Forget about Passwords with Passwordless Authentication

New technologies offer new solutions to existing challenges. Paradoxically, the oldest and most widespread way for individuals and businesses to enter a system remains the least cyber-safe option - passwords. They can easily be leaked, seen, found, stolen, hacked, transferred and so on. Every day, enormous lists of stolen passwords emerge on the dark web. At the same time, passwordless authentication is recognized by leading cyber security and IT companies as one of the safest and most convenient identity technologies. It can prevent most cyber attacks (brute force methods, credential stuffing, phishing, keylogging, man-in-the-middle attacks, etc.). And, fortunately, with cyber security being highly prioritized during pandemic times, cyber-conscious businesses are opting to go passwordless.

What Is Passwordless Authentication?

Passwordless authentication transforms the login process; however, the general idea remains the same - you use some data to access a system. For password authentication, you need to enter information that you know or store - email, phone number, PIN, password, etc. Passwordless authentication requires information you don't memorize or store; you just have it.

How Does It Work?

The passwordless authentication factors are divided into two types:

  • ownership or possession factors
  • inherence authentication factors

Ownership or possession factors are based on the availability of some technology, gadget, software, etc. The user has the item and logs in with its help to verify their identity. These factors include mobile phones or other devices, tokens, cards, emails, one-time passwords, badges, FIDO2-compliant keys, etc.

Inherence factors focus on the data that belongs to a particular person only and can be instantly read. This unique data includes biometric features. A user is verified via fingerprint, voice, or facial recognition, retinal scans, etc.

Whichever authentication factor is used alongside an asymmetric encryption method, passwordless authentication always has two parts, or steps, of verification. A cryptographic key pair consists of a public key (identifier like a phone number, ID, email address, etc.) and a private one (the authentication factor). Such a procedure makes it more difficult for malicious actors to hack systems. It doesn't make you or your organization 100% cyber safe (unfortunately, with current hackers' aggressive strategies and attacks, nothing does). Still, it’s an excellent foundation for building robust multi-strategy cyber security.
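The key-pair verification described above, as an added example that is not code from the original article: a server keeps only the public key registered for an identifier, sends a fresh random challenge, and accepts the login only if the device's private key signed that exact challenge. Ed25519, the `Server` class, the function names and the identifier `alice@example.com` are assumptions chosen for illustration.

```javascript
const crypto = require("node:crypto");

// Device side: the private key is generated on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { publicKey, sign: (challenge) => crypto.sign(null, challenge, privateKey) };
}

// Server side (hypothetical class): holds public keys only, so a database leak
// exposes nothing an attacker can log in with.
class Server {
  constructor() {
    this.publicKeys = new Map(); // identifier -> registered public key
    this.pending = new Map();    // identifier -> outstanding challenge
  }
  register(id, publicKey) { this.publicKeys.set(id, publicKey); }
  startLogin(id) {
    const challenge = crypto.randomBytes(32); // fresh random value per attempt
    this.pending.set(id, challenge);
    return challenge;
  }
  finishLogin(id, signature) {
    const challenge = this.pending.get(id);
    const publicKey = this.publicKeys.get(id);
    this.pending.delete(id); // single use, so a captured signature cannot be replayed
    if (!challenge || !publicKey) return false;
    return crypto.verify(null, challenge, publicKey, signature);
  }
}

// Constructed walk-through; the identifier is a made-up sample value.
function demo() {
  const id = "alice@example.com";
  const server = new Server();
  const device = createAuthenticator();
  const otherDevice = createAuthenticator(); // never registered for this identifier
  server.register(id, device.publicKey);

  const signature = device.sign(server.startLogin(id));
  const genuine = server.finishLogin(id, signature);        // true
  const replay = server.finishLogin(id, signature);         // false: challenge consumed
  server.startLogin(id);
  const staleSignature = server.finishLogin(id, signature); // false: new challenge
  const wrongDevice = server.finishLogin(id, otherDevice.sign(server.startLogin(id)));
  return { genuine, replay, staleSignature, wrongDevice };
}

console.log(demo());
```

Only the first attempt succeeds: the replayed signature, the signature presented against a newer challenge, and the signature from an unregistered device are all rejected.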

However, passwordless doesn't necessarily mean that there will be no password at all. It means that the risk of hacking spreading is minimized, since users don't need to, or can't, access, remember or store passwords. So, it's now more about reducing reliance on passwords - not their complete elimination. There are many types of passwordless authentication - email-based authentication, identity access management (IAM) software, biometric authentication, etc. For example, IBM utilizes the best cyber security measures and adopts the IT world's innovative practices, including Single Sign-On (SSO) in IBM Cloud Identity, to secure user productivity.

Why Go Passwordless?

The benefits of going passwordless include high cyber security, IT visibility and simplified operations, advanced convenience, scalability, and cost efficiency. Major IT companies, like IBM, Google and Microsoft, have implemented various types of passwordless authentication and systematically report on its efficiency and improve their services.

Passwordless Authentication NOT Similar to Multi-Factor Authentication

Many people confuse or misunderstand the terms "passwordless authentication" and "multi-factor authentication." Passwordless authentication doesn't mean Multi-Factor Authentication (MFA). However, the two authentication technologies are connected. Passwordless authentication strictly obeys the rule that users don't fill in passwords but use some mediator that knows them. Multi-factor authentication can use passwordless authentication as the first or second step. However, MFA can also do without it. MFA is more about a number of sequential steps to verify a user than about eliminating passwords known by users from an authentication method. Learn more about multi-factor authentication here.
