Passwordless Authentication – Overview, Types, and Challenges


The use of passwords as the primary means of verifying user identities when logging into computer systems dates back to the early 1960s at MIT. Despite their longevity, passwords’ susceptibility to a wide range of cyberattacks makes them unsuitable for authenticating users in an increasingly digitized world. Threat actors use brute force methods, stolen credentials obtained from the dark web, and social engineering tactics as part of a vast arsenal that makes passwords increasingly vulnerable.

Many organizations are trying to adopt solutions that reduce reliance on passwords as the sole method of authentication. Often these solutions still rely on passwords as one of two or more categories of information required to verify user identities. Passwordless authentication attempts to move away from passwords altogether – read on to understand how it works, including examples and challenges.

What is Passwordless Authentication?

Passwordless authentication is any type of authentication that completely removes the need for users to enter passwords when logging into applications or computer systems. Verifying a user’s identity in passwordless authentication does not require any specific technology or process. Instead, passwordless authentication is more of a desired goal to be achieved using a range of methods or potential solutions.

It is important not to confuse passwordless authentication with multi-factor authentication (MFA). Multi-factor authentication (MFA) requires users to provide at least two distinct categories of information (factors) before being granted access to a computing resource. Passwordless authentication methods can fall into one or both of the categories required for MFA. Also, you can implement passwordless authentication using a single factor, but that factor must not be a password.

Passwordless Authentication Examples

Passwords are knowledge-based means of authenticating users because they rely on something the user knows. Passwordless authentication methods generally depend on something the user possesses (also called the possession factor) or something the user is (also called the inherence factor).

With that in mind, here are some examples of passwordless authentication:

  • Biometrics — users provide a retina scan, fingerprint scan, voice scan, or anything else biologically inherent to who they are.
  • Secondary devices — authenticating with a secondary device can mean entering a code generated on a hardware token (a small key fob), entering a one-time code sent to a registered smartphone, or approving an authentication request on a registered smartphone.
  • Public key cryptography — FIDO protocols use public key cryptography and a registered user device combined with biometric or secondary keys to authenticate to services.
  • Behavioral analysis — this type of passwordless authentication combines multiple unidentifiable behavioral attributes about users and uses artificial intelligence/machine learning to analyze these attributes and accurately differentiate between legitimate users and threat actors.
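A simplified model of the FIDO-style flow in the third bullet, added here as an example (it is not code from the original post or from any FIDO implementation, and real WebAuthn/CTAP messages carry more fields): the service stores only a public key, each login signs a fresh single-use challenge, and the signed data includes the service identity, so a replayed or forwarded assertion is rejected. The service name `login.example.com` and the user names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the service being logged into. It holds no password or shared secret,
// only each user's registered public key and at most one outstanding challenge.
type RelyingParty struct {
	id         string                      // service identity, e.g. "login.example.com" (constructed)
	keys       map[string]*ecdsa.PublicKey // user -> public key of the registered device
	challenges map[string][]byte           // user -> single-use random challenge
}

func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{id, map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }
// NewDevice models enrolling an authenticator: the key pair is made on the device and the private half never leaves it.
func NewDevice() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Register stores only the device's public key for the user.
func (rp *RelyingParty) Register(user string, dev *ecdsa.PrivateKey) { rp.keys[user] = &dev.PublicKey }
// BeginLogin issues a fresh 32-byte random challenge, valid for exactly one attempt.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	rp.challenges[user] = ch
	return ch, err
}
// signedPayload binds the challenge to the service identity (as FIDO binds the origin), so an assertion produced for one site is useless at another.
func signedPayload(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(rpID), 0), challenge...)) // 0 byte separates the two fields
	return sum[:]
}
// Sign is the device's response: a signature over the challenge and the identity of the service it believes it is talking to.
func Sign(dev *ecdsa.PrivateKey, rpID string, challenge []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, dev, signedPayload(rpID, challenge)) }
// FinishLogin consumes the challenge, then verifies the assertion with the stored key.
func (rp *RelyingParty) FinishLogin(user string, challenge, sig []byte) error {
	pub, want := rp.keys[user], rp.challenges[user]
	if pub == nil || want == nil || string(want) != string(challenge) {
		return errors.New("unknown user, or challenge unknown or already used")
	}
	delete(rp.challenges, user) // single use: a captured assertion cannot be replayed
	if !ecdsa.VerifyASN1(pub, signedPayload(rp.id, challenge), sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}
```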

It should be noted that using passwordless authentication does not mean that you should abandon MFA. Requiring multiple categories of evidence to verify user identities remains a cybersecurity best practice. In fact, several passwordless authentication methods have built-in MFA; for example, biometrics often require providing the fingerprint, retina, etc. (something the user is) on a specific registered device (something the user owns).

Benefits of Passwordless Authentication

Reduced risk of account compromise

The most compelling reason to eliminate passwords is that you can reduce the risk of user accounts being compromised. A survey of data breaches found that 81% of hack-related breaches stem from stolen or weak passwords.

The hybrid workforces that are now commonplace only add to the risk of password attacks. When working remotely, users must log in with passwords to access virtually all corporate computing resources. Passwordless authentication makes it much more difficult to compromise a user’s account.

Reduced user friction

Another disadvantage of passwords is the friction of the user having to create, remember, modify and reset combinations of letters, symbols and numbers. Organizations have tried to mitigate password-based attacks by requiring users to set even more complex passwords, but this has only increased user friction and worsened password hygiene. Passwordless authentication is designed to be transparent and to relieve users of the burden of password management.

Importantly, this benefit extends to customer services. People want a smooth experience when using online services, whether it’s a banking app or an e-commerce site. Although not all passwordless authentication methods are feasible for customers, it is still possible to reduce friction when logging into customer-facing services using passwordless methods such as biometrics.

Cost savings

An interesting finding from research conducted by Forrester a few years ago is that password resets cost businesses an average of $70 per reset. These costs add up quickly if multiple users ask IT help desks every day to reset their password for an application or service. The cost of the IT support services handling these resets can amount to a substantial portion of your annual IT budget.

In addition, the indirect costs associated with lost productivity must be taken into account. When employees are denied access to computing resources, they cannot perform work that depends on access to that resource. Passwordless authentication completely eliminates password reset costs.

Passwordless Authentication Challenges

Security limits

If there were a single way to make user accounts 100% secure, the debate around passwords would be over. Alas, passwordless authentication is only useful if you recognize that it comes with its own security limitations.

While not relying on passwords greatly reduces the likelihood of account compromise, there are still ways around some implementations. Man-in-the-middle attacks and Trojans could be used to intercept one-time codes, for example.

Change of mentality

Changing the status quo is never easy. People have strong ideas and beliefs about what constitutes effective security. Logging in without any passwords requires an organization-wide mindset shift to embrace this idea rather than fear it. Communication is key here to get users to accept the idea that passwords are no longer secure and that alternatives are better suited to today’s threat landscape.

Go for defense in depth

Whether you’re ready to drop passwords or not, take a defense-in-depth approach to security. Recognize that no single type of solution or method will protect against the various modern cyber threats.

Along with strengthening authentication, consider zero-trust initiatives and seek to improve your detection and response capabilities so you can respond more quickly to ongoing threats. And don’t forget the power of outsourcing security capabilities to third parties who can provide the expertise and capabilities without the overhead.

The post Passwordless Authentication – Overview, Types & Challenges appeared first on Nuspire.

*** This is a Nuspire Security Bloggers Network syndicated blog written by the Nuspire team. Read the original post at:
