If you're active in the Identity and Access Management (IAM) field, you've likely noticed the push in the market for passwordless authentication. Chances are you've heard of this movement, even if you're not directly involved in IAM.
Let's break it down. What is passwordless authentication? Why is it better than using traditional passwords? How can a passwordless approach be implemented?
What Is Passwordless Authentication?
On the surface, passwordless authentication is just that — authentication without using a password. There's no single specific way to implement passwordless authentication. Many passwordless technologies already exist, and new approaches are emerging in the market at a steady pace.
At its core, passwordless authentication verifies a user is who they say they are without prompting them to enter a secret string, the password. This process could involve a one-time code sent via SMS or email to the user. It could also leverage an authentication app, biometric inputs, or a hardware authentication device, like a YubiKey.
The Problem With Passwords
A password is a shared secret of sorts. It's a secret string of characters that should only be known by the user. Yet, the application or service must also know the password somehow. An application typically stores the password in a hashed or encrypted format. In the authentication process, the user enters the password. Then, the application uses the same mechanism to hash or encrypt the password and compares the hashed/encrypted representation with what it has stored.
There are several problems with passwords. One of the more prominent issues is that for a password to not be easily guessed, especially by a computer, it needs to be very complex. A computer used to break a password can leverage dictionaries to attempt to guess millions of passwords in just one second. The solution to this problem is to make the password much more complex, involving upper and lower case characters, special characters, and numbers. A critical factor in constructing strong passwords is using random strings without actual words — this prevents dictionaries from being used to guess them.
This solution, however, introduces a new problem. The passwords become long, random, and impossible for most people to memorize. Users must then store them somewhere, exposing them to an even higher risk of becoming compromised. Another outcome of complex passwords is that users tend to reuse the same string across many applications and services. This means that if one app is breached and the passwords are leaked, the attacker can potentially access multiple accounts used by the same person.
In addition, complex passwords increase the likelihood of users forgetting their passwords. This could force the user into a difficult and frustrating account reset flow resulting in lost productivity. Applications in some industries will even require the user to change the password regularly, making it even harder to remember and keep track of the password.
The use of password managers can somewhat alleviate these issues. Such managers keep track of all active passwords, so the user doesn't have to remember them. However, this requires the user to put all of their eggs in one basket — if the password manager is breached, all the passwords are compromised.
Simple passwords are easy to crack.
Complex passwords are hard to remember.
Reusing passwords amplifies security vulnerabilities.
Forgotten passwords can impact productivity.
Password managers can help but don't solve the underlying problem.
Passwordless doesn't imply we leave apps entirely open without any user authentication. Instead, several options exist to identify the user without using a password. The more common approaches include email and SMS authentication. With these options, a numerical code, QR code, or a link is sent to the user's registered email address or phone number, where the user then authenticates. These options are common and fairly trivial to implement. They are certainly better than a simple password, but they are also somewhat trivial to hack, such as in a phishing attack.
Not as common, but still implemented by many apps, is the use of an authenticator application. The most popular one is Google Authenticator, and there are also authenticator apps from Duo and Yubico. These authenticator apps constantly generate a One Time Password (OTP) code that the user uses to authenticate. The authenticator app is in sync with the user's account — the OTP is only valid for a short period of time, and once it expires, the specific code cannot be used by the user to authenticate.
Some authentication apps, like Duo, for example, take this a bit further where the app requesting authentication can initiate a push authentication request so that the user gets a notification prompt to authenticate in the Duo app.
A completely phishing-resistant passwordless option is to leverage a hardware token coupled with the WebAuthn standard. Yubico, with its YubiKey, is one of the leading technologies in this area and offers several types of hardware authenticators. With this option, a unique key pair is generated for each app the YubiKey is used for. This results in a solution where a "phishing app" cannot use the authentication details for the real app as the generated key pair wouldn't match.
More and more technologies are entering the passwordless market. For example, BeyondIdentity, Hypr, and Secret Double Octopus are a few other options to consider.
The Path Forward
Passwords are popular because they have historically been easy to implement over alternatives. They have no prerequisites — just set a password and start using the app. Alternative methods required some type of hardware or a device, making it difficult for organizations to implement.
These days, however, almost everyone has an authentication app, and users are increasingly carrying some type of authentication device or keyfob. This will make it easier for organizations to implement stronger authentication with less impact on user experience. Corporate users can typically be provisioned authentication devices by the IT department, which can pre-register the device for the different apps and services.
Passwordless options should be encouraged. As an organization transitions away from passwords, an opt-in approach could be used to alleviate the impact. Also, consider enforcing more robust mechanisms of authentication and passwordless options for critical services and data leveraging step-up authentication.