1 The Challenge
The password is a remnant of an era before hacking and credential-based attacks became a widespread problem. Although the internet has changed significantly since those early days, passwords have only become longer and more complicated. In parallel, cybercriminals have targeted users and the systems they log into with increasing sophistication and frequency as computers have become more accessible worldwide. For years, IT professionals have discussed eliminating passwords because they are easily stolen and compromised. In addition, passwords are costly, time-consuming and difficult to manage, and they result in a poor user experience. Furthermore, the fact that password reuse is common practice among customers and employees only exacerbates the problem.
The most common types of password-based attacks are:
Account Takeover (ATO)
Account takeover fraud occurs when fraudsters gain unauthorized access to a user's accounts, typically with stolen usernames and passwords or through credential stuffing, and then execute unauthorized transactions. Other routes to account takeover include malware, such as man-in-the-middle and man-in-the-browser schemes, and remote access tools (RATs) deployed via trojans or social engineering scams.
Brute-Force Attacks
A brute-force attack is a type of password attack in which attackers use trial and error to guess login credentials. Brute-force tools try candidate passwords until the correct one is found, either exhaustively over all character combinations or, more commonly, from wordlists of dictionary words and previously leaked passwords. Against a live login endpoint the attack is limited by rate limiting and account lockout; against a stolen database of password hashes it runs offline at whatever speed the attacker's hardware allows.
Credential Stuffing
In this attack, cybercriminals use account credentials (usernames and passwords) stolen in a breach at one organization or online service to access accounts at other organizations or services. The method exploits the common practice of using the same password across multiple sites. Cybercriminals typically use bots or other automation to hit many sites with large lists of username/password combinations found or purchased on the dark web. Unlike a brute-force attack, each account is usually tried only once or a few times, but across a very large number of accounts.
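The two attack shapes described under Brute-Force Attacks and Credential Stuffing above look different in authentication logs: brute force is many attempts against one account from one source, while credential stuffing is one or two attempts against each of many accounts from one source. The following is an added example, not part of the original page, that classifies login sources from a constructed sample log and lists accounts that logged in successfully during a flagged burst (the account-takeover signal). The log format, thresholds and IP addresses are assumptions for illustration.

```python
"""Classify login bursts as credential stuffing or brute force (added example).

Constructed sample of authentication log lines, not from any real system.
Assumed format: <ISO-8601 timestamp> <client_ip> <username> <OK|FAIL>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions); tune them to your own traffic.
WINDOW = timedelta(minutes=10)          # sliding window per source IP
MIN_ATTEMPTS = 5                         # ignore sources with fewer attempts
STUFFING_DISTINCT_USERS = 5              # many different accounts -> stuffing
BRUTE_ATTEMPTS_PER_USER = 5              # many tries on one account -> brute force

# Constructed sample log (IPs are from documentation ranges).
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 203.0.113.7 alice FAIL
2024-05-01T12:00:02Z 203.0.113.7 bob FAIL
2024-05-01T12:00:03Z 203.0.113.7 carol FAIL
2024-05-01T12:00:04Z 203.0.113.7 dave FAIL
2024-05-01T12:00:05Z 203.0.113.7 erin OK
2024-05-01T12:00:06Z 203.0.113.7 frank FAIL
2024-05-01T12:00:07Z 203.0.113.7 grace FAIL
2024-05-01T12:00:10Z 198.51.100.9 admin FAIL
2024-05-01T12:00:11Z 198.51.100.9 admin FAIL
2024-05-01T12:00:12Z 198.51.100.9 admin FAIL
2024-05-01T12:00:13Z 198.51.100.9 admin FAIL
2024-05-01T12:00:14Z 198.51.100.9 admin FAIL
2024-05-01T12:00:15Z 198.51.100.9 admin FAIL
2024-05-01T12:05:00Z 192.0.2.44 alice FAIL
2024-05-01T12:05:30Z 192.0.2.44 alice OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # Replace the trailing Z so fromisoformat works on older Pythons too.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return events


def classify_sources(events: list[AuthEvent]) -> dict[str, str]:
    """Return {ip: 'credential_stuffing' | 'brute_force' | 'benign'}.

    For each source IP, slide a WINDOW over its attempts. A window with many
    tries on a single account is brute force; a window that touches many
    distinct accounts with few tries each is credential stuffing.
    """
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    labels = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        label = "benign"
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            per_user: dict[str, int] = defaultdict(int)
            for e in window:
                per_user[e.user] += 1
            if max(per_user.values()) >= BRUTE_ATTEMPTS_PER_USER:
                label = "brute_force"
                break
            if len(per_user) >= STUFFING_DISTINCT_USERS:
                label = "credential_stuffing"
                break
        labels[ip] = label
    return labels


def likely_takeovers(events: list[AuthEvent], labels: dict[str, str]) -> list[str]:
    """Accounts with a successful login from a source flagged as an attack."""
    return sorted({e.user for e in events if e.ok and labels.get(e.ip) != "benign"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    print("likely account takeovers:", likely_takeovers(evs, verdicts))
```

In the sample, 203.0.113.7 is flagged as credential stuffing (seven accounts, one try each), 198.51.100.9 as brute force (six tries on admin), and 192.0.2.44 as benign (a user mistyping once). The one successful login inside the stuffing burst, erin, is the account to force a password reset on and review for unauthorized activity; a low but non-zero success rate is exactly what makes credential stuffing profitable, so the successes matter more than the failures.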
Man-in-the-Middle (MITM) Attacks
These attacks intercept data in transit. An attacker positions themselves in the conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, so that what looks like a normal exchange of information is actually passing through the attacker. Examples of MITM techniques include targeting unsecured Wi-Fi hotspots, DNS spoofing, ARP spoofing, forging certificates, and SSL/TLS stripping (downgrading an HTTPS connection to plain HTTP). Man-in-the-browser attacks use trojans, often with keylogger or rootkit components, that operate inside the browser after TLS has been terminated, so encryption in transit does not protect the data. The goal is to steal personal information such as login credentials, account details, or credit card numbers.
Phishing Attacks
These are attacks on users via email, voice calls and voicemails (vishing), and SMS texts (smishing). They are generally attempts to get users to hand over credentials or personal information, or to make monetary transfers. Many criminals now use Artificial Intelligence (AI), specifically tools based on Large Language Models (LLMs), to write more convincing messages and increase their chances of success, which makes it harder for individuals to discern whether a message is legitimate.