Several years ago, passwordless authentication would’ve sounded like something out of a spy movie. Somehow doors would open, or computers would reboot with the tap of a fingerprint or retinal scan. Today’s world is not too far off from that reality. Some of that “magic” is relatively mainstream.
But how does passwordless authentication work behind the scenes? What are the unique benefits of using certain modes of authentication over another? And is passwordless authentication safe?
In our previous post in this series, we gave a high-level overview of passwordless authentication and how it works. In this post, we will dive into the details of why you would use passwordless authentication, the pros and cons of various methods, and how to apply them.
Why Use Passwordless Authentication?
There are several reasons to use passwordless authentication (beyond getting the feeling that you’re James Bond).
First, generally speaking, passwordless authentication is a more secure option than password-based authentication. Many employees don’t want to remember hundreds of individual passwords, so they reuse the same or similar combinations of numbers and letters everywhere. If attackers learn one password, they are likely to unlock more accounts through password spraying, credential stuffing, or phishing attacks. Without a password to steal or guess, attackers are flying blind.
Passwordless authentication is also more convenient for employees. Accessing an application based on something they have or something inherent to them doesn’t require them to remember anything. Employees can log into devices faster by presenting a code, security token, magic link, or body part and never have to worry about forgetting their passwords again.
Finally, passwordless authentication reduces overhead, saving IT time and eliminating the need to remind employees to change their passwords every month or deal with the never-ending flow of password tickets.
Passwordless Authentication Factors
Typically, you use something you know, like a password, to log into a platform. But, as we’ve discussed, knowledge-based authentication factors like passwords are prone to misuse, making them easy to steal. Passwordless authentication removes the need for a password altogether by using other forms of authentication, including possession factors, biometric factors, or magic links.
Possession factors, otherwise known as ownership factors, grant access through something you own, like a cell phone. With that device in hand, you can receive one-time passcodes via email or SMS, or receive push notifications from an authenticator app. Responding to those notifications or entering the codes logs users into the platform. Because an attacker would need control of the registered device to respond to the application’s prompts, attacks are more challenging to execute.
Examples of possession factors:
- Mobile device
- Authenticator app
- Hardware token
- Smart card
How they work:
- When registering for a new application, the user will provide and verify their possession factor ID (for example, a mobile device number or QR code).
- The application generates a private key and associates it with that possession factor.
- Whenever a user attempts to log in again, the application will send a one-time passcode, PIN, or push notification to the possession factor provided during setup.
- The user receives the passcode, PIN, or push notification on their device.
- The user inputs the passcode or PIN or reacts to the push notification, taking them directly to the application.
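The server side of the flow above, as an added example that is not code from the original post or from JumpCloud: a small service that issues a short one-time passcode for delivery to the registered device and then checks what the user types back. It applies the hygiene points the post lists later for possession factors: the code expires, only the most recently issued code is accepted, it is consumed on first successful use, and a handful of wrong guesses invalidates it. The class name, the policy constants, and the in-memory store are assumptions; a real deployment would persist the pending codes and do the actual SMS, email, or push delivery.

```python
import hmac
import secrets
import time

# Assumed policy values, not taken from the post or any product.
CODE_TTL_SECONDS = 120      # a code is valid for two minutes after issue
MAX_FAILED_ATTEMPTS = 3     # after this many wrong guesses a new code is required
CODE_DIGITS = 6


class OneTimeCodeService:
    """Constructed model of a possession-factor check (hypothetical name)."""

    def __init__(self):
        # user_id -> {"code", "issued_at", "failures"}.
        # Only the newest code per user is stored, so an older code that was
        # delivered late or intercepted is automatically rejected.
        self._pending = {}

    def issue(self, user_id, now=None):
        """Generate a fresh code for user_id and return it for delivery to the device."""
        now = time.time() if now is None else now
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {"code": code, "issued_at": now, "failures": 0}
        return code

    def verify(self, user_id, submitted, now=None):
        """Return True once for the current, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding, consumed, or locked
        if now - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[user_id]        # expired: discard, user must request again
            return False
        # Constant-time comparison so response timing does not reveal matching digits.
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[user_id]        # single use: consume on success
            return True
        entry["failures"] += 1
        if entry["failures"] >= MAX_FAILED_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: force a new code
        return False


if __name__ == "__main__":
    svc = OneTimeCodeService()
    code = svc.issue("alice")                 # in production this is sent to the phone
    print("accepted first use:", svc.verify("alice", code))
    print("accepted replay:", svc.verify("alice", code))
```

The attempt limit matters more here than for a magic link because a six-digit code has only a million possibilities; without it, an attacker who can submit guesses quickly could brute-force the code within its lifetime.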
Biometric factors, otherwise known as inherence factors, grant access based on biological characteristics. These are virtually impossible for hackers to imitate, plus they reduce user friction.
Examples of biometric factors:
- Retinal scan
- Facial recognition
- Fingerprint scan
How they work:
- When registering an account on a new application, a user will present some form of biometric ID. This ID will serve as a private key.
- Whenever users need to re-access the application, they present the biometric ID they signed up with.
- The presented biometric is compared to the one enrolled at registration.
- When matches are made, private keys unlock, and users are logged into the platform.
With magic links, a user enters their email address and receives a sign-in link by email. Once clicked, the link logs the user straight into the application.
Examples of magic links:
- Signing into a new Slack instance
- Signing into a Medium account
How they work:
- A user visits an application for the first time.
- Upon registration, the application prompts the user to enter their email address.
- The user enters their email address and clicks submit.
- The application creates a magic link and assigns it a specific token.
- Next, the application sends an email containing the magic link to the user.
- The user clicks on the link.
- The application parses the query parameters and searches an internal database for the token.
- When an entry with a matching token is found, the user gets authenticated.
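The magic-link steps above, as an added example that is not code from the original post or from JumpCloud: the application mints a random token, records it, builds the link, hands the email to a delivery service, and on click parses the query parameters and looks the token up. Two details a practitioner would want beyond the steps as listed: the database holds only a hash of the token, so a leaked copy of the table cannot be turned into working links, and the lookup removes the entry, so a link works exactly once and only within its validity window (the one-time-use and expiry points from the best practices later in the post). The class name, the endpoint URL, the 15-minute lifetime, and the in-memory store and outbox are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values, not taken from the post or any product.
LINK_TTL_SECONDS = 15 * 60
BASE_URL = "https://app.example.com/auth/magic"   # hypothetical sign-in endpoint


class MagicLinkService:
    """Constructed model of magic-link issuance and verification (hypothetical name)."""

    def __init__(self):
        # sha256(token) -> {"email", "issued_at"}. Only the hash is stored.
        self._tokens = {}
        # Stands in for the email delivery service: a list of messages "sent".
        self.outbox = []

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_link(self, email, now=None):
        """Create a token for email, email the link, and return the link for inspection."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)     # 256 bits of randomness: unguessable
        self._tokens[self._hash(token)] = {"email": email, "issued_at": now}
        # token_urlsafe only emits URL-safe characters, so urlencode leaves it intact.
        link = f"{BASE_URL}?{urlencode({'token': token})}"
        self.outbox.append({"to": email, "body": f"Click to sign in: {link}"})
        return link

    def authenticate(self, clicked_url, now=None):
        """Parse the clicked URL; return the authenticated email, or None on failure."""
        now = time.time() if now is None else now
        params = parse_qs(urlparse(clicked_url).query)
        token = params.get("token", [None])[0]
        if not token:
            return None                                    # no token in the query string
        # pop() makes the link single-use: a second click finds nothing.
        entry = self._tokens.pop(self._hash(token), None)
        if entry is None:
            return None                                    # unknown, already used, or forged
        if now - entry["issued_at"] > LINK_TTL_SECONDS:
            return None                                    # expired
        return entry["email"]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.request_link("user@example.com")
    print("sent:", svc.outbox[-1]["body"])
    print("first click:", svc.authenticate(link))
    print("second click:", svc.authenticate(link))
```

Hashing the token before lookup also sidesteps timing concerns in the comparison: the dictionary lookup is keyed on a digest, so an attacker submitting guesses learns nothing about how close a forged token was.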
Passwordless Authentication Best Practices
Implementing a passwordless authentication tool is a big undertaking that organizations have to prepare for. Without proper planning, you risk poor adoption, which opens the door to vulnerabilities rather than closing it on them.
Your planning should center around leadership, user buy-in, and effective change management. To do that, you need to help users understand:
- Why the change is happening. Most employees aren’t big fans of change, especially when they don’t have context for it. If they don’t understand why passwordless authentication is important, they’ll find ways to get around it, creating more problems for you and your team. Take time to document the problems with a password-driven culture and communicate why you’re moving to a passwordless future.
- How it will affect their day-to-day work. Employees usually equate security changes to more work on their end. Use the time before your rollout to emphasize the benefits of going passwordless — employees won’t have to memorize passwords or create new ones every day. Signing into their applications with their face, a fingerprint, or a magic link will boost their productivity, not hinder it.
- Steps users need to take before the rollout. Don’t leave users in the dark. Make any pre-launch steps abundantly clear through writing and videos, customize them to every device, platform, and operating system, send reminders before and during the launch, and host day-of training sessions to walk users through the setup process. Consider investing in a passwordless authentication platform with built-in training for admins and end users.
- Where to find information about the new solution. Consider creating and adding information about your passwordless solution setup, rollout, and support in your internal knowledge base or intranet. Make it easy for people to self-serve with FAQs, demos, troubleshooting tips, and portals to IT ticketing systems for more complex problems.
Spending time laying the groundwork for a successful launch upfront will help you lighten your IT support load, encourage adoption, and decrease the chances of security issues down the line due to lack of use or misuse.
Factor-Specific Best Practices
Companies must follow technical best practices as well. Broadly, the vendor you pick must work on the operating systems and devices your employees use. Double-check that’s the case for all versions of those tools. Then, ensure you abide by hygiene tips specific to each authentication factor.
Possession factors:
- Use an accredited authenticator app.
- Limit failed attempts and the time a code is valid.
- Only accept the most recently issued one-time-use code.
- Include the application name and the user’s name in SMS messages so users can tell a legitimate code from a phishing message.
Biometric factors:
- This should be a given, but remind users not to share their fingerprint or facial data.
- Have a backup authentication factor in case of malfunctions.
- Use biometric factors that are harder for attackers to circumvent, like palm vein scanning, typing cadence, or gait recognition.
Magic links:
- Ensure your email delivery service can deliver magic links quickly and reliably. You don’t want them to end up in spam folders.
- Provide one-time-use links that expire after a set period.
- Enforce multi-factor authentication to prove the user is who they say they are.
- Work with your email provider to prevent message threading, as this confuses users.
Making Passwordless Authentication a Reality
While each of these methods seems relatively straightforward, the configuration and implementation on the back-end are more complex. Achieving passwordless authentication for just one application is tough; extrapolating that process to every single application your employees use is a substantial undertaking.
At the same time, there’s significant upside to using passwordless authentication: enhanced security, a better user experience, long-term reduction of IT workload, and thus, increased overall productivity. Trying to balance the need for passwordless authentication with its tricky implementation is overwhelming. Luckily, you can take baby steps.
Implementing multi-factor authentication (MFA) across your organization is a fantastic launchpad for passwordless authentication. By getting users accustomed to various passwordless MFA factors, you can speed up the education and training phases of passwordless authentication.
Also, MFA adds a significant boost to the security of every access transaction, which when realized can be a motivating factor to help implement true passwordless authentication across the organization.
JumpCloud’s MFA capabilities, including the authenticator app JumpCloud Protect, are built to provide a frictionless experience, reinforcing to employees that taking things one step further with passwordless authentication will improve, not detract from, their daily lives. Plus, IT can learn from any challenging parts of MFA implementation and apply those lessons to passwordless authentication projects.
To see for yourself how JumpCloud’s MFA tool can jumpstart your passwordless authentication future, sign up for JumpCloud Free today. Test out the full functionality of our platform for up to 10 users and 10 devices, no credit card required.