Several years ago, passwordless authentication would’ve sounded like something out of a spy movie. Somehow doors would open, or computers would reboot with the tap of a fingerprint or retinal scan. Today’s world is not too far off from that reality. Some of that “magic” is relatively mainstream.
But how does passwordless authentication work behind the scenes? What are the unique benefits of using one mode of authentication over another? And is passwordless authentication safe?
In our previous post in this series, we gave a high-level overview of passwordless authentication and how it works. In this post, we will dive into the details of why you would use passwordless authentication, the pros and cons of various methods, and how to apply them.
Why Use Passwordless Authentication?
There are several reasons to use passwordless authentication (beyond getting the feeling that you’re James Bond).
First, generally speaking, passwordless authentication is a more secure option than password-based authentication. Many employees don’t want to have to remember hundreds of individual passwords, so they use the same or similar numbers and letters every time. And if hackers can find out one password, they are bound to unlock more accounts through password spraying, credential stuffing, or phishing attacks. Without a password to decipher, hackers are flying blind.
Passwordless authentication is also more convenient for employees. Accessing an application based on something they have or something inherent to them doesn’t require them to remember anything. Employees can log into devices faster by presenting a code, security token, magic link, or body part and never have to worry about forgetting their passwords again.
Finally, passwordless authentication reduces overhead, saving IT time and eliminating the need to remind employees to change their passwords every month or deal with the never-ending flow of password-related support tickets.
Passwordless Authentication Factors
Typically, you use something you know, like a password, to log into a platform. But, as we’ve discussed, knowledge-based authentication factors like passwords are prone to misuse, making them easy to steal. Passwordless authentication removes the need for a password altogether by using other forms of authentication, including possession factors, biometric factors, or magic links.
Possession factors, otherwise known as ownership factors, grant access through something you own, like a cell phone. With that device in hand, you can receive one-time passcodes via email or SMS or receive push notifications from an authenticator app. Responding to those notifications or entering codes will automatically log users into the platform. Because hackers need the correct possession factor to react to the application prompts, cyberattacks are more challenging to execute.
Examples of possession factors:
- Mobile device
- Authenticator app
- Hardware token
- Smart card
How they work:
- When registering for a new application, the user will provide and verify their possession factor ID (for example, a mobile device number or QR code).
- The application generates a private key and associates it with that possession factor.
- Whenever a user attempts to log in again, the application will send a one-time passcode, PIN, or push notification to the possession factor provided during setup.
- The user receives the passcode, PIN, or push notification on their device.
- The user inputs the passcode or PIN or reacts to the push notification, taking them directly to the application.
Biometric factors, otherwise known as inherence factors, grant access based on biological characteristics. These are virtually impossible for hackers to imitate, plus they reduce user friction.
Examples of biometric factors:
- Retinal scan
- Facial recognition
- Fingerprint scan
How they work:
- When registering an account on a new application, a user will present some form of biometric ID. This ID will serve as a private key.
- Whenever users need to re-access the application, they present the biometric ID they signed up with.
- Biometric IDs are compared to authorized biometric features.
- When matches are made, private keys unlock, and users are logged into the platform.
Magic links require a user to enter their email address to log into an application. Once clicked, magic links instantly log users into their desired application.
Examples of magic links:
- Signing into a new Slack instance
- Signing into a Medium account
How they work:
- A user visits an application for the first time.
- Upon registration, the application prompts the user to enter their email address.
- The user enters their email address and clicks submit.
- The application creates a magic link and assigns it a specific token.
- Next, the application sends an email containing the magic link to the user.
- The user clicks on the link.
- The application parses the query parameters and searches an internal database for the token.
- When an entry with a matching token is found, the user gets authenticated.
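The issue-and-redeem steps above, as an added example that is not part of the original post. The URL, the 10-minute lifetime, the function names and the in-memory dictionary standing in for the application's database are all assumptions; the example also goes slightly beyond the steps listed by storing only a hash of the token, expiring it, and making it single-use.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 600                            # assumed lifetime: 10 minutes
BASE_URL = "https://app.example.test/auth/magic"   # placeholder URL

# Stand-in for the application's internal database: sha256(token) -> record.
_pending = {}

def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_magic_link(email: str, now=None) -> str:
    """Create a link for `email` and record its token hash with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{BASE_URL}?{urlencode({'token': token})}"

def redeem_magic_link(url: str, now=None):
    """Return the authenticated email address, or None if the link is invalid."""
    now = time.time() if now is None else now
    values = parse_qs(urlparse(url).query).get("token", [])
    if len(values) != 1:
        return None                                # missing or duplicated parameter
    # pop() removes the entry on first use, so a replayed link finds nothing.
    record = _pending.pop(_digest(values[0]), None)
    if record is None or now > record["expires"]:
        return None
    return record["email"]
```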
Making Passwordless Authentication a Reality
While each of these methods seems relatively straightforward, the configuration and implementation on the back-end are more complex. Achieving passwordless authentication for just one application is tough; extrapolating that process to every single application your employees use is a substantial undertaking.
At the same time, there’s significant upside to using passwordless authentication: enhanced security, a better user experience, long-term reduction of IT workload, and thus, increased overall productivity. Trying to balance the need for passwordless authentication with its tricky implementation is overwhelming. Luckily, you can take baby steps.
Implementing multi-factor authentication (MFA) across your organization is a fantastic launchpad for passwordless authentication. By getting users accustomed to various passwordless MFA factors, you can speed up the education and training phases of passwordless authentication.
Also, MFA adds a significant boost to the security of every access transaction, which, once realized, can be a motivating factor in implementing true passwordless authentication across the organization.
JumpCloud’s MFA capabilities, including the authenticator app JumpCloud Protect, are built to provide a frictionless experience, reinforcing to employees that taking things one step further with passwordless authentication will improve, not detract from, their daily lives. Plus, IT can learn from any challenging parts of MFA implementation and apply those lessons to passwordless authentication projects.
To see for yourself how JumpCloud’s MFA tool can jumpstart your passwordless authentication future, sign up for JumpCloud Free today. Test out the full functionality of our platform for up to 10 users and 10 devices, no credit card required.