Is Authentication Without a Password Secure?
Usernames and passwords have long been the standard when it comes to authentication, but it’s become very clear that this approach to security is fundamentally broken. The good news? Modern authentication technologies are making it possible to secure access in new ways and finally leave passwords behind.
MFA leads the way
The secret to doing away with the current approach to user access lies in multi-factor authentication (MFA). MFA reduces the security risks inherent to single-password authentication solutions by soliciting at least one more security factor. Common examples include a One-Time Pin (OTP) via SMS or voice, specialized mobile apps, and fingerprint scanners. When it comes to these factors, though, there is a sliding scale of assurance. Some of these are quite obviously more secure than others:
Least secure: Knowledge factors, like your password and secret question. If anyone knows, guesses, or harvests this information, your identity is as good as theirs. Users typically also reuse passwords across multiple apps, meaning that a single breach can have a ripple effect across networks and applications.
Less secure: Possession factors. These include OTPs, authentication apps, and hardware like tokens and USBs. These are safer than passwords, since you’re much more likely to uniquely “own” this security information
Most secure: Inherent factors—essentially, biometric traits. These are undeniably linked to a person’s unique identity, and are therefore the most reliable authentication methods. Examples here would be a fingerprint or retinal scanner
How secure is passwordless authentication?
Passwordless authentication is already a reality. Some devices have built-in fingerprint readers that provide users with immediate access to their mobile phone or laptop; Apple’s Touch ID is an excellent example. Windows Hello, meanwhile, uses a device’s built-in camera to authenticate users via facial recognition.
While authentication through factors like fingerprinting and facial recognition are a vast improvement over the typical approach of username and password, they don’t necessarily eliminate risk completely.
Possession factors, such as SIM cards and USB devices, can still be cloned, lost, or stolen.
Inherent factors can also end up in the public domain. We leave our fingerprints on every surface we touch, and our faces are in photographs and online images. Again, fooling a fingerprint reader or facial recognition camera may be more of a challenge than brute-forcing a password login screen, but it’s still possible—and it only has to happen once.
Authentication with a password is not secure. Traditionally, MFA solutions have been used in conjunction with passwords, but this doesn’t necessarily have to be the case. In fact, it shouldn’t be. We should be moving towards other variations of possession and biometric factors, combined with security context, to ensure that logins are secure.
Context is everything
The challenge, of course, is balancing user experience with security. MFA is great for keeping data secure, but it’ll drive users up the wall if two (or more) factors are demanded with each login. To make MFA as frictionless as possible, contextual access management is needed. It’s important to look at the behavior of a user, and to modify authentication policies to suit perceived risk.
Okta’s Adaptive MFA solution, for instance, analyzes the contextual elements of a login—like the device, network, location, and time of day, and then rates the risk. Based on a set of predetermined policies, and taking live threat metrics from Okta ThreatInsight into account, Adaptive MFA can grant or deny access, or prompt for an additional authentication factor.
Adaptive MFA has the ability to reduce login friction—and even provide a secure passwordless experience—by basing authentication on context. If someone logs in from a known device and location, Adaptive MFA can be configured to prompt for a single authentication factor. If the user signs in from an unknown location or device, however, Adaptive MFA can also prompt the user to provide a second selected authentication factor.
Authentication without a password can be secure, but it requires a new approach to security—one that looks at the context of every login and adjusts MFA to suit the situation.