September 24, 2023
Passwordless Authentication Examples & Methods
What Is Passwordless Authentication?
Passwordless authentication, or passwordless security, is a method of verifying a user’s identity without requiring them to enter a password. Instead, the user proves who they are with other factors, such as biometric data, hardware tokens, or one-time codes.
How Does Passwordless Authentication Work?
Passwordless authentication works by using something the user “has” (a device) or something the user “is” (a biometric) to verify their identity and grant them access to a website, application, or network. This contrasts with a traditional password login, which relies on something the user “knows.”
Passwordless Login Process
A passwordless login starts with the user going onto a device, entering a session, or opening an application and entering some type of identifiable information like their name, phone number, email address, or designated username.
From there, they verify their identity with something they “have,” such as a hardware token, smart card, or fob, or by clicking a link sent to a mobile device. If the identifying information or registered device matches the factor recorded for that user in the authentication database, access is granted.
Biometric Authentication Methods
Alternatively, they could use something the user “is,” which would be the equivalent of a biometric factor. So, when they try to enter a device or account on an application, they could simply be prompted to present a selfie, palm scan, fingerprint or voice sample.
Is SSO Passwordless Authentication?
SSO (Single Sign-On) and MFA (Multi-Factor Authentication) are what we consider semi-passwordless. They might help enable users to log in password-free, but their accounts are still password-protected. Users just aren’t physically entering their passwords on login. SSO is all about giving users a shared login across multiple services.
To sign in, users log in once, and then they’re authenticated across all services that have enabled SSO. MFA, on the other hand, is about adding an extra step to the login or customer authentication process. After users enter their password, they have to enter a code sent to their phone, for example.
Implementing Passwordless Authentication Solutions
A “true” passwordless authentication solution eliminates passwords entirely. This means that users create their accounts without ever setting a password; they might instead enroll a biometric scan or a security token. Since there is no password in the first place, users continue to log in without one. The challenge is to eliminate passwords not only at login but across the entire customer lifecycle. This requires a solution that goes beyond the FIDO framework, one where the biometric is stored and managed in a way that is not device-bound and can be used for account recovery. Account recovery is the main attack vector for hackers: often, even when a passwordless option is offered at login, knowledge-based questions are still used for account resets, and these are easy to guess or exploit.
There are several ways to deliver passwordless authentication. Biometrics is one example, where users log in with a fingerprint or selfie instead of a password. Another is a security key, a physical device users connect to their system to log in. Combining passwordless authentication methods adds significantly more security than relying on any one method alone.
7 Common Passwordless Authentication Methods
1. One-time Authentication Link Sent by E-mail
Through this method, the user enters their email, and a one-time link is generated and sent to the specified email address. Upon receiving the link through their mail application, the user simply needs to click on it to authenticate themselves. If an attacker is able to gain control of a victim’s email address, they will receive the authentication link.
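The server-side issue-and-redeem flow behind such a link, as an added example that is not part of the original article. It assumes a 15-minute link lifetime and an in-memory store (both labelled as assumptions in the code); the token itself is never stored, only its hash, so a leaked database does not yield working links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60   # assumption: a link is valid for 15 minutes


@dataclass
class PendingLink:
    email: str
    token_hash: str          # only the SHA-256 of the token is kept server-side
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues single-use, expiring login tokens.

    `pending` is an in-memory dict for illustration; a real application would
    persist it in a database. `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.pending: Dict[str, PendingLink] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Return the raw token to embed in the e-mailed URL; store only its hash."""
        token = secrets.token_urlsafe(32)           # 256 bits of entropy, unguessable
        digest = self._hash(token)
        self.pending[digest] = PendingLink(email, digest, self.now() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the authenticated e-mail, or None if the link is unknown,
        expired, or has already been used."""
        link = self.pending.get(self._hash(token))
        if link is None or link.used or self.now() > link.expires_at:
            return None
        link.used = True                             # single use: a replayed link fails
        return link.email
```

Short expiry and single use limit how long a forwarded or intercepted link stays useful; they do not help when the mailbox itself is compromised, which is the weakness the text points out.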
2. One-time password via SMS or Push
This method is among the most commonly used for passwordless authentication. During the process, the user needs to input their phone number and then receive an SMS or push notification with a one-time confirmation code. Once the code is entered in the service, the user is authenticated. If an attacker is able to gain control of a victim’s phone number, they will receive the code.
3. HMAC and Time-based one-time password
HMAC-based one-time passwords (HOTP) are generated from a counter of authentication attempts and a secret shared between the user’s authenticator and the server. A time-based one-time password (TOTP) is an advancement of HOTP that derives the counter from the system time, producing a fresh password for each time window. As with the two methods above, an attacker who gains control of the victim’s account or authenticator will also obtain the codes.
4. Persistent Cookie
A simple and widely used method for passwordless authentication is a persistent cookie. After the initial authentication, a specialized cookie is set in the user’s browser and presented on subsequent visits in place of a fresh login. Malware on the user’s device can steal this cookie and replay it, bypassing the authentication step entirely.
5. Using third-party Identity Providers (via Social Networks)
This method involves prompting users to authenticate using existing accounts from third-party Identity Providers, such as Google, Facebook, or LinkedIn, streamlining the authentication process. This method relies on the identity verification process of the social network, which is generally not strong enough for regulated industries or sensitive applications.
6. USB Token or other Trusted Device
By utilizing a USB token device, users can be authenticated through a cryptographic key unique to the device holder, providing a secure method for passwordless authentication. This is a strong possession factor, but it is not always feasible to provide hardware tokens and there needs to be a backup in place if the token is not available. Instead, mobile phones and other devices are sometimes used as a possession factor, but they are vulnerable to SIM swaps and may not be appropriate in a shared-device or kiosk scenario.
7. Biometrics
In this method, users provide identity confirmation through fingerprint scanning, facial recognition, and other biometric authentication methods, providing an additional layer of security for passwordless authentication.
Passwordless Authentication Examples
Possession-based Authentication Factors
Possession-based authentication factors include a mobile device, smart card, hardware token, USB device, fob, badge, or software token. One example of this would be a user receiving a text message with a one-time code to input into a site for verification purposes.
This is an example of the user possessing a mobile device as an authentication factor. Another example would be receiving a one-time code on a USB device.
Biometric Authentication
Biometric authentication examples involve the unique physical characteristics of a person such as iris or fingerprint scanning, voice, and facial recognition. Biometrics take advantage of the characteristics unique to each individual and are incredibly difficult to fake or steal. This makes biometric authentication a powerful tool in the quest for secure, passwordless authentication.
What Are The Benefits Of Using Passwordless Authentication?
Better user experience
Passwordless authentication eliminates all of the trouble connected to remembering complicated passwords. Whether it is fingerprint scanning or device verification, you don’t need to keep a list of complex, hard-to-remember passwords for each and every one of your accounts.
Improved security for users and organizations
Since there are no passwords to steal, guess, or phish, it becomes much more difficult for a cybercriminal to get into your account.
Quicker authentication process
No one likes to fill out long forms, take complicated steps, and answer a whole list of questions. Fun fact: when calling into help desks, hackers know the right answer 50% of the time, while the legitimate account holder doesn’t remember their answers 33% of the time. Passwordless authentication makes everything quicker and easier.
Passwordless Authentication Best Practices
Implementing a passwordless authentication tool is a significant undertaking that organizations must prepare for. Without proper planning, you risk poor adoption, which opens the door to vulnerabilities rather than closing it on them. Your planning should center around enabling the entire customer lifecycle, fostering user buy-in, and planning for effective change management. To do that, you need to help users understand why the change is happening.
People in general are not big fans of change, especially when they don’t have context for it. If they don’t understand why passwordless authentication is important, they may resist the change, creating more problems for you and your team. Take time to document the problems with a password-driven culture and communicate why you are moving to a passwordless future and how it will benefit your customer base. For example, employees will want to know that signing into their applications with their face, a fingerprint, or a magic link will boost their productivity, not hinder it.
Pre-Rollout Steps for Users
Don’t leave users in the dark. Make any pre-launch steps abundantly clear through writing and videos, customize them to every device, platform, and operating system, send reminders before and during the launch, and host day-of training sessions to walk users through the setup process.