What Is Passwordless Authentication?

How many times have you clicked the “Forgot Password” link this month? Or received a ticket from an end user who needed help doing this? How many times did you reset your password to one you’ve used before (or had to scold an end user for wanting to do the same thing)?

If your numbers are high, we don’t blame you for experiencing password fatigue. More and more applications require passwords, making it harder and harder to create and memorize unique ones. The problem is, once a cybercriminal discovers the password you like to use, they have the keys to your information 一 and potentially your company’s and customers’ information, too.

Verizon’s 2021 Data Breach Investigations Report revealed that 61% of breaches involved credential data. So it’s no surprise that organizations are turning to other password solutions, namely, passwordless authentication. In this piece, we’ll explain what passwordless authentication means, how passwordless authentication works, and how to implement passwordless authentication to safeguard your business.

What Is Passwordless Authentication?

Also, is passwordless authentication safe? As its name indicates, passwordless authentication is a method of verifying identity without using a password. Instead, users authenticate with safer (and more convenient) factors like secure tokens and magic links, delivered via email, text message, or an authenticator app.

Other popular passwordless authentication methods are facial recognition or fingerprint scanning. With passwordless authentication, employees aren’t forced to make up and remember hundreds of passwords, which can have a huge impact on productivity and decrease the likelihood of password misuse.

Without passwords to steal, bad actors can no longer leverage credential stuffing, a technique by which they try logging into multiple sites at once with hijacked credentials, waiting for a hit.

Besides these additional protections, passwordless authentication also helps companies enforce their Zero Trust policy with more specific access control. And further, passwordless protection reduces the overhead and cost of ensuring that employees change their passwords every few weeks or months.

How Does Passwordless Authentication Work?

So, how can you log into something without a password? Well, when you break it down, a password is simply a “knowledge factor,” meaning something you know. But, as we’ve seen, this type of factor is prone to sharing, misuse, and theft. Passwordless authentication replaces that knowledge factor with something harder to steal or replicate, such as a possession or biometric factor.

• Possession factor – This is something you own or have. A possession factor could be an email address, phone, FIDO (Fast IDentity Online) authenticator, or RSA key (digital signature). These things don’t require memorization and are difficult for someone to hack. 

Use case: Receiving an email with a magic link or receiving a push notification via an authenticator app.

• Biometric factor (also called “inherence factor”) – This is something you are or is intrinsic and unique to you. A biometric factor could be an iris scan, voiceprint, or facial recognition. These are extremely tough to replicate and cannot be forgotten, as they are a part of you. 

Use case: Signing into your phone with Face ID or using your fingerprint to access an application containing sensitive material.

Is Passwordless Authentication Safe?

Like any cybersecurity tactic, passwordless authentication is not foolproof. Some skeptics point out that magic links can be compromised. Others note there are ways for attackers to clone voices, bypass fingerprint locks, and use machine learning to create realistic facial images. 

But password reset emails can also be intercepted, and the time and effort required to circumvent biometric checkpoints are substantially higher than the strategies hackers currently use to decipher employee passwords. Plus, passwordless authentication technology continues to get stronger over time, limiting the damage hackers can do.

Even as it stands today, passwordless authentication can significantly improve a company’s security posture in several ways:

1. Eliminating unsafe passwords. The most obvious benefit to passwordless authentication is that there are no more “123456,” “password,” or “abc123” passwords in your organization. The most inexperienced hackers can crack those, but evading biometric or possession factors requires far more sophistication.

2. Preventing brute force attacks. One of the more common ways hackers get into company systems is through trial and error. In a brute force attack, attackers use scripts to guess tons and tons of username and password combinations and patiently wait for a hit. While companies turn on limited login attempt features to stop these attacks from happening, hackers have ways to get around that too. But when a company no longer uses passwords, brute force attacks are no longer an option.

3. Protecting against password spraying. Password spraying is similar to brute force attacks — hackers try the same password for multiple user IDs. Their scripts paste and paste and paste until they get a match. But, also like brute force attacks, spraying can’t work without passwords to exploit.

4. Evaluating credentials based on context and policies. Modern passwordless authentication platforms don’t just assess biometric and possession factors. They also examine other user attributes like location, number of attempts, and application usage. With machine learning, passwordless authentication solutions can learn what “normal” behavior looks like and how to spot anomalies. AI-driven passwordless authentication tools can also help IT managers create dynamic access rules and automatically deploy identity and access management policies that identify and discourage privilege misuse.

5. Encouraging a Zero Trust Policy. A Zero Trust framework requires all users to be continuously vetted and authenticated — in layman’s terms, it’s a “trust no one” policy. The biometric and possession factors in passwordless authentication promote this approach, allowing security teams to confirm that anyone attempting to access an organization’s network, applications, or data will be verified through means other than a password.

How Do You Implement Passwordless Authentication?

Passwordless authentication sounds ideal in theory 一 you get extra protection along with an enhanced user experience and reduced IT costs. But going fully passwordless isn’t so simple in practice. Take a moment to think about how many applications employees use at a business (Hint: it’s a lot). And for each application that requires a password, you’ll need to implement new forms of authentication using a possession or biometric factor. All in all, it’s a huge project.

To make implementation less daunting, many companies split this process into several phases: 

1. Centralize authentication. By consolidating logins to various applications, you immediately decrease the number of passwords users need to remember. A good example of this is single sign-on (SSO).

2. Enforce multi-factor authentication (MFA). MFA takes the security enhancement of SSO a step further in that someone attempting to authenticate is now faced with multiple factors they must verify. Once those are verified successfully, users are granted access to the application. MFA is a fantastic precursor to passwordless authentication because it still has a stored password, and users grow accustomed to the verification factors typically used in passwordless authentication at the same time. Learn more about passwordless authentication vs. MFA.

3. Implement FIDO2 passwordless authentication and scale it across the business. Because this is a complex, costly process, many companies opt to implement passwordless authentication one element at a time (i.e., first SSO, then MFA, and so on), gathering feedback from developers and end users along the way. This step-by-step approach allows them to pay more attention to change management and plan for future passwordless authentication maintenance.

Get Started with Passwordless Authentication

Forcing employees to remember multiple complicated passwords and hoping they don’t reuse or accidentally share them is essentially asking for a breach. And breaches are costly. Although most small to midsize enterprises (SMEs) estimate the cost of a breach to be less than $10,000, the true average cost of a breach for these companies is $149,000.

In this day and age, you need a convenient, cost-effective, secure method of protecting your information without overburdening your employees, clients, or IT department. The answer is passwordless authentication. Gartner predicts that 60% of large and global enterprises and 90% of midsize companies will implement passwordless methods by 2022. But, as we’ve discussed, implementing passwordless authentication is no small feat.

Assuming you already have a robust SSO solution in place to centralize authentication, layering MFA everywhere is the next step toward a passwordless future. JumpCloud’s frictionless authentication can prevent unauthorized access and bring you closer to a Zero Trust security model. Even better, you can consolidate your identity management, SSO, and MFA tools into our comprehensive cloud directory platform and free up your IT resources. 

To learn more, sign up for a free trial of JumpCloud today to test out the full functionality of our platform in your own IT environment.