September 24, 2023

Anonybit Team

Passwordless Authentication Examples & Methods


What Is Passwordless Authentication?

Passwordless authentication, or passwordless security, is a method of verifying a user’s identity without requiring them to enter a password. Instead of a password, the user proves who they are with other factors, such as biometric data, hardware tokens, or one-time codes.

How Does Passwordless Authentication Work?


Passwordless authentication works by using something the user “has” (a device) or something the user “is” (their biometric) to verify their identity and give them system access to a website, application, or network. This would be in contrast to a traditional password login, which would be something the user “knows.”

Passwordless Login Process

A passwordless login starts with the user picking up a device, starting a session, or opening an application and entering some type of identifying information, such as their name, phone number, email address, or designated username.

From there, they verify their identity with something they “have,” such as a hardware token, smart card, or fob, or by clicking a link sent to a mobile device. If the identifying information or registered device matches that factor’s record in the authentication database, they are granted access.

Biometric Authentication Methods

Alternatively, the user can present something they “are,” which is a biometric factor. When they try to access a device or an account within an application, they are simply prompted to present a selfie, palm scan, fingerprint, or voice sample.


Is SSO Passwordless Authentication?


SSO (Single Sign-On) and MFA (Multi-Factor Authentication) are what we consider semi-passwordless. They might help enable users to log in password-free, but their accounts are still password-protected. Users just aren’t physically entering their passwords on login. SSO is all about giving users a shared login across multiple services.

To sign in, users log in once, and then they’re authenticated across all services that have enabled SSO. MFA, on the other hand, is about adding an extra step to the login or customer authentication process. After users enter their password, they have to enter a code sent to their phone, for example.

Implementing Passwordless Authentication Solutions

A “true” passwordless authentication solution eliminates passwords entirely. This means that users create their accounts without using a password. They might instead use a biometric scan or security token. And since there’s no password in the first place, users can then continue to log in without needing a password. The challenge is to eliminate passwords not only at login but across the entire customer lifecycle. This calls for a solution that goes beyond the FIDO framework, one where the biometric is stored and managed in a way that is not device-bound and can be leveraged for account recovery. Account recovery is the main attack vector for hackers: oftentimes, even when a passwordless option is offered at login, knowledge questions are still used for account resets, and these are easy to guess or exploit.

There are several ways to deliver passwordless authentication. Biometrics is one example, where users use their fingerprint or selfie to log in without entering a password. Another example of a passwordless authentication solution is a security key, which is a physical device users connect to their system to log in. Combining passwordless authentication methods adds significant layers of security compared with using only one method.

7 Common Passwordless Authentication Methods


1. One-time Authentication Link Sent to the E-mail 

Through this method, the user enters their email, and a one-time link is generated and sent to the specified email address. Upon receiving the link through their mail application, the user simply needs to click on it to authenticate themselves. If an attacker is able to gain control of a victim’s email address, they will receive the authentication link. 
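To make the one-time-link flow concrete, here is an added Python sketch of the server side. It is not Anonybit’s code and is not from the original post; `MagicLinkStore`, the 15-minute lifetime and the in-memory dictionary are assumptions of this example. It shows the properties a defender wants from such a link: a high-entropy token, storage of only the token’s hash so a leaked database does not yield usable links, an expiry, and single use so a link forwarded or replayed after redemption is worthless.

```python
import hashlib
import secrets
import time
from typing import Optional

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a link; choose what your risk tolerance allows


def _token_hash(token: str) -> str:
    # Only the hash is persisted, so a copy of the store does not contain usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """Issues and redeems one-time login tokens (in-memory stand-in for a database)."""

    def __init__(self) -> None:
        self._records: dict = {}  # token hash -> record

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._records[_token_hash(token)] = {
            "email": email,
            "expires_at": now + LINK_TTL_SECONDS,
            "used": False,
        }
        return token  # the raw token goes only into the e-mailed link

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the e-mail the link was issued for, or None if it is unknown, expired or already used."""
        now = time.time() if now is None else now
        record = self._records.get(_token_hash(token))
        if record is None:
            return None
        if record["used"] or now > record["expires_at"]:
            return None
        record["used"] = True  # single use: a second click (or a replay) fails
        return record["email"]


def build_link(base_url: str, token: str) -> str:
    # The link carries nothing but the token; the e-mail address is looked up server-side.
    return f"{base_url}/auth/magic?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    t = store.issue("alice@example.com")  # constructed sample user
    print(build_link("https://login.example.com", t))
    print(store.redeem(t))  # alice@example.com
    print(store.redeem(t))  # None: already used
```

Because the store keeps only the hash, an attacker who reads the database still has to control the victim’s mailbox to obtain a usable link, which is exactly the exposure the paragraph describes.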

2. One-time password via SMS or Push

This method is among the most commonly used for passwordless authentication. During the process, the user needs to input their phone number and then receive an SMS or push notification with a one-time confirmation code. Once the code is entered in the service, the user is authenticated. If an attacker is able to gain control of a victim’s phone number, they will receive the code. 

3. HMAC and Time-based one-time password

HMAC-based one-time passwords (HOTP) are generated by an algorithm that combines a counter, which advances with each authentication attempt, with a secret shared between the user’s client and the server. A time-based one-time password (TOTP) is an advancement of HOTP that derives the counter from the current system time, creating a fresh password for each time step. Like the above two methods, if an attacker is able to gain control of a victim’s account or authenticator, they will receive the code.
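As an added example, not code from the original post or from Anonybit, here are the HOTP and TOTP computations as RFC 4226 and RFC 6238 define them, together with the two server-side checks a practitioner needs: a look-ahead window that resynchronises a drifted HOTP counter without ever accepting an old code, and a small clock-skew window for TOTP. Function names, window sizes and the demo in the `__main__` block are this example’s own choices; the `12345678901234567890` secret is the RFCs’ published test key. The only secret in the scheme is that shared key, so anyone who obtains it computes the same codes, which is the exposure the paragraph describes.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = ((mac[offset] & 0x7F) << 24  # mask the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so a wrong code costs the same time as a right one.
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii", "replace"))


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server-side HOTP check (RFC 4226 section 7.4). Returns the next counter to store,
    or None on failure. Counters below the stored one are never tried, which blocks
    replay of a code that was already used or observed earlier."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps neighbours to tolerate clock drift."""
    base = unix_time // step
    return any(_same(hotp(secret, c), code)
               for c in range(max(base - skew_steps, 0), base + skew_steps + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC test key, never a real one
    for n in range(3):
        print(n, hotp(secret, n))  # 755224, 287082, 359152 per RFC 4226 Appendix D
    print(totp(secret, int(time.time())))
```

The `verify_hotp` return value is the counter the server must persist before replying, so that a code can never be accepted twice; `verify_totp` deliberately has no such state, which is why TOTP deployments also need to remember the last step that was accepted if they want replay protection within a window.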

4. Persistent Cookie

A simple and widely utilized method for passwordless authentication is the use of a persistent cookie. After the initial authentication, a specialized cookie is set in the user’s browser, which is then used for subsequent authentications. With malware on the user’s device, hackers are able to steal the session cookie and reuse it.

5. Using third-party Identity Providers (via Social Networks)

This method involves prompting users to authenticate using existing accounts from third-party Identity Providers, such as Google, Facebook, or LinkedIn, streamlining the authentication process. This method relies on the identity verification process of the social network, which is generally not strong enough for regulated industries or sensitive applications.

6. USB Token or other Trusted Device

By utilizing a USB token device, users can be authenticated through a cryptographic key unique to the device holder, providing a secure method for passwordless authentication. This is a strong possession factor, but it is not always feasible to provide hardware tokens and there needs to be a backup in place if the token is not available. Instead, mobile phones and other devices are sometimes used as a possession factor, but they are vulnerable to SIM swaps and may not be appropriate in a shared-device or kiosk scenario.

7. Biometrics

In this method, users provide identity confirmation through fingerprint scanning, facial recognition, and other biometric authentication methods, providing an additional layer of security for passwordless authentication.

Passwordless Authentication Examples


Possession-based Authentication Factors

Possession-based authentication factors include a mobile device, smart card, hardware token, USB device, fob, badge, or software token. One example of this would be a user receiving a text message with a one-time code to input into a site for verification purposes.

This is an example of the user possessing a mobile device as an authentication factor. Another example would be receiving a one-time code on a USB device. 

Biometric Authentication

Biometric authentication examples involve the unique physical characteristics of a person such as iris or fingerprint scanning, voice, and facial recognition. Biometrics take advantage of the characteristics unique to each individual and are incredibly difficult to fake or steal. This makes biometric authentication a powerful tool in the quest for secure, passwordless authentication.


What Are The Benefits Of Using Passwordless Authentication?


Better user experience

Passwordless authentication eliminates all of the troubles connected to remembering complicated passwords. Whether it is fingerprint scanning or device verification, you don’t need to keep a list of complex and hard-to-remember passwords for each and every one of your accounts.

Improved security for users and organizations

It’s obvious that, since there are no passwords to hack, it will become much more difficult for a cybercriminal to get into your account.

Quicker authentication process

No one likes to fill out long forms, take complicated steps, and answer a whole list of questions. Fun fact, when calling into help desks, hackers know the right answer 50% of the time and the right person doesn’t remember their answers 33% of the time. Passwordless authentication makes everything quicker and easier.

Passwordless Authentication Best Practices

Implementing a passwordless authentication tool is a significant undertaking that organizations must prepare for. Without proper planning, you risk poor adoption, which opens the door to vulnerabilities rather than closing it on them. Your planning should center on enabling the entire customer lifecycle, fostering user buy-in, and planning for effective change management. To do that, you need to help users understand why the change is happening.

People in general are not big fans of change, especially when they don’t have context for it. If they don’t understand why passwordless authentication is important, they may resist the change, creating more problems for you and your team. Take time to document the problems with a password-driven culture and communicate why you are moving to a passwordless future and how it will benefit your customer base. For example, employees will want to know that signing into their applications with their face, a fingerprint, or a magic link will boost their productivity, not hinder it.

Pre-Rollout Steps for Users

Don’t leave users in the dark. Make any pre-launch steps abundantly clear through writing and videos, customize them to every device, platform, and operating system, send reminders before and during the launch, and host day-of training sessions to walk users through the setup process. 

