Passwordless authentication is the process of verifying someone’s identity without the use of the typical claim (username) and password. Tools that inject traditional credentials into a login prompt are not passwordless.
The most common passwordless authentication methods are biometrics, such as fingerprint and facial recognition, and out-of-band apps, which are common on smartphones. These smartphone apps often require a biometric ID verification combining multiple factors into a single authentication process.
Why Is Passwordless Authentication Popular?
While the promise of passwordless authentication replacing traditional credentials has been alive for over three decades, the technology available today has made it a reality. In 2022, the passwordless market was $15.6B, but it is expected to grow to over $53B by 2030 [1]. A large part of today’s passwordless adoption is made possible through smartphones.
During this past decade, compliance with government mandates has been the motivating force for organizations to adopt passwordless technologies:
Healthcare—Healthcare breaches in the U.S. and worldwide inflict more financial pain onto organizations in this market than any other, even finance. Government institutions have responded with specific passwordless and two-factor authentication requirements.
Financial Services—While government regulations mandate the protection of their customers’ private financial and personal information, maintaining consumer trust is an even more impactful driver of securing data. While financial services have been a leading adopter of multifactor authentication, smartphone platforms have further pushed passwordless adoption for identity verification.
Identity verification for the workforce
Historically, the use of passwordless technology as part of workforce security has been relegated to specialized applications and users. It's only this past decade that the four most significant barriers to its adoption have dissolved:
Hard tokens, company-grade fingerprint readers, and other biometric devices have been too expensive for enterprise-wide use.
The cost of enrollment was prohibitive for mass adoption, especially for remote offices that were too small to justify onsite IT support, as well as remote employees. Without remote administration, the devices required physical touches for setup.
The ongoing remote administration of authentication devices was impossible. Remote users had to send in their appliances to perform resets and reconfiguration.
Security teams, their management, and especially their users lacked confidence in passwordless technologies. The recent proliferation of mainstream use cases in which users authenticate without passwords has generated a wave of authentication modernization and planning.
Beyond the evolution of the devices themselves, authentication use cases and the requirements around them have also changed, and not only because of government mandates.
More than ever in the past, field workers are connected and often access private information using mobile platforms. In addition to the typical road warriors, the adoption of telecommuting has seen significant growth during the past three years. While telecommuting had already been experiencing steady growth before the pandemic, new remote work policies have gained widespread adoption across all industries.
Structured and unstructured private data is increasingly stored and accessed from the cloud rather than the data center. As the data center has lost critical mass of hosting corporate services, routing remote traffic through the data center has dramatically diminished. This means that typical firewall security techniques are becoming irrelevant.
Personal device use
Further eroding security control, bring-your-own-device (BYOD) continues to gain traction. Remote access to cloud-hosted resources from BYOD devices shifts the fundamental reliance away from managed devices to identity-based security. This reliance translates to a heightened exposure to phishing and other identity attacks that circumvent identity verification.
This move away from managed networks, in-house digital resources (services and unstructured data), and managed devices means that security teams can no longer depend on them as part of their strategy. Instead, building on identity requires a verification strategy that is highly resistant to impostors. And while adoption of multifactor authentication will continue to grow, even single-factor passwordless raises the security bar over username and password while simplifying the authentication process. An employee enjoys the quick experience of facial recognition, a verified fingerprint, or some passive method. At the same time, the organization has increased its protection against its most prominent vulnerability and most frequent breach technique: phishing.
Consumers moving to passwordless
The core passwordless enabler is the smartphone. While it’s true that these devices pack a hefty amount of computing power into such a small package, the fact that they’ve become an extension of so many people is what makes them a passwordless game-changer. People use them for anything, from texting to social media to online shopping and banking. They take pictures at a moment’s notice, look for directions, or search for answers. Consumers tying themselves to a handheld computing device has produced an authentication paradigm shift never seen before:
Universal connectivity allows out-of-band verification of someone’s identity during authentication.
The portable processing power can generate seeds and keys that can act as one-time PINs.
Biometric and passive authentication methods will advance as smartphones advance, allowing verification to evolve and become more sophisticated.
Consumers are becoming more aware of the threats that traditional authentication poses to them. Organizations recognize this shift and see opportunities to enhance their digital services.
How Secure Is Passwordless Authentication?
Verizon's data breach team has identified spear phishing as the dominant way criminals poach credentials. Spear phishing begins when the attacker sends an email that appears to come from a trusted source, such as a bank or a colleague, and directs victims to a mock website. This website requires authentication, duping victims into revealing their credentials, entering credit card numbers, or providing some other set of private information.
A variation of this attack offers a link that, when clicked, installs malware on the victims’ computers.
Passwordless technology is well suited to protecting against these types of attacks. On platforms configured to eliminate passwords, there is no password to capture, whether at entry or through keystroke logging. On platforms that still offer passwords as an option alongside passwordless, the password can be reinforced with a passwordless second factor, such as something the user has (a smartphone) or something the user is (a biometric).
All this reliance on smartphones brings their vulnerabilities front and center in the security discussion. If attackers get hold of a mobile device, they may be able to intercept PINs, OTPs, and out-of-band push approvals, or re-enroll the biometrics to match themselves. SIM card theft poses an SMS/OTP risk as well. Even careful users can be compromised if attackers manipulate the service provider into canceling a legitimate SIM card and transferring the subscriber's service to one under their control.
While no organization can thwart every threat, simply moving to a passwordless paradigm protects against the most common ones. Even for single-factor authentication, moving away from typed-in credentials starts from a higher security level, but more can be done. Organizations can elevate their security further by augmenting their strategy with risk-based authentication (RBA). RBA has a long-proven track record of controlling when additional steps are needed to verify someone's identity. Organizations can invoke a second authentication factor under pre-defined conditions, such as:
Organizations can use these criteria to determine how many levels of identity verification are necessary. For example, an organization could define a policy requiring a fingerprint to access most of its information, while a more sensitive subset requires multifactor authentication whenever the measured risk is elevated per the criteria listed above or the resource's sensitivity demands it.
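As an added illustration (not NetIQ code and not from the article), the following Python encodes the step-up policy just described: a fingerprint suffices for most resources, and a second out-of-band factor is required when the resource is sensitive or the measured risk crosses a threshold. The risk signals, their weights, the threshold, and the factor names are assumed values chosen for the example.

```python
"""Step-up policy evaluator for risk-based authentication (RBA).

Illustrative example only. The signals, weights and threshold below are
assumptions for this demonstration, not values from any product or policy.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed risk signals and example weights (higher = more suspicious).
RISK_WEIGHTS = {
    "new_device": 30,         # first authentication seen from this device
    "unmanaged_device": 20,   # BYOD endpoint with no device management
    "unusual_location": 25,   # location differs from the user's history
    "impossible_travel": 50,  # distance/time since last login is implausible
    "off_hours": 10,          # outside the user's normal working hours
}
STEP_UP_THRESHOLD = 40        # score at which a second factor is demanded

BASE_FACTORS = ["fingerprint"]                  # passwordless single factor
STEP_UP_FACTORS = ["fingerprint", "push_approval"]  # plus out-of-band push


@dataclass
class Decision:
    risk_score: int
    factors: List[str]   # factors the user must satisfy for this request
    reason: str


def risk_score(signals: Iterable[str]) -> int:
    """Sum the weights of distinct signals; unknown signal names add 0."""
    return sum(RISK_WEIGHTS.get(s, 0) for s in set(signals))


def evaluate(resource_sensitivity: str, signals: Iterable[str]) -> Decision:
    """Return the authentication factors required for one access request.

    resource_sensitivity is "normal" or "sensitive"; anything else is
    rejected so that a misconfigured resource label fails closed.
    """
    if resource_sensitivity not in ("normal", "sensitive"):
        raise ValueError(f"unknown sensitivity: {resource_sensitivity!r}")
    score = risk_score(signals)
    if resource_sensitivity == "sensitive":
        return Decision(score, list(STEP_UP_FACTORS), "sensitive resource")
    if score >= STEP_UP_THRESHOLD:
        return Decision(score, list(STEP_UP_FACTORS),
                        f"risk score {score} >= {STEP_UP_THRESHOLD}")
    return Decision(score, list(BASE_FACTORS), "baseline policy")
```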
How Can Passwordless Authentication Differentiate a Business?
The previous section lists the advantages, and the security limitations, that passwordless authentication can offer a business. In short, passwordless methods—such as biometrics (e.g., fingerprint or facial recognition) or something you have, such as a smartphone—offer more robust security than traditional password-based methods, especially against spear phishing. This section reviews some of the business value that added security offers.
When organizations are better able to control the risk inherent in engaging with their digital customers, they’re able to engage more effectively, allowing more meaningful interactions to take place under a more comprehensive set of circumstances.
A healthcare provider can engage in better remote care by sharing ePHI and specific instructions from a clinician. Even where two-factor authentication is required, the patient doesn’t have to remember complicated credentials if both factors are passwordless. Passwordless is also simpler to use on mobile devices without a keyboard. Simplified yet secure access can become a game changer for impaired patients who are frustrated by a complex authentication scheme.
A financial portfolio manager shares highly sensitive information with clients. Investment and account information regularly involve large amounts of money. Typically, these types of portals require complex passwords for identity verification. Passwordless authentication allows these organizations to provide fast and secure access to their clients, which goes a long way to achieving customer satisfaction.
eCommerce services are the most common spear phishing attack points. These attacks erode consumer trust in conducting business electronically. Passwordless authentication allows eCommerce retailers to soften the impact of risk-based authentication by using passive methods to respond to measured threats. More so than in other industries, unacceptable friction in retail transactions leads to lost customers who gravitate to retailers that are easy to do business with. One of the most effective ways to remove barriers for new digital customers is to use passwordless authentication in place of complex passwords or multi-step authentication processes.
Universities and other organizations securing users who are constantly on the go—FIDO (Fast Identity Online) is a standard that allows standards-based physical keys or tokens, not to be confused with older, expensive, proprietary options, to verify one’s identity. These phishing-resistant methods pose a notable barrier for attackers to bypass, keeping valuable student information private. Students, staff, and faculty can plug their small portable FIDO devices into their computers or connect them over Bluetooth. The device can deliver fast access to secured resources or serve as part of a multifactor authentication configuration.
The scenarios of increased security and convenience through passwordless authentication, which is the future of authentication, are far more expansive than these few examples. Passwordless authentication also provides an excellent security foundation for the broad adoption of single sign-on (SSO). SSO delivers seamless access to secured resources with a single authentication instance. Even more so than passwordless technologies, SSO lowers or eliminates the friction that users would otherwise experience. Because SSO is more about convenience rather than security, some security teams are wary of broad adoption because a single authentication can potentially allow access to all the user’s digital resources. Passwordless’s resistance to the most common breach attacks significantly reduces that risk, freeing up IT to configure an environment that vastly reduces interruptions and delays for its users.
NetIQ Powers Your Business
OpenText™ NetIQ™ offers a comprehensive set of identity and access services, allowing workers to securely access resources from anywhere, on any device, at any location, and at the right time. NetIQ also empowers organizations to interact with their consumers effectively and securely.