What is Passwordless Authentication?
To start, we should define some key terms. Authentication is the process of verifying that a user is who they claim to be. This is in contrast to authorization, which determines what an authenticated user is allowed to do (e.g. a base user vs. an admin user). Within authentication, there are three types or “factors” that can be used: something you know, something you have, and something you are.
Something you know:
- Passwords/PINs
- Security Questions
Something you have:
- A device
- Physical security key
- Access to an account (email, phone number)
Something you are:
- Fingerprint
- Facial recognition
- Iris scan
Each of these factors comes with its own advantages and disadvantages, which is why multi-factor authentication is frequently used to increase security. By requiring more than one factor, a single compromise (a leaked password, a stolen device) is no longer enough to take over the account on its own. However, this doesn’t mean that all factors should be treated equally, as some are much easier for attackers to bypass than others: a code sent over SMS, for instance, can be phished or intercepted through SIM swapping, while a hardware security key cannot be phished.
Problems with password-based authentication
Passwords have long been the standard for authentication on the internet for several reasons, including the relative ease of implementation for developers and user familiarity. The result is that users on average need to remember 70-80 different passwords across all their accounts. In theory, a strong, unique password provides reasonably good security, as long as the user is diligent about where they enter it.
However, this is where the password-based system begins to break down. People simply don’t have the ability or desire to memorize 70-80 unique passwords made up of sufficiently random characters. This leads many users to reuse the exact same password, or slight variations of a base password, across sites. The problem then is that all of their accounts are at risk as soon as that reused password is compromised anywhere, because attackers routinely try credentials leaked from one breach against every other popular site (credential stuffing).
Even if someone uses a unique password for every site, they are still vulnerable to phishing attacks, where a user is tricked into entering their password or other personal information on a fake site designed to look like the original. This is often done using an email telling the user that they urgently need to reset their password to secure their account. These emails usually contain a link to a site that looks right at first glance but has a slightly different URL from the original. The root problem is that a password is a shared secret that works wherever it is typed, so it is left to the user, not the system, to notice the wrong domain. The increasing prevalence of phishing is yet another reason to move away from passwords, and an even stronger reason to never reuse passwords between sites.
A common objection to moving towards passwordless authentication is that password managers already solve the problem. While password managers certainly improve a user’s ability to use strong, unique passwords for all their accounts, still fewer than 50% of people in the US use one. This creates a problem for those designing a site’s authentication system: how do you protect the more than 50% of Americans who do not use one from the consequences of weak or reused passwords?
Current Passwordless & MFA Solutions
MFA, and some passwordless flows, are often implemented with authenticator apps such as Duo or Google Authenticator, which either generate time-based one-time codes (TOTP) or send a push notification that the user approves on their phone. These solutions prevent attackers from gaining access to an account using only a compromised password and provide substantial security benefits from doing so. However, they aren’t perfect. Push-based approval in particular leaves users vulnerable to “MFA fatigue” (also called push bombing): an attacker who already has the password triggers login attempt after login attempt, so the user receives prompt after prompt until they approve one just to stop the notifications, not realizing that they have handed the attacker access to their account. Code-based apps are not subject to fatigue, but their codes can still be phished in real time by a proxy site that relays whatever the user types. Standard mitigations for push fatigue are number matching (the user must type a number shown on the login screen into the prompt), showing the requesting location in the prompt, and rate-limiting or alerting on repeated denied prompts.
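The alerting side of that last mitigation, as an added example that is not code from the original post or from any vendor's product: a small Go program that scans authentication log lines for the push-bombing pattern, a run of denied or timed-out prompts for one user inside a short window, and records whether an approval landed in the same window (the signature of a fatigue attack that worked). The log format, user names, IP addresses and thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log (not from any real product): one line per event,
// RFC 3339 timestamp followed by key=value fields. Non-push events are ignored.
const sampleLog = `2024-05-01T10:00:05Z user=alice event=push result=denied ip=203.0.113.7
2024-05-01T10:00:41Z user=alice event=push result=timeout ip=203.0.113.7
2024-05-01T10:01:12Z user=alice event=push result=denied ip=203.0.113.7
2024-05-01T10:02:30Z user=alice event=login result=failed ip=203.0.113.7
2024-05-01T10:03:02Z user=alice event=push result=approved ip=203.0.113.7
2024-05-01T11:30:00Z user=bob event=push result=denied ip=198.51.100.2
2024-05-01T11:30:45Z user=bob event=push result=approved ip=198.51.100.2`

type pushEvent struct {
	at     time.Time
	user   string
	result string // approved, denied or timeout
}

// parseLine extracts a push event; malformed lines and other event types are skipped.
func parseLine(line string) (pushEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return pushEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return pushEvent{}, false
	}
	ev := pushEvent{at: at}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "event":
			if v != "push" {
				return pushEvent{}, false
			}
		case "user":
			ev.user = v
		case "result":
			ev.result = v
		}
	}
	return ev, ev.user != "" && ev.result != ""
}

type Alert struct {
	User          string
	Unapproved    int  // denied or timed-out prompts inside the window
	ApprovedAfter bool // an approval landed in the same window: likely a successful fatigue attack
}

// DetectPushBombing flags every user who received at least threshold prompts that were
// denied or timed out within window. Legitimate users almost never deny several prompts
// in a row, so the signal is strong even at low thresholds.
func DetectPushBombing(lines []string, window time.Duration, threshold int) []Alert {
	byUser := map[string][]pushEvent{}
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			byUser[ev.user] = append(byUser[ev.user], ev)
		}
	}
	var alerts []Alert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		for i, first := range evs {
			if first.result == "approved" {
				continue // a window of interest starts at an unapproved prompt
			}
			a := Alert{User: user}
			for _, ev := range evs[i:] {
				if ev.at.Sub(first.at) > window {
					break
				}
				if ev.result == "approved" {
					a.ApprovedAfter = true
				} else {
					a.Unapproved++
				}
			}
			if a.Unapproved >= threshold {
				alerts = append(alerts, a)
				break // one alert per user is enough for triage
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	for _, a := range DetectPushBombing(strings.Split(sampleLog, "\n"), 5*time.Minute, 3) {
		fmt.Printf("user=%s unapproved=%d approved_after=%v\n", a.User, a.Unapproved, a.ApprovedAfter)
	}
}
```

On the constructed log, alice trips the rule (three unapproved prompts in under three minutes, then an approval) and bob does not (one denial followed by an approval). In production the same rule is usually paired with an automatic response, such as revoking the session that was approved inside an alerting window and forcing the user to re-enrol.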
Other purely passwordless solutions use some form of one-time password (OTP) to authenticate a user. These are usually sent via SMS or email and involve the user entering the code they receive or clicking on a “magic link” that contains the code and takes them to the site. One downside of these approaches is the cost of sending an SMS every time a user signs in. The more serious one is that they are not phishing-resistant: the user is still asked to hand a secret to whatever site they happen to be on, so a code or link can be relayed by a fake site just like a password, and SMS delivery can additionally be hijacked through SIM swapping. Email-based links are only as secure as the user’s mailbox.
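Whatever the delivery channel, the server-side handling of these tokens decides whether they are merely weak or actually broken. The following Go code is an added example, not code from the original post: a minimal store for magic-link tokens and 6-digit codes that applies the controls a practitioner expects (256-bit random link tokens, hash-only storage, expiry, single use, and a guess cap for the short code, which has only a million possible values). The `Store` type, its field names, the `ErrInvalidToken` error, the 10-minute TTL and the verify URL are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrInvalidToken = errors.New("invalid, expired or already-used token")

const maxCodeAttempts = 5 // wrong guesses allowed before a 6-digit code is destroyed

type pendingLink struct {
	email   string
	expires time.Time
}

type pendingCode struct {
	code     string
	expires  time.Time
	attempts int
}

// Store stands in for the database table a real deployment would use.
// Now is a field so tests can move the clock.
type Store struct {
	TTL   time.Duration
	Now   func() time.Time
	links map[[32]byte]*pendingLink // keyed by SHA-256 of the raw link token
	codes map[string]*pendingCode   // keyed by email address
}

func NewStore(ttl time.Duration) *Store {
	return &Store{TTL: ttl, Now: time.Now, links: map[[32]byte]*pendingLink{}, codes: map[string]*pendingCode{}}
}

// IssueLink creates a 256-bit token for email and returns its URL-safe form for the
// magic link. Only the hash is stored, so a leaked table yields no working links.
func (s *Store) IssueLink(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s.links[sha256.Sum256(raw)] = &pendingLink{email: email, expires: s.Now().Add(s.TTL)}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// RedeemLink returns the email the token was issued for, once and only before expiry.
// A 256-bit token cannot be guessed, so no attempt counter is needed here.
func (s *Store) RedeemLink(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", ErrInvalidToken
	}
	key := sha256.Sum256(raw)
	p, ok := s.links[key]
	if !ok || s.Now().After(p.expires) {
		return "", ErrInvalidToken
	}
	delete(s.links, key) // single use: a second click, or a replay, fails
	return p.email, nil
}

// IssueCode creates a 6-digit code of the kind sent by SMS. With only a million
// possible values, the guess cap in RedeemCode is the control that matters.
func (s *Store) IssueCode(email string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.codes[email] = &pendingCode{code: code, expires: s.Now().Add(s.TTL)}
	return code, nil
}

// RedeemCode accepts the code once, rejects it after expiry, and destroys it after
// maxCodeAttempts wrong guesses so the code cannot be enumerated.
func (s *Store) RedeemCode(email, code string) error {
	p, ok := s.codes[email]
	if !ok || s.Now().After(p.expires) {
		return ErrInvalidToken
	}
	p.attempts++
	if p.attempts > maxCodeAttempts {
		delete(s.codes, email)
		return ErrInvalidToken
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(p.code)) != 1 {
		return ErrInvalidToken
	}
	delete(s.codes, email)
	return nil
}

func main() {
	s := NewStore(10 * time.Minute)
	tok, _ := s.IssueLink("alice@example.com")
	fmt.Println("link: https://example.com/login/verify?token=" + tok) // assumed URL
	email, err := s.RedeemLink(tok)
	fmt.Println("first click:", email, err)
	_, err = s.RedeemLink(tok)
	fmt.Println("second click:", err)
}
```

Two operational points follow from the single-use rule. Mail security gateways often pre-fetch every link in an incoming message, which would consume the token before the user sees it, so many deployments land the user on a page with a confirm button and only redeem the token on that POST. And because the token is tied to an email address rather than a browser session, the page that finishes the login should establish a fresh session rather than upgrading whichever one happened to open the link.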
Future of Passwordless Authentication
As the internet moves away from password-based authentication, many companies look towards new solutions that leverage the capabilities of modern devices. One such solution is WebAuthn, a specification written by the W3C together with the FIDO Alliance. Instead of a shared secret, each site gets its own public/private key pair, generated and kept on the user’s device (today usually called a passkey); the site stores only the public key, and at each login the device signs a fresh challenge from the server. The on-device biometric (Apple Face ID and Touch ID, Windows Hello, etc.) or device PIN only unlocks that private key locally: the biometric data never leaves the device and the site never sees it. This greatly simplifies the user experience and is highly flexible across devices, as it can use whichever unlock mechanism a particular device has. Additionally, it protects the user from phishing, because the credential is bound to the site’s domain (the relying party ID): the browser will only use it on the origin it was created for, and the server checks the origin and domain hash carried inside the signed response, so a look-alike site cannot obtain a signature that the real site would accept.
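To make that origin binding concrete, here is an added Go example (not code from the original post, and not a WebAuthn library's code) that models the login ceremony on both sides: a platform authenticator signing a server challenge, and the relying party's verification of the result. The relying party ID `example.com`, the origin `https://example.com` and the look-alike `examp1e.com` are assumptions. The checks follow the WebAuthn assertion verification steps, simplified to a single ECDSA P-256 credential with CBOR encoding, attestation and credential-ID lookup left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party settings (constructed for this example).
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData holds the CollectedClientData fields the server must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the site.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over authData || SHA-256(clientDataJSON)
}

// authenticator models a platform authenticator holding one registered key. The
// browser, not the site, supplies origin and rpId; the biometric only unlocks priv.
type authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

func newAuthenticator() *authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &authenticator{priv: priv}
}

func (a *authenticator) sign(browserOrigin, browserRPID, challenge string) assertion {
	a.signCount++
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(browserRPID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags UP|UV (user present and verified), then 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// NewChallenge returns a fresh random challenge the server keeps in the session
// and accepts exactly one assertion for.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// VerifyAssertion runs the relying party checks that make WebAuthn phishing-resistant
// and returns the new signature counter to store for this credential.
func VerifyAssertion(pub *ecdsa.PublicKey, storedCount uint32, expectedChallenge string, as assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	wantRP := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return 0, errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rpOrigin:
		return 0, fmt.Errorf("origin %q is not this site: likely phishing", cd.Origin)
	case len(as.AuthData) < 37:
		return 0, errors.New("authenticator data too short")
	case string(as.AuthData[:32]) != string(wantRP[:]):
		return 0, errors.New("rpIdHash mismatch: credential scoped to another domain")
	case as.AuthData[32]&0x05 != 0x05:
		return 0, errors.New("user presence and user verification flags required")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count != 0 && count <= storedCount { // 0 means the authenticator keeps no counter
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return 0, errors.New("bad signature")
	}
	return count, nil
}

func main() {
	auth, ch := newAuthenticator(), NewChallenge()
	_, err := VerifyAssertion(&auth.priv.PublicKey, 0, ch, auth.sign("https://examp1e.com", "examp1e.com", ch))
	fmt.Println("assertion produced on look-alike site:", err)
}
```

The phishing case is the interesting one. In a real browser the user on `examp1e.com` would not even be offered the credential, because it is scoped to `example.com`; the example forces the signature anyway to show that the server still rejects it, since the origin and rpIdHash it checks were written by the browser into the signed data, not chosen by the page. The challenge check is what stops a captured assertion from being replayed, and the counter check is a weak but free signal that a private key was copied out of a device.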
Other biometric solutions that use the camera of a device can also be valuable, as they not only help ensure that the user is the person who created the account, but can also verify that the user is unique to the site (i.e. not a bot or spammer). This approach uses facial recognition/comparison as well as liveness detection to verify the identity of a user. The trade-off is that, unlike WebAuthn, the site itself now holds a biometric template, which must be protected like any other highly sensitive secret and, unlike a password, cannot be rotated if it leaks.
Another solution to authentication that acts as somewhat of a meta-approach is behavior-based authentication (i.e. dynamic risk assessment). This involves looking at several factors such as the device used, the location of the user, and many other attributes of the login attempt to determine the associated risk and thus the level of verification that the user must complete. The most basic example of this is remembering devices and requiring a user to verify via email or phone when a login attempt is made from a new device. By tailoring the authentication steps that a user must go through to the level of risk, behavior-based authentication avoids many of the problems described above, including MFA fatigue (prompts are only sent when the risk warrants them, and clearly hostile attempts can be blocked without prompting the user at all), while still creating sufficient barriers for potential attackers and limiting single points of failure.
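An added example of that idea, not code from the original post: a small risk scorer in Go that turns the attributes described above (remembered device, country change, how quickly the location changed, and password-guessing pressure against the account) into a decision about which verification to demand. The signal weights, the thresholds, the `Attempt` and `History` types and the sample values are assumptions that a real deployment would tune against its own login data.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the verification the user must complete for this attempt.
type Decision int

const (
	Allow  Decision = iota // remembered device, nothing unusual: no prompt at all
	StepUp                 // ask for a second factor (email/phone code, passkey)
	Block                  // too risky to even send a prompt; notify the user instead
)

func (d Decision) String() string { return []string{"allow", "step-up", "block"}[d] }

// Attempt is what the login endpoint knows before any factor has been checked.
type Attempt struct {
	User, DeviceID, Country string
	At                      time.Time
	FailedPasswordsLastHour int // prior wrong-password attempts against this account
}

// History is what the service remembers about the user's past logins.
type History struct {
	KnownDevices map[string]bool
	LastCountry  string
	LastLogin    time.Time
}

// Score adds up the risk signals and returns the total with the reasons, so the
// decision can be logged and explained to the user ("new device in FR").
func Score(h History, a Attempt) (int, []string) {
	score, reasons := 0, []string{}
	add := func(n int, why string) { score += n; reasons = append(reasons, why) }
	if !h.KnownDevices[a.DeviceID] {
		add(40, "unrecognized device")
	}
	if h.LastCountry != "" && a.Country != h.LastCountry {
		add(30, "country changed since last login")
		// Too fast to be the same person travelling: the strongest signal here.
		if a.At.Sub(h.LastLogin) < 2*time.Hour {
			add(35, "location change within 2h of last login")
		}
	}
	if a.FailedPasswordsLastHour >= 5 {
		add(20, "password guessing against this account")
	}
	return score, reasons
}

// Decide maps the score to a verification level. Prompts go out only when the risk
// warrants them, which denies an attacker holding a stolen password the ability to
// flood the user with approval requests.
func Decide(score int) Decision {
	switch {
	case score >= 80:
		return Block
	case score >= 30:
		return StepUp
	default:
		return Allow
	}
}

func main() {
	last := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	h := History{KnownDevices: map[string]bool{"laptop-1": true}, LastCountry: "US", LastLogin: last}
	for _, a := range []Attempt{ // constructed attempts for the same account
		{User: "alice", DeviceID: "laptop-1", Country: "US", At: last.Add(time.Hour)},
		{User: "alice", DeviceID: "phone-2", Country: "US", At: last.Add(time.Hour)},
		{User: "alice", DeviceID: "unknown", Country: "RU", At: last.Add(30 * time.Minute), FailedPasswordsLastHour: 12},
	} {
		s, why := Score(h, a)
		fmt.Printf("%-8s score=%3d -> %s %v\n", a.DeviceID, s, Decide(s), why)
	}
}
```

The reasons slice matters as much as the score: it is what lets a reviewer see why a user was challenged, and what lets the user be told something specific ("new device, new country") rather than being prompted with no context, which is exactly the situation MFA fatigue exploits.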
What Should Companies Do?
The main challenge many companies face when it comes to authentication is one of priority. Most of the time, it simply isn’t a priority to overhaul the authentication system and then continuously keep it up to date with security best practices. This would cost significant engineering resources that would likely be better spent improving the actual product the company provides. If that is the case, it makes sense to use a third-party authentication provider and avoid reinventing the wheel, since the details (token handling, rate limiting, signature verification) are exactly where home-grown systems tend to go wrong.
There are many companies that provide various kinds of authentication services. A major factor in the decision of which provider to use is whether you are authenticating customers or employees, as the requirements for each are different. When authenticating customers, friction in the sign-up process is a major concern, as too much of it leads to a high drop-off rate. In contrast, when authenticating employees a high level of security matters most, as they are likely accessing more sensitive information and friction is less of a concern; this is where phishing-resistant factors such as security keys or passkeys (WebAuthn) pay off most.
In the end, the best solution will be highly dependent on the company and its specific needs. However, it is clear that the future of authentication is moving away from passwords and towards more secure and user-friendly solutions.