Why Your Customers Need Passwordless Authentication

In today’s threat landscape, passwords have become increasingly ineffective for protecting customer authentication and data—and they’re also unintended inhibitors for user experience. As such, it’s not surprising that many organizations are exploring passwordless authentication as a more secure, user-friendly alternative.

In our previous post in this series on going passwordless, we explored the basics of passwordless as an emerging authentication method.

In this post, I’d like to specifically focus on how passwordless authentication can help customer-facing organizations. I’ll break down the security, business, and technical problems that password-based authentication exposes organizations and their customers to. I’ll offer some insight into how passwordless can help and some options to consider when rolling out passwordless authentication.

The authentication situation

As a customer-facing organization, you want your users’ experiences to be as pleasant and secure as possible. But passwords actually inhibit these goals in a number of ways.

Security problems

As counter-intuitive as it sounds, passwords can actually hinder the security of your users, making users vulnerable to techniques like phishing, credential stuffing, brute force, and dictionary attacks.

Upping the risk, many people use common or predictable passwords, use insecure methods to try and remember them, and leverage insecure account or password recovery mechanisms. In fact, 81% of breaches in 2017 were a result of weak, stolen, or reused passwords. Even security professionals are guilty of the bad password reuse habit; 45% of infosecurity professionals have admitted that even they recycle passwords across multiple logins.

Many users may think that this is a harmless way to remember their credentials, but in reality it makes them particularly vulnerable to credential stuffing, a hacking technique wherein credentials that have been compromised in data breaches are then used in automated brute-force attacks across several different accounts.

Business problems

Many businesses lose customers at their login page because their authentication methods are too clunky and don’t provide streamlined user experiences. In fact, 71% of customers will abandon a website at the first sign of friction. For example, users trying to access their e-commerce account might rethink their impulse purchase if they have to go through the hassle of entering their user credentials.

This reality makes usability a top priority for customer-facing businesses—78% of organisations believe customer experience is core to the success of their digital experiences. Otherwise, they face the possibility of negative customer interactions impacting their bottom line.

Technical problems

Not all passwordless authentication methods work for all users. The truth of the matter is that not all users have access to modern devices that support built-in FIDO2 authenticators like TouchID, and not all browsers support FIDO or WebAuthn.

On top of that, some mobile applications use embedded browser views that depend on legacy unsupported browsers. This makes it necessary for businesses to have a flexible, simplified approach to authentication that doesn’t disrupt the login experience.

Solving the authentication dilemma

Moving beyond passwords means adopting a number of authentication methods that address the needs of various users. As such, it makes sense to incorporate passwordless practices in a gradual approach that progressively addresses the considerations of your business. Start by considering the following factors:

• Threats: Assess the specific threats facing your organization, from credential breaches and password spraying to man-in-the-middle, man-in-the-browser, and brute-force attacks. Identify which passwordless methods could help you mitigate these concerns.
• Technology: Consider your company’s approach to technology and the specific technologies required to counter these attacks, such as browser support, platform authenticators, and external authenticators. How well would these work together
• Costs: As an organization, you need to factor in costs associated with authentication. These include support costs associated with credential management and the savings associated with going passwordless, security incident costs due to weak or compromised credentials, or even the value stored in compromised accounts.
• User journey: Evaluate the apps, devices, and browsers that users are employing when they engage with your service, and how they will navigate this technology.

Once you’ve assessed these three components, you can begin implementing approaches that provide customers with passwordless authentication experiences. These include...

Factor sequencing

With factor sequencing, users can bypass password usage completely and log into applications with just their username and any high assurance factor like Okta Verify, OTP codes, biometric authenticators, etc. Admins can even create a custom sequence of multiple factors that best suit their users.

WebAuthn

As the new global standard of web-based passwordless authentication, WebAuthn is a browser-based API that simplifies authentication with a public key cryptography and protects users from phishing and other common security attacks. Companies can use WebAuthn authenticators like TouchID or FaceID as a standalone solution or combine it with other non-password factors such as Okta Verify, depending on their security assurance needs.

Email Magic Link

This is an authenticated URL that can be sent to users and customers to authenticate their login attempts in one click. Email Magic Links provide seamless login experiences without the burden of passwords. This is ideal for applications that require infrequent authentication, for encouraging users to leverage higher assurance passwordless methods, and for bootstrapping users or for access without any device dependency.

Biometric factors

Biometric traits are unique, can’t be forgotten, and can’t easily be shared. Biometrics are also simple for users, who can provide secure authentication with a simple swipe of the finger or by looking into their phone camera. However, there are limitations, such as hardware dependency and the inability to change a biometric factor should biometric records be stolen.

Using centralized identity management solutions like Okta’s Integration Network, companies can integrate these third-party passwordless authentication factors as part of their broader security initiatives.

Embrace customer-friendly authentication

Digital services no longer have to make the tough choice between prioritizing user experiences or the security of their systems, networks, and data. Passwordless authentication using security keys is 100% effective against all types of identity attacks and faster than any other method, meaning there’s no need to forego security to ensure you have happy customers.

For more information on how Okta can get your enterprise started with passwordless authentication, read our whitepaper, Move Beyond Passwords.

For additional content on passwordless authentication check out these resources:

• What Is Passwordless Authentication? - Blog Post
• Passwordless Authentication: Where to start - Blog Post
• The Passwordless Future Report - Report
• Is Passwordless Authentication Actually Secure? - Blog Post
• How to Go Passwordless with Okta - Whitepaper