Passwordless Authentication: A Primer

 

Passwordless Authentication: Definition

Passwordless authentication verifies user identity without using a password. Instead, it relies on more secure options such as one-time passwords, enrolled devices, or biometrics like a retina scan or fingerprint.

Passwords are known to be a weak factor. Over time, we started to need more passwords due to the increasing usage of applications and systems. We created more and more passwords, and it became very common to lose track of them. Luckily, passwordless authentication is becoming the new reality for businesses.

 

What is Passwordless Authentication?

Passwordless authentication – or modern authentication, as many security professionals know it – has become the new standard for verifying identity through multiple verification methods without requiring passwords. For example, biometrics, hardware-based security keys, and mobile applications are all passwordless methods.

Passwordless brings us secure access for any type of application, from on-premises and legacy apps to cloud apps. A true passwordless future would balance stronger authentication with usability.

 

Why passwordless authentication?

Passwords are both keys, used to access applications as part of user accounts, and security obstacles, used to protect those accounts, and therefore application data, from bad actors. The distinction between a bad actor and a legitimate user, both of whom could have the right password, has become crucial for account security and protection. Multi-factor authentication (MFA) has become the core of passwordless authentication. By using MFA without passwords, a frictionless user login experience can be implemented while allowing users to access applications securely. This method reduces the potential risk of compromise drastically. The remote workforce needs a variety of MFA options to meet user needs. It is essential that security teams deliver a better user experience while balancing the risks.

 

How does passwordless authentication work?

Password-based authentication relies on a user-provided password that applications check against a user directory, e.g. a user database. Passwordless authentication works by using stronger methods, for example biometrics, where a user's unique characteristics are captured and compared. These characteristics could include the user's fingerprint or face.

In some cases, the comparison is made using a one-time password delivered to the user's mobile device via text message. The user selects this option during the login experience and receives a one-time generated passcode, which is then used to access applications.

Passwordless methods rely on a private and public key mechanism that works on the same principle as digital certificates. The private key is kept on the user's device, which could be a mobile device, and can only be accessed using an allowed method like fingerprint, face recognition or a one-time passcode. The public key is then provided to the system where the user wants to have a secure authentication flow.
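The key-pair flow described above, as an added example that is not from the original article or any vendor's product: the device signs a random challenge issued by the server, and the server checks the signature against the enrolled public key. The Device and Server types, the choice of Ed25519, and the user name "alice" are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device stands in for the user's phone or security key (real hardware unlocks the key via biometric or PIN).
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates a key pair and returns the public half for enrollment.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv}, pub, err
}

// Sign answers a server challenge; the private key never leaves the device.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server holds only public keys plus the one outstanding challenge per user.
type Server struct{ keys, pending map[string][]byte }

func NewServer() *Server { return &Server{map[string][]byte{}, map[string][]byte{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce so a captured response cannot be replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify consumes the pending challenge (single use) and checks the signature.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, pub := s.pending[user], s.keys[user]
	delete(s.pending, user)
	return nonce != nil && pub != nil && ed25519.Verify(pub, nonce, sig)
}

func main() {
	dev, pub, _ := NewDevice()
	srv := NewServer()
	srv.Enroll("alice", pub) // "alice" is a constructed sample user
	c, _ := srv.Challenge("alice")
	fmt.Println("login ok:", srv.Verify("alice", dev.Sign(c)))
}
```

The server never stores a secret that could be stolen and reused elsewhere: a database leak exposes only public keys, and each signature is valid for one challenge only.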

 

How do I implement passwordless authentication?

The answer to this question varies depending on the environment. Generally, a good approach starts with choosing a preferred authentication factor, e.g. magic links or hardware tokens. Choosing a secondary factor is also important, because relying on one factor is not enough. Factor chaining is a common concept to secure applications and eliminate the risk of being compromised. Supporting the standard MFA factors will require purchasing the necessary software and hardware, e.g. a security token or mobile authenticator application. Finally, provisioning users will complete the process: users need to enroll in the authentication systems. In-house custom development is becoming less and less popular as a way to achieve this goal. Many IAM providers help customers speed up the process and reduce their costs.

 

Passwordless Authentication Methods

There are multiple passwordless authentication methods. Let's list them here.

  • Biometrics – facial recognition, fingerprints
  • Magic links – a one-time link sent to the user's email
  • One-time passwords – sent to the user's mobile device via SMS or delivered to the user's email
  • Push notifications – a dedicated authenticator app receives a push notification
  • Security keys – USB token device
  • Soft tokens – a token provided by a dedicated authenticator app

Depending on the project you are working on, there are numerous choices to implement.

To learn more about passwordless authentication and how BeyondID can help you create your solution, fill out the contact form below.

Bahadir Dilber
