What is Passwordless Authentication?
Passwordless authentication is exactly what it sounds like: an authentication strategy to verify user identity without the need for the user to manually enter knowledge-based information.
As we outlined in the previous article in this series, passwordless methodologies have been in use since the 1980s, but were ultimately popularized in the 2000s as multi-factor authentication (MFA) and single sign-on (SSO) became standards.
From MFA and SSO to 'passwordless'
Multi-factor authentication requires users to provide multiple unique ways of identifying themselves, which can include:
- Something the user knows, like an ID number, user name, and/or password
- Something the user has, like a token, authenticator app, YubiKey, email address, or phone number
- Something that's part of the user, like facial recognition, fingerprint, or voiceprint
With single sign-on, a third party verifies the identity of a user, relieving sites and applications of the burden of storing and tracking credentials. When users log into a website, it checks with an SSO provider to confirm whether they've already been verified.
SSO and most of the MFA methods described above do not require the user to manually enter any information, and are thus "passwordless".
Common Passwordless Authentication methods
Below is a brief overview of some of the most popular passwordless authentication methods.
Social sign-up: Social sign-up means a user is authenticated via an existing third-party, pre-verified account (e.g., Google, Facebook, Twitter). Most businesses see over 50% of users opt for social sign-in when offered, with sign-ins completed 35% faster than for password users. B2C companies may do better with social sign-in options, especially those with a younger audience (e.g., under 50). However, some B2B companies may still benefit from social options. For instance, Mailchimp saw a 66% drop in failed login attempts after implementing social sign-ins, though only 3.4% of their users chose to use it.
Security Assertion Markup Language (SAML): SAML means a user can use one set of credentials on various apps, which the service provider stores. This is most common in enterprise environments, like with Microsoft products. IT teams for large companies appreciate the lightened load of support tickets when only global sign-on is required.
Magic link: Slack is probably the most well-known user of the magic link, which sends an authorized URL to a unique user's email address or phone number to log in. Methods like a magic link have to play nicely with email providers, though, or they may end up in spam.
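A server-side sketch of the magic link flow described above, added here as an illustration and not taken from Slack or any other product: the link carries a random token, only the token's hash is stored, and the token expires and can be redeemed once. The `MagicLinkStore` class, the 15-minute lifetime and the `app.example` host are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; shorter limits exposure in mail


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for a table of pending login links."""

    def __init__(self):
        # sha256(token) -> (email, expires_at). The raw token is never stored,
        # so a leaked table cannot be replayed as working login links.
        self._pending = {}

    def issue(self, email: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        return f"https://app.example/login?token={token}"  # placeholder host

    def redeem(self, token: str, now: float = None):
        """Return the email the link was issued for, or None if rejected."""
        now = time.time() if now is None else now
        # pop() removes the record on first use, so a link works only once,
        # even if it is expired or later found in a mailbox or proxy log.
        record = self._pending.pop(_digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        return email if now <= expires_at else None


def token_from_url(url: str) -> str:
    """Extract the token query parameter from a link built by issue()."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.com")  # constructed sample address
    print(store.redeem(token_from_url(link)))  # first use succeeds
    print(store.redeem(token_from_url(link)))  # second use is rejected
```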
One-time passwords by SMS or email: This authentication method prompts users from their device or email to enter a unique code for signing on. Tech companies are making it easier to do this, like iPhone's ability to paste passcodes from SMS. 2FA using a one-time password authentication is a common strategy for financial institutions.
WebAuthn: Web authentication (or WebAuthn) uses public-key cryptography instead of password-based credentials to create a keypair for the specific user. The encryption needs the private key for the public key and vice versa, so it's harder to unlock. The downside is it's not completely user-friendly, and browsers don't use the same terminology.
Time-based one-time password (TOTP): This 2FA method uses time as part of the unique identifying authentication criteria. The time-sensitive unique code is then sent via SMS or directly to a browser. The TOTP Authenticator app is easy for users to set up and use for websites or apps and has an added layer of password protection.
The YubiKey: Yubico's hardware-based "strong two-factor authentication" option called YubiKey looks like your average USB device but packs a big security punch. This tangible option provides device-generated and password storage instead of relying on system or software solutions. Businesses may opt for the YubiKey to prevent phishing and create a similar authentication strategy for their teams.
Biometric: Think of your smartphone or spy movies (e.g., Face ID, Touch ID, eyeball scan). Small companies typically don't need biometric identification because it's expensive and unnecessary; however, this option is on the rise in the passwordless security landscape.
A Few Caveats for Passwordless Authentication
One drawback with passwordless authentication is that it doesn't truly exist yet. Even sophisticated authentication workflows will require the use of a password at some point. Also, passwords and credentials still need to be used as a backup, failsafe, or initial verification method.
Aside from this, every authentication protocol has its own disadvantages, for example:
- Hardware fobs and physical tokens can be hard to implement
- Security hardware can be left incompatible with various software after updates
- Email accounts are not necessarily secure and phone numbers can be spoofed
- Social network accounts can be compromised
- Device-dependent biometrics can be useless if a device is lost or stolen
- SMS security protocols are outdated, leaving these communications vulnerable and unprotected