Passwordless Authentication

Passwords are one of the most confusing concepts in secure authentication for typical users.

In the past, people commonly believed that users should change their passwords often, such as once per month. Changing passwords on a fixed schedule was accepted wisdom among many IT professionals, and the practice was written into many enterprises' password policies. That misconception reached the very top: Bill Burr, then a manager at NIST (the National Institute of Standards and Technology, a US government agency), published it in NIST Special Publication 800-63 (Appendix A) in 2003. Other poor password advice in that standards document included that passwords should contain irregular capitalization, special characters, and at least one numeral. This encouraged some people to create l33t-speak-style passwords like Pa55w04d!!, in which lookalike numerals substitute for alphabetical characters. Many of the dictionaries that attackers use to brute-force passwords contain exactly these l33t-speak words.

Today, the common wisdom is that passwords should only be changed if and when a data breach is suspected. Online services allow users to be notified if the passwords associated with their email addresses have been compromised following a breach. When a cyber threat actor has compromised an account, it often results in unauthorized purchases, emails being sent, or unauthorized changes to the account. These events should trigger the user to change their password immediately.

Requiring users to change passwords regularly can result in less secure passwords with fewer characters and increased password reuse.

Passwords are a widely used method of authentication, but they have many problems. One major issue is credential stuffing attacks. These occur when an attacker obtains a user's password for one online service and tries the same credentials against the user's other accounts. Attackers use applications to automate this process. To prevent credential stuffing attacks, users should avoid reusing passwords.

Password managers are a useful tool in preventing password reuse. They automatically generate secure passwords that meet password standards for new accounts or password changes, eliminating the need for users to remember their passwords. However, some popular password management platforms have experienced major data breaches, and password managers may not always be an option for every password situation. Password manager developers estimate that the typical user has anywhere from 100 to several hundred passwords for online accounts.

Many cybersecurity experts recommend using multiple factors of authentication for both consumers and enterprises. This strategy, known as multifactor authentication, involves a combination of "something you know" (like a password), "something you have" (like a keycard or token), and "something you are" (like biometrics). However, the ultimate goal is to eliminate passwords and adopt a passwordless authentication strategy. But how does passwordless authentication actually work?

Well-designed passwordless authentication systems use multiple factors of authentication but not passwords. There are many ways to implement passwordless authentication. They can use any combination of the following methods:

  • "Keycards and tokens" fall under the "something you have" authentication category. This type of authentication is quite popular among consumers and enterprises alike and is often facilitated by OTP (one-time password) applications. OTP systems are generally available as mobile apps, such as Google Authenticator or Microsoft Authenticator. Once a user installs the app, an OTP is sent to their device, which usually expires within a few minutes. While OTP is also available through text messages and emails, these methods are less secure as they can be easily intercepted.
  • Biometric authentication is commonly used by consumers as face or fingerprint scans on their phones. Enterprise biometric authentication, on the other hand, often utilizes dedicated devices and can incorporate face scans, fingerprint scans, iris scans, and voice identification.
  • Risk-based authentication, or RBA for short, analyzes the history of a user's behavior when they use computer systems. If a privileged user's behavior doesn't fit in with their usual patterns of behavior, their authentication and access can be rejected.

Multiple factors of authentication make passwordless authentication solutions more secure, as they eliminate the risk of a single point of failure. Even though many people already use passwordless authentication systems, completely eliminating passwords has proven to be a challenging and frustrating task. Therefore, organizations are encouraged to deploy more passwordless authentication solutions, so that each new deployment brings the elimination of passwords a step closer.