The reason behind this? Two words. Password fatigue.
In 2017, one estimate found that the average person had 150 password-protected accounts, and projected that the number would double by 2022. It’s no surprise that users reuse passwords across sites or forget them entirely.
In this article, we talk about passwordless authentication—what it is, and its pros and cons.
What is passwordless authentication?
Passwordless authentication verifies a user’s identity and grants access to a network, application, or other system without requiring a traditional password, security question, or PIN.
Instead of a secret the user has to invent and remember, passwordless authentication relies on an alternate authentication factor tied to that specific user.
For organizations it is a secure and user-friendly alternative to usernames and passwords, and an increasingly popular one: passwords annoy users because they have to be changed regularly and are easily forgotten or mixed up.
What are the Types of Passwordless Authentication?
Traditional password-based authentication relies on something you “know”—a password, a PIN, or the answer to a security question (like “What was your mother’s maiden name?”).
Passwordless authentication, on the other hand, does away with the need to know or remember anything. It replaces what you “know” with something you “have” or something you “are” as the proof of identity.
- Possession factors. Something you “have” authentication uses items such as RSA tokens, a mobile device, a smart card, a hardware key, a fob, a badge, or a one-time password (OTP) delivered by text message or email.
- Biometrics. Something you “are” authentication relies on traits such as fingerprints and facial scans to verify identity, an approach now common on recent mobile phones. More advanced systems use retina or voice recognition, or behavioral traits such as typing rhythm and touch-screen interaction patterns.
Some systems combine two or more such factors, for example a smart card plus a fingerprint, before granting access to a network, application, or website.
Benefits of Passwordless Authentication
Many of the drawbacks of traditional passwords come down to the tedium of managing them securely. But there are further advantages to going passwordless, such as:
- Enhanced cyber security. Because people reuse passwords, a single password captured by phishing often opens other accounts as well. Passwordless authentication removes the password altogether, and with it the target of the two most prevalent credential attacks, phishing and brute force guessing. The degree of phishing resistance depends on the factor, though: a one-time code sent by text or email can still be typed into a fake login page and relayed by the attacker, whereas a hardware key that signs a challenge bound to the legitimate site’s origin produces nothing a phishing site can reuse.
- Better user experience. Creating and memorizing passwords for many different platforms is tedious, and forgetting and resetting them is often clunky and time-consuming. Passwordless authentication gives your users a seamless experience instead.
- Reduced long-term costs. A 2018 Forrester report found that organizations in the US allocate over $1 million annually to password-related support alone, not counting password management and storage. Passwordless authentication removes most of these costs.
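The hardware key in the possession-factor list and the phishing claim in the first benefit rest on the same mechanism: the device holds a private key that never leaves it and signs a server challenge together with the origin it is connected to, so the server never stores a user secret and a lookalike site gets a signature it cannot use. The Go program below is an added example, not code from the original article or from Terranova Security, showing that mechanism in simplified form (it is the principle behind FIDO2 security keys, not a WebAuthn implementation). The user name "alice" and both origins are invented for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// signedData is the byte string the device signs and the server verifies: the origin
// the client is connected to, length-prefixed, followed by the server's challenge.
func signedData(origin string, challenge []byte) []byte {
	buf := make([]byte, 2, 2+len(origin)+len(challenge))
	binary.BigEndian.PutUint16(buf, uint16(len(origin)))
	return append(append(buf, origin...), challenge...)
}

// DeviceSign is the "something you have": the private key never leaves the device,
// and the device signs only for the origin it actually sees, not one the user types.
func DeviceSign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedData(origin, challenge))
}

// Server stores no user secret at all: a public key per user and, during a login,
// the one outstanding challenge, which is consumed on first use.
type Server struct {
	Origin     string
	Users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// BeginLogin issues a fresh random challenge so that no assertion can be precomputed.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.Users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin accepts an assertion only if the challenge is the unused one it issued
// for this user and the registered key signed it over this server's own origin.
func (s *Server) FinishLogin(user string, challenge, sig []byte) error {
	pub, ok := s.Users[user]
	if !ok {
		return errors.New("unknown user")
	}
	issued, ok := s.challenges[user]
	if !ok || !bytes.Equal(issued, challenge) {
		return errors.New("challenge unknown or already used")
	}
	delete(s.challenges, user) // single use, even when the signature turns out bad
	if !ed25519.Verify(pub, signedData(s.Origin, challenge), sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	return nil
}

// RunScenarios plays a genuine login, a phishing relay and a replay against one server
// and one enrolled device. The user name and both origins are invented for the demo.
func RunScenarios() (legit, phished, replayed bool, err error) {
	const realOrigin, fakeOrigin = "https://accounts.example.com", "https://accounts-example.com"
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // done once, at enrollment
	if err != nil {
		return
	}
	srv := &Server{Origin: realOrigin, Users: map[string]ed25519.PublicKey{"alice": pub},
		challenges: map[string][]byte{}}

	// 1. Genuine login: the browser is on the real origin, so the device signs for it.
	c1, err := srv.BeginLogin("alice")
	if err != nil {
		return
	}
	sig1 := DeviceSign(priv, realOrigin, c1)
	legit = srv.FinishLogin("alice", c1, sig1) == nil

	// 2. Phishing: the attacker fetches a real challenge and relays it to the victim on a
	// lookalike domain. The device signs, but over the origin it sees, not the real one.
	c2, err := srv.BeginLogin("alice")
	if err != nil {
		return
	}
	phished = srv.FinishLogin("alice", c2, DeviceSign(priv, fakeOrigin, c2)) == nil

	// 3. Replay: the attacker resends the assertion captured in step 1.
	replayed = srv.FinishLogin("alice", c1, sig1) == nil
	return
}

func main() {
	legit, phished, replayed, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login accepted:", legit)         // true
	fmt.Println("phished assertion accepted:", phished)   // false
	fmt.Println("replayed assertion accepted:", replayed) // false
}
```

Run it with `go run .`: the genuine login is accepted and the other two attempts are rejected. Note what the server holds for the user: a public key only, so a database breach yields nothing an attacker can log in with. A code typed into a web form carries no origin, which is why an OTP sent by text or email does not get the same phishing protection as a key that signs over the origin.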
Challenges of Passwordless Authentication
When considering implementing passwordless authentication, there are drawbacks to keep in mind. These include:
- Integration costs. While the long-term costs of passwordless authentication are attractive, the initial hardware and software outlay is high and may pose a budget challenge for smaller organizations.
- Training. Passwordless authentication requires a significant mindset change, both for employees accustomed to usernames and passwords and for the IT staff who will administer the program.
- Potential loss of access. Passwordless authentication is not foolproof. Phones and hardware tokens do get lost, locking the affected staff out until a replacement is enrolled, so the account recovery path has to be designed in advance and kept as strong as the primary factor, or it becomes the easiest way in. Likewise, biometric factors like voice ID could potentially be faked with recordings, and unlike a password, a compromised fingerprint or face cannot be changed.
Additionally, you may face resistance from employees uncomfortable with using their biometric data to log in to work applications and systems. Experts suggest that clear communication about the cost savings and ease of use of passwordless authentication can help win over the reluctant.
Is Passwordless Authentication Safe?
Despite potential drawbacks, passwordless authentication is another step toward enhancing your organization’s cyber security posture.
Lost, stolen, and cracked passwords have always been a security vulnerability. Replacing them with other authentication factors strengthens your security posture and blunts traditional credential-based attacks like phishing scams and brute force attacks; how completely depends on the factor, with origin-bound hardware keys closing that door most fully.
Even with passwordless authentication, an informed workforce with real-world context is still the best defense against the other cyber threats your organization will face. Terranova Security recommends taking the following precautions:
- Use proven security awareness training to keep employees’ cyber security awareness top of mind. Create internal cyber security heroes committed to keeping your organization cyber secure.
- Provide ongoing communication and campaigns about cyber security and phishing. These initiatives include reminding employees about attachments, emails, and URL risks.
- Establish network access rules that limit the use of personal devices and the sharing of information outside your corporate network.
- Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
- Incorporate cyber security awareness campaigns, training, support, and education into your corporate culture.
Conclusion
Passwordless authentication can verify a user’s identity without the need for traditional passwords, security questions, or PINs. It also improves the overall user experience on your systems while simultaneously strengthening your security posture and providing cost savings.
Combined with adequate security awareness training, employees from executives on down will be better equipped to spot cyber security warning signs, report potential threats, and keep sensitive information safe.