Forget ‘Forgot Password?’: The Growth of Passwordless Authentication and How It Can Protect You and Your Customers
Passwords have been around a long time — and so have their vulnerabilities. They’re hard to remember. Easy to misplace and vulnerable to theft if you write them down. And a prime target for cyber criminals. In fact, four out of five breaches involve weak or stolen passwords. But there’s a path to eliminating these problems: eliminate passwords themselves.
What Is Passwordless Authentication?
Simply put, passwordless authentication is a way to verify a user’s identity without using a password. Instead, more secure methods like one-time passcodes (OTPs), biometrics (fingerprints, retinal scans), and other factors are used to make sure the person is who they say they are.
A Brief History of Passwords
Passwords have been around for centuries. Early passwords were primarily spoken — secret words that would get you past a military sentry or into a Prohibition-era speakeasy.
The password as we know it today got its start in the early ‘60s, when an MIT computer science professor created the first digital password, designed to limit access to a particular project. Password use and popularity grew from there.
But over time, their weaknesses — the difficulty of remembering often hundreds of passwords, the tendency to share passwords with friends or family (hello, Netflix) — and the need for better security led to two-factor authentication (2FA) and multi-factor authentication (MFA), which added an extra layer of protection on top of the password. For example, after entering your password, you might be directed to enter an OTP that has been texted to your phone.
Now we’re seeing the growth of passwordless authentication options, which basically use multi-factor principles but without the password.
Some Passwordless Authentication Methods
Biometrics — As the name suggests, biometrics involves physical traits like fingerprints and retinal scans, as well as behavioral traits like how you type or your touch-screen dynamics. (To a certain extent, artificial intelligence (AI) has made it possible for hackers to spoof some physical traits, but behavioral characteristics are harder to fake.)
Possessions — This covers things the user owns or carries with them: a code generated by an authenticator app, like Google Authenticator; an OTP received via text message; or a hardware token, like a USB drive or a keycard.
Magic links — With this method, the user enters their email address, and the system sends them an email. The email contains a link which, when clicked, grants the user access.
Other options include device authentication, geo IP location, single sign-on solutions, and more. Whatever the method used, passwordless authentication can improve your company’s security posture while cutting the costs associated with password management. Passwords are a hassle for users, slow down business productivity, and are an inherently weak form of verification. Passwordless authentication eliminates all of that.
How Does Passwordless Authentication Work?
Like a password-based system, passwordless authentication works by matching one thing against another. But instead of comparing a password to one stored in a database, this method matches characteristics, codes, or other pieces of information. For example, a biometric system captures a user’s face, extracts numerical data from it, and then compares it with verified data present in the database.
A different type of comparison happens with an OTP. Here, the system sends a one-time passcode to the user’s mobile device via SMS, email, or voice message. The user receives the code and enters it into the login box. The system then compares the user-entered passcode to the one it sent.
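The OTP comparison just described, as an added example (not Vonage’s code or API): the server issues a random code, keeps only a hash of it, and later checks the user’s entry against that hash with an expiry window, an attempt limit, and single use. The store, function names, and limits are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed example of the OTP flow described above: the server issues a
# short code, keeps only a hash of it, and later compares what the user
# typed against that hash. Not Vonage's API; the names are assumptions.

CODE_TTL_SECONDS = 300   # a code stops being valid after five minutes
MAX_ATTEMPTS = 5         # lock the code after repeated wrong guesses

_pending = {}  # user_id -> dict(code_hash, expires_at, attempts)

def _hash_code(user_id, code):
    # Bind the hash to the user so a code issued to one account cannot be
    # replayed against another; the code is short-lived and rate limited.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()

def issue_otp(user_id, now=None, digits=6):
    """Generate a fresh code for user_id; returns the code to deliver by SMS/email/voice."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"  # CSPRNG, leading zeros kept
    _pending[user_id] = {
        "code_hash": _hash_code(user_id, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code

def verify_otp(user_id, submitted, now=None):
    """Compare the user-entered code to the one issued. Returns (ok, reason)."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False, "no pending code"
    if now > entry["expires_at"]:
        _pending.pop(user_id, None)
        return False, "expired"
    if entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(user_id, None)
        return False, "too many attempts"
    entry["attempts"] += 1
    # Constant-time comparison so response timing does not leak matching digits.
    if hmac.compare_digest(entry["code_hash"], _hash_code(user_id, submitted.strip())):
        _pending.pop(user_id, None)   # single use: a correct code cannot be replayed
        return True, "ok"
    return False, "mismatch"
```

In a real deployment the pending-code store would live in a shared cache or database rather than a module-level dict, and the code itself would go out through your SMS, email, or voice channel.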
How Secure Is Passwordless Authentication?
The simple answer is, very — especially compared to using passwords alone. But there are a few things to be aware of if you’re considering taking the passwordless path, including:
Eliminating the use of passwords can increase threats to biometric scanners and mobile devices, as bad actors look for new ways to access users’ data.
Insider threats can be a danger, usually involving former employees who still have access privileges, third-party vendors, and contractors.
Insecure identity management, or reliance on an external identity and access management solution, can create risks.
Employees may have privacy concerns or worry about using their own devices for passwordless authentication. For example, they might believe biometrics violate their privacy.
Despite these threats, when done properly, a passwordless authentication solution can give your employees and customers a high level of security. Businesses should explore steps such as instituting identity and access management (IAM) solutions; adopting a zero trust approach, where everyone inside and outside the organization must be verified and authorized to access information; and using APIs to understand both users and potential risks.
Passwordless Solutions and Implementation
Vonage offers proven technology that businesses around the world trust every day — and that includes 2FA and MFA solutions AND passwordless authentication.
Two-Factor Authentication protects against fraud, builds trust, and increases conversion across multiple channels — and you only pay for successful verifications.
Multi-Factor Authentication takes that a bit further, requiring more verification factors to access an online resource.
Adaptive Multi-Factor Authentication is a more sophisticated form of authentication that uses contextual information and business rules to determine which authentication factors to apply in a particular situation for a given user.
Passwordless Authentication creates a better user experience, allowing them to do things like quickly and safely access your app with just their phone. It combines security and convenience, and again, you only pay for successful authentications.
(Vonage is currently working on another step in the evolution of access — Silent Authentication, which is designed to give the best possible verification experience without requiring any end-user input to authenticate. You can register your interest in knowing more about Silent Authentication with the button at the bottom of this page.)
If you’re ready to move beyond passwords in your efforts to protect against fraud and build trust, learn more about Vonage’s passwordless authentication.