Keeping up with password policy is becoming harder, a complaint we hear from client users as well as the broader business and security community. Remembering and managing passwords is a burden, and passwords are also one of the most appealing targets for cybercriminals. So what is the alternative to having a password for each of your accounts? Doing away with them altogether: going passwordless.
What is passwordless authentication?
Passwordless authentication means proving your identity to an account or system without entering a password. With data breaches increasingly exposing stored passwords to unauthorised parties, these methods are considered the more secure alternative, especially when they form part of multi-factor authentication (MFA). Note that a single passwordless method on its own (a magic link, for instance) is still one factor; the gains are greatest when it is combined with a second, independent one.
Different ways to go passwordless
There are many types of passwordless authentication. Let’s take a look at the most popular and widely used methods.
Biometric factors
Also referred to as inherence factors, biometric methods of authentication use our unique physical characteristics to validate identity. Even with increasingly capable artificial intelligence (AI), imitating these characteristics well enough to pass a scanner is difficult, which makes them strong protection for an account. Two caveats apply: biometrics are not secrets and cannot be changed if leaked, so a service should store a matching template (ideally only on the user's own device) rather than raw images or recordings; and any sensor can be presented with a fake, so liveness detection matters as much as the matching itself.
As with a password, the biometric is enrolled at account registration and then used for all future access. Common biometric factors include facial recognition, fingerprint scanning, voice prints and retina scanning.
Possession factors
Also known as ownership factors, this method of authentication grants access via a device belonging to the account owner, most commonly a mobile phone. The device is enrolled when the account is registered; at each login, a single-use code or an approval request is sent to it to validate the individual's identity.
Commonly used possession factors include hardware tokens or mobile devices that generate or receive single-use codes, and authenticator apps that prompt for approval. Access is granted only if the correct code (sent to the owner's phone or generated by the token) is entered into the service, or the request is approved in the app. Codes delivered by SMS can be intercepted through SIM-swap attacks, and both codes and push approvals can be relayed in real time by a phishing page, so app-generated codes or hardware tokens are preferable to SMS, and push prompts should require the user to confirm a number shown on the login screen rather than just tap "approve".
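Authenticator apps and most code-generating hardware tokens produce these single-use codes with the TOTP algorithm (RFC 6238). The following is an added example written for this page, not code from the article or from any product it mentions. It generates and verifies codes with Python's standard library and adds the two server-side checks a practitioner wants alongside a short validity window: a one-step tolerance for clock drift, and rejection of any code that has already been accepted. The secret used in the demo is the RFC test-vector secret, constructed for illustration; real enrolment generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the original article. Implements TOTP
# (RFC 6238: HMAC-SHA1, 6 digits, 30-second steps), the scheme used by
# authenticator apps and most hardware code generators, plus the server-side
# checks that make one-time codes actually one-time.

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Time-based OTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side state for one user's token: the secret and the last step used."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps   # accept this many steps of clock drift either way
        self.last_step = -1            # highest time step already spent on a login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            # Single use: a step at or below the last accepted one is a replay.
            if step <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test secret, constructed for the demo
    now = int(time.time())
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The verifier also needs a per-user attempt limit (a six-digit code has only a million possibilities) and the secret must be stored as carefully as a password hash would be, since anyone holding it can generate codes at will.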
Magic links
One-time 'magic' links use the account owner's registered email address to complete a login. When a user registers for a service, their email address is collected and validated. At each subsequent login the service emails a single-use link to that address, and access is granted once the link is opened. Because the link is the credential, the security of this method rests on the security of the user's mailbox and on the token in the link being long, random and unguessable.
If unused, a magic link expires after a set period, typically anywhere from 10 minutes to 24 hours. Once the expiry time has elapsed, a new link must be requested.
Advantages of going passwordless
There are a number of reasons why the security posture of an individual or organisation can be significantly improved by passwordless authentication, whether for access to websites, applications or devices. The benefits include:
- Enhanced cybersecurity. With no password to share, users cannot hand one to another party or reuse it across accounts, so a breach of one service cannot be replayed against others (credential stuffing). Attacks that depend on stealing or guessing a stored password are removed entirely. Passwordless methods are not immune to phishing, however: a one-time code or magic link can still be relayed by a fake login page, which is why the factor should be combined with others.
- Sign-on simplification. Registering and signing in become simpler for both users and organisations. Users no longer have to remember a growing list of passwords. For organisations and employers, the routine of periodic password changes can be streamlined or eliminated, easing security compliance and reducing the cost of password resets, support tickets and related compliance work.
- Improved user satisfaction. A streamlined and convenient sign-up process improves the overall experience of any platform or service. Validating identity is simpler when a user does not have to invent a password that satisfies preset complexity requirements, and businesses reduce the risk of prospective customers abandoning sign-up out of frustration with the initial authentication conditions.
Passwordless authentication best practices
Although these methods are considered superior to the password they replace, best practices still apply, as with any other means of authentication.
- Possession/ownership factors: Use a reputable authenticator app or hardware token in preference to SMS where possible, and accept only the most recently issued single-use code. Administrators should keep the validity time of a code or authentication request as short as is reasonable, limit the number of attempts per code, and train users to treat an approval prompt they did not trigger as a sign of an attack rather than something to approve.
- Biometric factors: Users should not share their fingerprint or facial data, nor enrol anyone else's biometrics on their own device. A backup method is needed to handle sensor malfunctions. Where available, a service should prioritise biometrics that are harder to spoof, such as palm vein scanning, and sensors with liveness detection.
- Magic links: Ensure the email delivery service sends the one-time links promptly, since a link that arrives late is one that expires unused. As with possession factors, keep the expiry period as short as is reasonable, make each link single-use, generate the token with a cryptographically secure random generator, and store only a hash of it on the server. Avoid message-threading frustration for the user by giving each email a unique subject line along with its unique link.
- Combine with multi-factor authentication (MFA): Pairing a passwordless method with a second, independent factor (a possession factor alongside a biometric, for example) substantially increases the security of your service or application, because an attacker must then defeat both.
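The magic-link flow described above, together with the single-use, short-expiry and hashed-storage practices in the list, as an added example written for this page rather than code from the article or any product it mentions. The verify URL, the 15-minute lifetime and the demo email address are assumptions chosen for illustration, and an in-memory dictionary stands in for the database table a real service would use.

```python
import hashlib
import secrets
import time

# Added example, not code from the original article. Server side of a
# one-time "magic" link: a random, single-use token stored only as a hash,
# expiring after a short window and invalidated the first time it is used.

LINK_TTL_SECONDS = 15 * 60                      # expiry; the article's range is 10 min to 24 h
BASE_URL = "https://example.com/login/verify"   # hypothetical URL, not a real endpoint


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not contain usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkService:
    def __init__(self):
        self._pending = {}   # token hash -> (email, expiry time)

    def issue(self, email: str, now: float):
        """Create a fresh link for a registered address.

        Returns (link, subject). The subject carries a random reference so
        successive emails do not thread together in the user's mail client."""
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._pending[_hash_token(token)] = (email, now + LINK_TTL_SECONDS)
        link = f"{BASE_URL}?token={token}"
        subject = f"Your sign-in link (ref {secrets.token_hex(3)})"
        return link, subject

    def redeem(self, token: str, now: float):
        """Return the authenticated email, or None if the token is unknown,
        expired or already used. The entry is removed on every attempt, so a
        token is consumed whether or not the login succeeds."""
        entry = self._pending.pop(_hash_token(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email


if __name__ == "__main__":
    svc = MagicLinkService()
    link, subject = svc.issue("alice@example.com", time.time())   # constructed demo address
    print(subject, link)
    token = link.split("token=", 1)[1]
    print("first click:", svc.redeem(token, time.time()))    # the email address
    print("second click:", svc.redeem(token, time.time()))   # None: link already used
```

Looking the token up by its hash means an attacker who can measure response times learns nothing about the token itself, and the `pop` makes replay impossible even if two requests race. A production service would also rate-limit issuance per address so the login form cannot be used to flood a mailbox.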
As technology advances to keep pace with evolving cyber threats, it has become critical to adopt less traditional and more secure methods of authentication and identity validation.
Businesses and organisations that adopt passwordless authentication are a step ahead of their competitors, providing not only a more robust security environment but also a simpler and more seamless user experience.
To learn more about MyEmpire Group’s services, including how we can help you enhance and protect your business’s methods of user authentication, reach out to our team of cyber security specialists.