Passwordless Authentication: What It Is and Why It Matters
Cybercriminals don't break in—they sign in. Over 80% of hacks involve the use of lost or stolen passwords. Passwords are the number one target for hackers, with 921 password attacks every second. Passwords are a liability. Fortunately, passwordless authentication eliminates our reliance on passwords and verifies your identity with an alternative like a fingerprint or a retina scan. Switching to a passwordless login restricts hackers' most common entry attack point. Understand what passwordless authentication is and why you should make the change.
What is passwordless authentication?
Passwordless authentication verifies a user's identity without requiring a username and password. Instead of a password, passwordless (or "modern") authentication relies on more secure alternatives to verify your identity, such as:
- Biometrics: fingerprint, facial recognition, or retina scan.
- Possession factors: USB security key or one-time passwords (OTP) through your phone.
- Magic Links: type in your email address to get a unique login link emailed to you. Click on it to log in.
You may already be using passwordless authentication without realizing it. Many banking apps authenticate users with voice or fingerprint recognition. Slack verifies users with magic links.
Passwordless authentication continues to grow in popularity — because it makes it easier to keep your data secure and private when logging in anywhere online. Sites and apps no longer store passwords, so there's nothing for cybercriminals to steal or phish. You won't need to remember your passwords, either.
The problem with password authentication
Passwords are the weakest link in cybersecurity, with over 80% of data breaches linked to weak or compromised passwords. According to LastPass's 2020 Report, 42% believe having an easy-to-remember password is more important than a secure one. And 66% use the same password or a variation for multiple accounts.
The average person needs to remember 100 passwords. Tracking and memorizing frequently changing app passwords is challenging and creates issues, which many people deal with by:
- Reusing the same password across multiple platforms
- Using weak passwords
- Writing passwords down
- Requiring a password reset
Bad actors use our lax password practices to mount cyberattacks and steal confidential data through phishing. Multi-factor authentication (MFA) can help as you get a heads-up notification when someone attempts to log in as you. However, switching to passwordless authentication increases security and improves user experience by removing friction from the login process.
Why should you go passwordless?
You might wonder why you should care about passwordless authentication instead of just password management. Going passwordless eliminates password-associated security issues:
- Phishing accounts for 36% of all data breaches. By eliminating passwords, phishing is no longer a threat, as you won't accidentally reveal your data if you respond to a phishing email.
- Eliminating passwords from the authentication process means cybercriminals can't misuse them. You're no longer vulnerable to brute force attacks or password data breaches.
- Using a USB security key reduces your vulnerability to phishing attacks.
Switching to passwordless also has many benefits for users and businesses.
For users, it gives you convenience and an easier login experience, reducing the chances of data breaches and identity theft. According to Verizon, in 2021, over 89% of account hacks involved brute-force password attacks or stolen credentials.
For businesses, 50% of all IT support tickets are password reset requests, and employees reuse corporate credentials as personal logins - 64% of Fortune 1000 employees reuse passwords across multiple sites. Account Takeover (ATO) through stolen or compromised credentials is the leading cause of data breaches. Switching to passwordless authentication can reduce IT costs and improve security by making it harder for unauthorized users to access business resources or data.
What are the types of passwordless authentication?
Passwordless authentication allows you to access an app or device without entering a password. Common types of passwordless authentication include:
- Email-based methods
- SMS-based methods
- Multi-factor authentication (MFA)
- Passwordless authentication for logged-in users
What are the three passwordless authentication factors?
An authentication factor is the type of evidence required to prove who you are. Passwordless authentication uses three factors other than a password:
- Possession Factors: something you have, e.g., a mobile phone or USB security key
- Biometric Factors: something you are, e.g., fingerprint
- Magic links: something sent to you, e.g., an email link
1) Possession Factors Authentication
Possession factors grant you access through the physical objects you own, such as a mobile phone or a USB token. You can log in to apps by responding to a one-time passcode (OTP) sent to your device or to a push notification from an authenticator app. This makes attacks harder to carry out, because an attacker would have to respond to the security prompt on your device in real time.
Possession Factor Types:
- Mobile Device: Mobile push notifications, SMS-based OTP, or a Phone Call
- Authenticator Apps: Microsoft Authenticator or Google Authenticator generates a one-time passcode to verify your identity on your mobile.
- Hardware OTP Token: Physical security devices that generate a single-use password.
- Physical FIDO keys: Replace your passwords with an external security key that plugs into a USB port and uniquely identifies the device holder.
How Possession Factor Security works:
- When you register for a new app, you provide and verify your possession factor ID (e.g., a mobile phone number or QR Code).
- The app generates a private key that links to your device.
- Whenever you attempt to log in again, the app sends your device an OTP, PIN, or push notification.
- You'll log in directly if you react correctly to the security message.
Possession Factor Pros:
- High security - stealing a phone or SIM card is a difficult task.
- A mobile phone can help determine the hackers' location.
Possession Factor Cons:
- It can be annoying to always manually enter an SMS code.
- The device can be lost or stolen.
- You may need to carry an extra device around.
- To receive a push notification, you need to install additional mobile apps.
2) Biometric Factors Authentication
Biometric factors or inherence factors are a common type of passwordless authentication commonly found on mobile devices. They grant you access through the biological characteristics that are unique to you, are virtually impossible to hack, and are convenient.
Biometric Passwordless Types:
- Retina scan
- Facial recognition
- Fingerprint scan
How Biometric Security works:
- You present a biometric ID when you register for a new service. This ID serves as the private key.
- You sign in using that biometric ID to re-access the platform.
- When your biometric ID matches, the private keys unlock and grant you access to the app.
Biometric Security Pros:
- High security. Mobile phones are built to prevent unauthorized access to devices and data.
- Fast, frictionless login access without compromising precision.
- Almost everyone has a mobile.
Biometric Security Cons:
- You need to install and set up additional apps on your phone.
- Biometric security isn't 100% secure with fingerprints. TouchID and FaceID have been hacked successfully.
3) Magic Links Authentication
Magic links allow you to log in without entering a password via a unique web link sent to your email or SMS. Magic links provide a time-sensitive token to replace your password. Once clicked, magic links automatically log you into your platform.
Magic Links Examples:
- Slack app
- Medium account Sign-in
How Magic Links work:
- You register your username or email to access the app.
- The app generates and emails you a unique magic link token when you sign in.
- You click the link, and the app identifies the token and searches its internal database for a match.
- You get authenticated and logged in when a token entry matches.
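The token handling in that flow is where magic links succeed or fail, so here is an added example (not the article's or any vendor's code) of the server side: the link carries a long random token, the database stores only a hash of it with an expiry, and redemption is single-use. The `https://app.example` host and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # assumed policy: a link is valid for 15 minutes


class MagicLinkStore:
    """In-memory stand-in for the app's database of outstanding login links.

    Only SHA-256(token) is stored, so a leaked table does not contain usable
    links; the token itself exists only in the email that was sent."""

    def __init__(self):
        self.pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: float) -> str:
        # 32 random bytes (256 bits): unguessable, so the hash lookup below is
        # safe to do by dictionary key rather than by scanning every row.
        token = secrets.token_urlsafe(32)
        self.pending[self._hash(token)] = (email, now + LINK_TTL_SECONDS)
        return f"https://app.example/login?token={token}"

    def redeem(self, url: str, now: float):
        """Return the email the link authenticates, or None if it is unknown,
        expired, or already used. The entry is removed on first lookup so a
        link can only ever log someone in once."""
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        entry = self.pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None  # expired: dropped from the table, cannot be retried
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com", now=1000.0)
    print(store.redeem(link, now=1060.0))  # alice@example.com
    print(store.redeem(link, now=1061.0))  # None (single use)
```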
Magic Links Security Pros:
- A faster and easier way to sign in.
- Easy authentication. You don't need to worry about password maintenance.
Magic Links Security Cons:
- Magic-link security depends on your email account. If a hacker accesses your inbox, they can log in to any account that uses magic links.
- Emails with Magic links can end up in the spam folder.
- There is a risk of receiving phishing link emails.
Is passwordless authentication safe?
Yes. Passwordless authentication is generally safe and secure, but it's not risk-free. The risks associated with passwordless authentication are the same as those for other methods. If you are using magic links for passwordless authentication, a hacker can easily log in if they can access your email account. However, this risk is the same if you use password authentication - the hacker only needs to click 'reset password' to send the reset link to that email address.
Biometric factors, while more secure, aren't airtight, as they can be stolen or spoofed. If companies store your biometrics, a data breach can provide hackers with troves of data to impersonate everyone in them. In 2019, hackers infiltrated the fingerprint data of more than 1 million people in the BioStar 2 hack. Researchers have fooled fingerprint recognition by creating a synthetic fingerprint using wood glue and Photoshop.
What is Multi-factor Authentication (MFA)?
Multi-factor authentication (MFA) is a security measure that increases the level of protection by requiring two or more verification factors to log in. For example, to log into Gmail with MFA enabled, you'd need to enter your username and password first, then enter a one-time password (OTP) sent to your phone. The extra security decreases the risk of a successful cyberattack, as you'll need to input multiple authentication factors to gain access.
MFA is similar to passwordless authentication in that it can use biometric or possession factors, but MFA still requires a username and password. Passwordless is often faster and more convenient than MFA because it doesn't require a memorized password.
Passwordless MFA combines passwordless with multiple factors for the best of both worlds, providing the highest security level.
How to go passwordless on Windows 10 or 11?
You can go passwordless when using your Microsoft account to sign into Windows with the following approaches:
- Windows Hello (PIN, facial recognition, or fingerprint)
- FIDO2-compliant security key (USB key or an NFC device like a smartphone)
- Microsoft Authenticator app
The passwordless future is almost here, with all the major browser makers, Apple, Microsoft, and Google agreeing to support a standardized passwordless sign-on method. You'll be able to sign in the same way you unlock your phone with a fingerprint, face, or PIN. Passwordless authentication is emerging rapidly as the most secure, convenient approach, so get started today.
*The opinions reflected in this article are the sole opinions of the author and do not reflect any official positions or claims by Acer Inc.
About Robert Stark: Robert is a Taiwan-based writer and digital marketer at iamrobert design. He has a passion for helping people simplify their lives through tech.