Passwordless authentication has become a trending topic in IT over the past two years. This comes as no surprise, given all the password-related security incidents of recent years. Passwords are a known security risk, and they are inconvenient for users. Passwordless authentication bears the promise of increasing security and reducing friction. Done right, this is true. Passwordless authentication can turn the notion of “balancing security with convenience”, which effectively says that convenience goes down when the level of security goes up, into a win-win approach: security increases, while convenience improves as well.
What is passwordless authentication?
It seems very clear what passwordless authentication means. But the fact that some vendors claim to be “truly passwordless” already indicates that there are different flavors of passwordless authentication. In the end, it is a matter of definition what counts as passwordless authentication and what does not.
From the perspective of the user, every authentication approach in which no password is needed is passwordless. But there are solutions such as traditional Enterprise SSO where a user authenticates without a password to a password vault, from where a password is then sent to an application. The same happens in the privileged SSO of PAM solutions, where administrators authenticate to a console and can start sessions with passwords being sent in the background. These types of solutions are not in the scope of passwordless authentication.
There are two elements that are required for passwordless authentication:
- No password is required for user authentication (but a strong authentication is performed)
- No password (or password hash) is travelling over the network
Sometimes a password is used for authentication but no password travels over the network (more frequently, a password travels anyway for the initial authentication to a server). That does not qualify as a passwordless authentication solution.
Passwordless authentication means that a strong MFA (Multi-Factor Authentication), commonly 2FA (Two-Factor Authentication), takes place, and that no password travels over the network. “Truly passwordless” then means that no password is needed either for initial setup or as a fallback. KuppingerCole Analysts uses the more generic definition, based on the two elements listed above.
Is passwordless authentication safe?
When authentication becomes more convenient, this triggers the question of whether it is still sufficiently secure. Passwordless authentication, by definition, must be a strong authentication, which in turn means that more than one factor must be involved.
The common factors involved in passwordless authentication are a smartphone and the user’s biometrics. During setup, a binding between the device and the user takes place: the cryptographic material used for the authentication is placed in a secure element – a piece of hardware that securely holds keys and other sensitive information. Modern devices such as computers and smartphones come with such secure elements.
This binds the user to the device. With biometric authentication enabled on the device, such as a fingerprint reader or face recognition via the camera, the user can authenticate without a password, while the device binding provides the second factor. The authentication is valid only if it is the specific user with the device associated with him or her.
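As an added illustration of the device binding just described (example code, not from the article or any vendor), here is a simplified challenge-response flow in Go: the server stores only a public key, the device signs a one-time random challenge only after its local biometric unlock, and no password or other secret ever crosses the network. The user name, the Unlocked flag standing in for the biometric match, and the choice of ed25519 are assumptions of this model; it is not the WebAuthn protocol itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands in for the user's authenticator: the private key never leaves it.
type Device struct {
	priv     ed25519.PrivateKey // on real hardware this sits in the secure element
	Unlocked bool               // assumed stand-in for the device's own fingerprint/face check
}
// Server holds nothing secret: only public keys and pending challenges per user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // single use, cleared on first verification attempt
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Register binds a device to a user; only the public half of the key travels to the server.
func (s *Server) Register(user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}
// Challenge issues a fresh random nonce; a signature over it is accepted at most once.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}
// Sign runs on the device: biometric unlock is the user factor, key possession the device factor.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("biometric check not passed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}
// Verify checks the signature against the registered public key and consumes the challenge.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, c := s.pubKeys[user], s.challenges[user]
	delete(s.challenges, user) // single use: replaying a captured signature fails
	return pub != nil && c != nil && ed25519.Verify(pub, c, sig)
}
```

A locked device cannot produce a signature, a signature from a device registered to another user is rejected, and a replayed signature fails because the challenge has been consumed.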
There are other options such as FIDO2 tokens or smartcards that can be used for passwordless authentication. We also observe an uptake of wearables such as wristbands and smart watches, where biometric authentication even becomes continuous, for instance by tracking the heartbeat.
Done right, passwordless authentication provides a strong level of security. Calling it safe outright is problematic, given that there is no 100% security. But passwordless authentication commonly provides a significantly higher level of security than traditional username/password authentication, and even than many of the established 2FA approaches.
What should be considered when choosing passwordless authentication solutions?
There are two main groups of passwordless authentication solutions. The first group consists of solutions integrated into Access Management products such as the ones from Microsoft (Entra / Azure AD), Okta, Ping, OneLogin or one of the many other vendors in this segment. The second group consists of specialized solutions, provided for instance by Beyond Identity, HYPR or 1Kosmos, to name just a few.
An important differentiator is that integrated solutions serve every authentication to the Access Management solution, and thus to the services integrated with that solution. In contrast, specialized passwordless authentication solutions are focused either on specific use cases such as customer/consumer authentication, or on serving a broader variety of use cases, starting with integrated desktop authentication and a common passwordless authentication approach across multiple Access Management solutions.
Integrated solutions are easy to implement and come with products that might already be in place, but they tend to be more limited in scope.
That scope is one of the important differentiators. Another one is the breadth of supported authenticators: the more flexibly this is addressed, the more use cases within the organization can be served. Also important are the account recovery capabilities, which define how lost, stolen or simply new devices are handled in efficient processes.
A comprehensive overview of passwordless authentication solutions and the criteria to consider when picking a solution is provided by the KuppingerCole Leadership Compass on passwordless authentication.
When will passwords finally die?
“The password is dead” is a saying that has been around for well over a decade. Unfortunately, passwords are still ubiquitous, and they will not disappear quickly. A lot of websites for customers and consumers still only offer username and password for authentication. However, there is a trend towards passwordless authentication, and there is a significant uptake in adoption in enterprises. We will be able to reduce passwords, but with all the legacy applications and services still in place that expect passwords instead of supporting federation protocols such as OIDC and OAuth2, or even direct passwordless authentication with the FIDO Alliance’s WebAuthn protocol, they will not vanish. Just as the mainframe still exists, passwords will be with us for decades at least. We will need (way) fewer of them, and we will be able to hide them. Most authentication will be based on passwordless approaches in the future. But somewhere, there will still be passwords around.