from the app every time they log into their account and will need to either provide an OTP or verify the login to gain access.

FIDO passkeys

Fast Identity Online (FIDO) passkeys operate on the same idea as digital certificates. When a user registers their login credentials, the system generates a cryptographic key pair – the public key is stored on the system server and the private key is stored on the user’s device. At login, the device proves it holds the private key, and the server checks that proof against the stored public key before granting access to the account.
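The challenge-response that both the certificate and passkey sections above describe, added here as an example and not code from the original article: the server keeps only public keys, issues a fresh random challenge per login, and the device proves possession of its private key by signing that challenge. It uses Ed25519 from Go's standard library and assumes an in-memory user table.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server keeps only public keys, indexed by user id; nothing here is secret.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

// Register stores the public half of the key pair the device generated.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge issues fresh random bytes for every login attempt, so a
// signature captured in transit is useless for any later attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify grants the login only if the signature over this exact challenge was
// produced by the private key matching the user's registered public key.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// Device holds the private key; it is never transmitted, only used to sign.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates the pair at registration and returns only the public key.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
```

Real FIDO/WebAuthn also binds the signature to the site's origin and a counter, which is what makes passkeys resistant to phishing.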

The pros and cons of passwordless security

Companies are increasingly turning to passwordless security to protect both internal and external stakeholders and keep data safe. However, as with anything in cybersecurity, it’s important to understand the benefits and disadvantages of passwordless authentication.

Advantages of passwordless login

Some of the positive aspects of passwordless sign-in include:

  • It is more secure than passwords and is resistant to many cyberattacks.
  • Users find it low maintenance as they do not have to remember complex passwords or regularly change them; it is also easier for users to enable on their accounts or devices.
  • Companies that use passwordless authentication usually receive far fewer requests for support as there is less need for password resets or troubleshooting.
  • These systems are scalable and usually very quick and easy to implement.
  • It’s often enough to meet compliance requirements for data protection, including the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.
  • Lower incidences of account lockout and abandoned shopping carts.

Disadvantages of passwordless login

While passwordless authentication has become increasingly popular for the security it offers, there are some drawbacks, including:

  • In some cases, it can be more complex and expensive than simple passwords.
  • Systems using biometrics can be tricky, as biometric authentications cannot be reset if they’ve been compromised.
  • There’s a presumption that the user will be using a secure channel while setting up a passwordless login, but this is not always the case – the setup process can be compromised.
  • In some cases, these systems are not foolproof – for example, OTPs can be intercepted or stolen with SIM swapping.
  • Some users, especially those with less technical experience, may be unwilling to use passwordless login if they struggle with the systems or do not understand them.

Implementing passwordless authentication

Most electronic devices or services now offer users options for passwordless authentication alongside traditional login methods. Each one will incorporate different forms, and most will recommend that users activate this as additional security. To enable passwordless authentication, users can simply navigate to the settings of the relevant device or account and select the appropriate options (some may offer more than one). Some of the most common examples of passwordless sign-in for consumers include:

  • Facial recognition for iPhones and MacBooks
  • OTPs for regular verification of Google accounts
  • Magic links for various browser-based apps and software

For users who still want to use passwords but also want to benefit from a form of passwordless login, Kaspersky Password Manager can help. Not only can it generate complex, unique passwords for each account, it stores them all in an encrypted private vault which can’t be seen by anyone else. The program also offers secure sign-in by allowing users to auto-fill their details across various websites, apps, and devices, and has its own in-app authenticator that allows users to enable multifactor authentication on their accounts.

For businesses, it is important to choose and implement passwordless security – especially if they offer client-facing accounts and devices, as there is the additional need to keep clients’ information secure. There are several things to consider when doing this:

  • Choose the most appropriate form of passwordless authentication, such as biometric authentication with fingerprints or magic links.
  • Decide whether one factor will suffice or whether customers require passwordless MFA for additional security.
  • Look for and acquire the necessary hardware and/or software.
  • Ensure users can properly register and use the chosen system.

Implementing passwordless sign-in at an organizational level can be challenging and require significant investments in time and money. For this reason, many choose to work with third-party providers to quickly and effectively execute this particular form of cybersecurity.

A passwordless future?

With so many advantages and far superior security to traditional passwords, it appears that passwordless authentication has a bright future, particularly with artificial intelligence (AI) integration. It can help keep users and their information secure in an increasingly digital world and offer more secure options for remote work. 

However, there are some challenges that may need to be overcome if we’re to see passwordless security being taken up in increasing numbers. These include overcoming privacy concerns, especially around biometric authentication, streamlining the technical infrastructure, bolstering user trust, and ensuring regulatory compliance.

