The benefits and challenges of passwordless authentication
More and more organizations are adopting passwordless authentication. Gartner predicts that, by 2022, 60% of large and global enterprises as well as 90% of midsize enterprises will implement passwordless methods in more than half of use cases.
Passwordless authentication swaps traditional passwords for a system that identifies users by more secure methods such as a “possession factor” or an “inherence factor.” By switching to a passwordless approach, companies give their employees the same effortless and secure authentication methods that users already experience on their smartphones (e.g., Face ID or a fingerprint scanner). This is sometimes confused with two-factor authentication (2FA), because the second factor in 2FA is typically passwordless, but passwordless access is different: the password is removed rather than supplemented.
There are different ways to implement passwordless authentication:
- Via the user’s email, which is considered a secure channel for transmitting a token that the person can use to confirm their identity.
- Through the user’s smartphone, which is protected with a passcode and biometrics. Authenticator applications can generate one-time passwords or receive push notifications asking the user to confirm the login.
- Through a hardware token connected via USB, NFC, or BLE. Some hardware tokens can also generate one-time passwords, and some even have a keypad for entering data (e.g., an authentication challenge code).
Passwordless authentication is a relatively new method, so it can be challenging to choose the type of implementation that fits your needs. Below we compare the advantages and disadvantages of using email, a mobile authenticator, and a hardware token.
Passwordless authentication can be used for both personal and business purposes. When it comes to personal use, almost every user has multiple online accounts, which makes it hard to create, and even harder to remember, a distinct password for each. A device with fingerprint or face recognition is therefore genuinely useful.
For enterprises, the need for passwordless authentication is even more pressing, as it makes it possible to implement more granular access control under a stricter zero-trust policy. At the same time, it removes the burden on users of memorizing a new password every three months and reduces the cost of supporting the whole system for IT departments.
Although passwordless represents a more secure authentication method, deploying this model still has its challenges. The biggest issues are the total budget and the complexity of migration. The budget must cover the purchase of hardware as well as setup and configuration. There is also the challenge of overcoming an old-school mentality when employees and IT leadership resist moving away from familiar, conventional security methods.
We see passwordless authentication being used more and more often. Giants such as Microsoft, Google, and Slack have already implemented these solutions. The WebAuthn standard has also been published; it makes it possible to implement public-key-based passwordless authentication with different levels of protection, using both software and hardware cryptographic modules on the client side.
This standard has already been implemented for the most popular platforms and frameworks. All in all, passwordless authentication is an effective solution that provides a more secure working environment for IT staff and employees by routing suspicious login attempts to additional verification.