Passwordless authentication is an emerging authentication method that has been gaining traction as of late. In this post, we’ll explore what passwordless authentication is, the usability and security challenges that passwords present, and the benefits of passwordless authentication.
What is passwordless authentication?
At a basic level, passwordless authentication is any method of verifying a user without requiring the user to provide a password.
Proving the user’s identity can instead be done with an alternative factor: a possession factor (a mobile authenticator app, a hardware token, a one-time password), a biometric, or, in less than ideal cases, a knowledge factor (a PIN, a passphrase, etc.).
You’re probably already familiar with some forms of passwordless from everyday use like logging into an app using FaceID on iOS, Android fingerprint authentication, and logging into your laptop via Windows Hello. But why is passwordless authentication gaining traction?
The problems with passwords
Passwords as a means of authentication have come under increased criticism of late, for a few reasons:
Passwords hurt user experience
The average American internet user has 150 online accounts that require a password, and this number is expected to grow to 300 by 2022. Keeping track of all of these credentials is a significant challenge for the average user. And adding to the hassle is the fact that password complexity requirements often vary by application.
You’ve probably seen password requirements like:
Meanwhile, another tool has a completely different set of requirements:
We’re only human. And over time, the probability of us remembering the passwords to all these accounts decreases, which can seriously hinder user experience and productivity.
Analyzing data from 4,013 workers across the UK, France, and the Netherlands, Okta’s Passwordless Future Report discovered that nearly 50% of users feel annoyed or hassled by passwords. What’s more, when people forget their passwords, 19% experience a delay in their work, and 37% are locked out of their account completely. Not an ideal user experience.
Passwords can hinder user security
Ironically, passwords can actually be an inadvertent detriment to user security in the following ways:
- Passwords are a common avenue for identity attacks: According to Verizon’s Data Breach Investigations Report in 2018, 81% of hacking-related breaches resulted from weak, stolen, or reused passwords. Threats like man-in-the-middle and man-in-the-browser attacks aim to take advantage of users by mimicking a login screen and encouraging the user to enter their passwords. By requiring a password, service providers inadvertently put users at heightened risk of these types of threats.
- Password reuse is rampant and increases downstream risk: In Okta’s password survey, 34% of those surveyed say they use the same passwords for multiple accounts. But when major data breaches occur, such as with Marriott International (383 million users impacted) or MyFitnessPal (150 million users impacted), bad actors often purchase the username and password data of these compromised accounts on the dark web. From there, they are free to launch credential stuffing attacks against compromised users, applying large volumes of these compromised credentials to other accounts en masse to see what other apps and services they can gain access to. Ergo, if your users reuse passwords, they are at a much higher risk of credential stuffing.
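Credential stuffing has a recognisable shape in authentication logs, and as an added example (not from the original post or from Okta) the detection below runs over a few constructed login events in a made-up `ip=... user=... result=...` format. The distinguishing signal is not failures on one account (that is a user mistyping their own password) but many different usernames tried from one source in a short window, mostly failing, with the occasional success where a victim reused a breached password. The addresses are documentation ranges and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format and sample data (TEST-NET addresses); not from any real system.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:02Z ip=203.0.113.7 user=bob result=OK
2024-03-01T09:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:04Z ip=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T09:00:06Z ip=203.0.113.7 user=frank result=FAIL
2024-03-01T09:01:10Z ip=198.51.100.20 user=alice result=FAIL
2024-03-01T09:01:25Z ip=198.51.100.20 user=alice result=OK
2024-03-01T09:02:00Z ip=192.0.2.5 user=grace result=OK
2024-03-01T09:02:30Z ip=192.0.2.5 user=heidi result=OK
"""


def parse_events(lines):
    """Yield (timestamp, ip, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.8,
                               window=timedelta(minutes=10)):
    """Flag source IPs that try many distinct usernames, mostly failing, within `window`.

    Returns {ip: summary}. The summary lists accounts that accepted a stuffed
    credential; those are the ones to step up or reset first.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0,
                                  "successes": set(), "first": None, "last": None})
    for ts, ip, user, result in parse_events(lines):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if (len(s["users"]) >= min_users
                and fail_ratio >= min_fail_ratio
                and s["last"] - s["first"] <= window):
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_accounts": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

In the sample, `198.51.100.20` (one user, one typo, then success) and `192.0.2.5` (two colleagues, both succeeding) are left alone, while `203.0.113.7` is flagged and `bob` surfaces as the account whose reused password worked. Real campaigns spread attempts across many IPs to stay under per-source thresholds, so production detection pairs this with per-account signals (logins for one user from many sources) and with rate limits, but the per-source view is the simplest first check.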
When breaches do occur, the consequences can be catastrophic. The average cost of a stolen record is $148, and the total cost incurred from a data breach averages at $3.86m.
The benefits of going passwordless
Passwordless authentication has gained traction because of its significant benefits in security and usability, including:
- Threat-resistant login options: Because there are no passwords to type, the likelihood of being phished is reduced. This also means users are protected from man-in-the-middle, man-in-the-browser, and other replay attacks that rely on passwords.
- Visibility and control for admins: Passwords are reused, phished, and stolen. When implementing passwordless authentication, admins control the security of their org and gain visibility into the specific factors in use per user.
- Scalability: Delivering a passwordless experience through factors that end users already possess, such as their mobile device (biometrics and mobile authenticator apps) or their laptop (e.g. Windows Hello and fingerprint on macOS), means easier scalability for users within your workforce and customer base.
- Lower total cost of ownership: Passwords require constant monitoring and maintenance (especially if you have not enabled self-service password resets). Eliminating passwords and allowing end users to recover their own accounts using factors they have enrolled in helps to reduce support ticket numbers.
- A great user experience: Users no longer need to remember and update complex password combinations just to be productive.
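The "threat-resistant login" bullet above rests on two properties that are easy to see in code: a fresh, single-use challenge defeats replay, and binding the device's answer to the site's origin defeats a lookalike login page. The following is an added example, not code from the original post or from Okta, modelling a possession factor as a hypothetical challenge-response scheme with a per-device symmetric secret and HMAC; FIDO2/WebAuthn achieves the same binding with a signature from a device-held private key, and the origin `login.example.com` and the lookalike hostname are assumed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed relying-party origin for this example.
RP_ORIGIN = "https://login.example.com"


def prove_possession(device_secret: bytes, nonce: str, origin: str) -> str:
    """The device's answer: a MAC over the server's nonce AND the origin the device
    believes it is talking to. Hypothetical symmetric scheme; WebAuthn signs the same
    pair with the credential's private key."""
    msg = f"{origin}\n{nonce}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class Device:
    """Authenticator holding a secret that never leaves the device."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def respond(self, nonce: str, origin_seen: str) -> str:
        return prove_possession(self.secret, nonce, origin_seen)


class Server:
    """Relying party: enrolled device secrets plus outstanding single-use challenges."""
    def __init__(self, origin: str = RP_ORIGIN):
        self.origin = origin
        self.devices = {}      # device_id -> secret recorded at enrollment
        self.challenges = {}   # nonce -> (device_id, expiry on the monotonic clock)

    def enroll(self, device_id: str, device: Device) -> None:
        self.devices[device_id] = device.secret

    def issue_challenge(self, device_id: str, ttl_s: float = 60) -> str:
        nonce = secrets.token_hex(16)          # unpredictable and never reused
        self.challenges[nonce] = (device_id, time.monotonic() + ttl_s)
        return nonce

    def verify(self, device_id: str, nonce: str, response: str) -> bool:
        entry = self.challenges.pop(nonce, None)   # pop: each nonce is accepted once
        if entry is None or entry[0] != device_id or time.monotonic() > entry[1]:
            return False
        # The server always checks against ITS OWN origin; a response computed for
        # any other origin cannot match, however it was obtained.
        expected = prove_possession(self.devices[device_id], nonce, self.origin)
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Exercise the scheme against a legitimate login, a replay, a relayed login
    through a lookalike page, and a blind forgery."""
    server, phone = Server(), Device()
    server.enroll("phone-1", phone)

    n1 = server.issue_challenge("phone-1")
    r1 = phone.respond(n1, server.origin)
    legitimate = server.verify("phone-1", n1, r1)
    replay = server.verify("phone-1", n1, r1)            # same capture resent

    n2 = server.issue_challenge("phone-1")
    r2 = phone.respond(n2, "https://login.example.com.evil.test")  # origin the browser saw
    relayed = server.verify("phone-1", n2, r2)           # MAC covers the wrong origin

    n3 = server.issue_challenge("phone-1")
    forged = server.verify("phone-1", n3, "00" * 32)     # no secret, no valid answer

    return {"legitimate": legitimate, "replay": replay,
            "relayed_via_lookalike": relayed, "forged": forged}


if __name__ == "__main__":
    print(run_scenarios())
```

Compare this with a password: the same string is valid on every login and to whichever page receives it, so a lookalike page can collect it and a captured copy can be reused. Here the secret never leaves the device, every answer is tied to one nonce, and the answer is only valid for the origin the device actually saw, which is what the post means by login options that resist phishing, man-in-the-middle and replay.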
Look for more blog posts on how to get started with Passwordless Authentication soon! In the meantime, check out our whitepaper on Moving Beyond Passwords for more information.