Is passwordless authentication secure?
A traditional password has long been a central component of cybersecurity. However, analyses of many data breaches show that the most popular passwords in the world are still "password" and "123456". Such findings cast doubt on the safety of this type of authentication: most users know the risks of weak passwords but prefer convenience over security. This encourages us to look for other ways to balance password strength with ease of use. The solution to all of these problems might be passwordless authentication.
What is passwordless authentication?
Passwordless authentication confirms the identity of the user with alternative data instead of relying on passwords made of elaborate letter and digit sequences. In some cases, this means using a service that has already authenticated the user to confirm their identity. In others, it means dismissing the password altogether and recognizing data unique to the user.
What are the passwordless authentication methods?
Passwordless authentication combines some form of public identifier (username, email address, phone number) with secure proof of identity. The proof generally falls into two categories:
● Ownership – the fact that you own something proves that you are who you claim to be
● Inherence – your biometric data proves that you are who you claim to be
Here are the most common examples of passwordless authentication methods.
Magic link through email
This method relies on email authentication: the service sends a URL that can only be used for a limited time before it expires. If you have ever forgotten the password for one of your accounts, chances are you restored it using a magic link sent by email. This is a fairly simple method of authentication that could substitute for a password on its own. Still, to make this method effective, you have to make sure that your email account has a strong and unique password. Otherwise, you might become a victim of a malvertising attack.
Code through email
Code through email is a different spin on the magic link. Phishing attempts are sometimes disguised as magic links from websites on which you're registered. This method instead sends only a sequence of random numbers and letters that you can use to confirm your identity without clicking any URL in your email.
Code through SMS
Code through SMS works identically to code through email; the only difference is the channel used, the cellular network. Instead of logging in to your email, you get an SMS message with a code that you have to enter to confirm your identity. The reliability of this method depends heavily on your mobile carrier.
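The three methods above (magic link, emailed code, SMS code) share one server-side mechanism: a randomly generated secret that is stored only as a hash, expires after a short time, can be used exactly once, and, for short numeric codes, is protected against guessing by an attempt limit. The following is an added example written for this article, not code from any product; the ten-minute lifetime, the five-attempt cap, the LOGIN_URL endpoint and the in-memory store are all assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 600   # assumed policy: a link or code is valid for 10 minutes
MAX_ATTEMPTS = 5          # assumed policy: a 6-digit code can be guessed, so cap the tries
LOGIN_URL = "https://login.example.test/magic"   # hypothetical endpoint


@dataclass
class PendingLogin:
    token_hash: bytes   # only a hash is stored, so a leaked table does not expose live tokens
    expires_at: float
    attempts: int = 0


class PasswordlessIssuer:
    """Issues and verifies one-time magic links and emailed/SMS codes."""

    def __init__(self, now=time.time):
        self._now = now   # injectable clock, so expiry can be tested deterministically
        # identifier (email or phone number) -> pending login; stand-in for a database table
        self._pending: dict[str, PendingLogin] = {}

    @staticmethod
    def _hash(secret_value: str) -> bytes:
        return hashlib.sha256(secret_value.encode()).digest()

    def _store(self, identifier: str, secret_value: str) -> None:
        # Re-issuing replaces any earlier token, so only one is live per identifier.
        self._pending[identifier] = PendingLogin(
            self._hash(secret_value), self._now() + TOKEN_TTL_SECONDS)

    def issue_magic_link(self, email: str) -> str:
        token = secrets.token_urlsafe(32)    # 256 bits of entropy: unguessable within the TTL
        self._store(email, token)
        return f"{LOGIN_URL}?{urlencode({'email': email, 'token': token})}"

    def issue_code(self, identifier: str) -> str:
        # 6 digits is what fits comfortably in an SMS; MAX_ATTEMPTS makes brute force impractical
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._store(identifier, code)
        return code

    def verify(self, identifier: str, presented: str) -> bool:
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[identifier]          # expired: discard, user must request a new one
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[identifier]          # too many guesses: force a re-issue
            return False
        if not hmac.compare_digest(entry.token_hash, self._hash(presented)):
            return False                           # wrong value, but the attempt was counted
        del self._pending[identifier]              # single use: a replayed link or code fails
        return True


if __name__ == "__main__":
    issuer = PasswordlessIssuer()
    link = issuer.issue_magic_link("alice@example.test")   # constructed sample address
    token = link.split("token=")[1]
    print("first use:", issuer.verify("alice@example.test", token))
    print("replay:", issuer.verify("alice@example.test", token))
```

Storing only the hash and comparing with hmac.compare_digest keeps the verification constant-time and means a dump of the pending-login table is useless on its own; deleting the entry on success is what makes a forwarded or intercepted link worthless once the legitimate user has clicked it.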
Authenticator apps
Instead of being sent once, the code can be constantly refreshed. Authenticator apps automatically generate a sequence of digits in a smartphone app that you need to type in when you want to log in somewhere. Most often, this method is used alongside a traditional password, adding a barrier on top of it. This gives some peace of mind in case of a data breach that reveals your password to the public.
Multi-factor authentication
Similarly to authenticator apps, multi-factor authentication usually reinforces password-based security with additional questions, i.e., a PIN, security questions, or any other piece of information. Rather than ever-changing authenticator digits, this relies on information that is more fixed and pre-defined by the user.
Hardware token authentication
A hardware token is a separate device built for authentication purposes only. Like authenticator apps, it uses ever-changing sequences of digits, but on a separate physical gadget rather than in an app. It has a unique identifier that helps to track unusual user behavior, and each generated code lasts for approximately 30 seconds before it expires and a new sequence is generated. Its main selling point is being more off the grid than a smartphone, which could more easily be infected by malware.
Biometrics
Biometrics is a broad term for the recognition of users' biological properties to confirm their identity. The most widely available biometric authentication methods are fingerprint scans, face scans, iris scans, and voice recognition. Each method varies in how it is implemented and in the maximum level of security it provides.
Benefits of using passwordless authentication
The most apparent benefit of passwordless authentication is in its name: it doesn't use a password. This alone is a plus because it limits the damage if someone gets hold of your password. There are additional benefits as well.
Better user experience
Passwordless authentication makes the user experience more streamlined by eliminating the need to memorize overly complicated passwords. If you're using biometrics, the experience is as simple as placing your finger on a fingerprint reader. This dramatically reduces the time you spend logging in and lets you concentrate on your tasks right away, rather than spending too long proving that you are who you claim to be.
Stronger security
If you reuse the same credentials everywhere you go, you're creating a massive hole in your cybersecurity. This can be mitigated by replacing your weak passwords with passwordless authentication measures, which are much harder to crack. Even when used alongside weaker passwords, passwordless authentication can function as one component of 2FA, which drastically increases your account's security.
Reduced maintenance costs (if you're running a business)
Think of the many times you've forgotten your password. Now imagine that it happens every day, and IT support agents have to deal with "I forgot my pass, please reset" daily. This translates into countless hours of resetting credentials, when it could be solved by using a credential that is pretty much impossible to forget or leave at home, i.e., your fingerprints or iris. This streamlines the whole process, saving support agents hours of tedious tasks.
So is passwordless authentication really safe?
On its own, passwordless login doesn't solve all the security problems associated with passwords. Instead of a password, you're relying on something else:
● If you're using a smartphone authenticator or hardware token, your login depends on it. If your device is stolen or broken, you could be locked out of your services for a while. Nor is this foolproof: it's possible to accidentally confirm monetary transfers.
● When using biometric data, a high level of quality is necessary so that the system won't accept photocopies instead of real faces in identity theft cases.
● When it comes to biometric data, some users might be privacy-conscious and naturally opposed to anything that collects such sensitive data. This issue came up with microchip implants used to track Chinese workers.
Ultimately, if you're thinking that passwordless authentication is the most secure authentication method and will solve all cybersecurity problems, you're missing the point. Your cybersecurity is only as strong as its weakest link: adding varied and multiple layers of authentication helps to create additional barriers. Still, it requires maintenance and good cyber hygiene to keep you safe from online threats.