Employees, and internet users in general, now rely on a large number of online applications and sites, which means managing a large number of passwords for those platforms. The challenge is to remember all of those passwords while also changing them frequently.
Many users take risky shortcuts like using the same password for all applications, using weak passwords, repeating passwords, or posting passwords on sticky notes. Hackers can take advantage of these practices and steal confidential data. In fact, compromised account credentials are a leading cause of data breaches.
That’s why using only a username and password to log in to our applications is considered a weak method of authentication: bad actors can guess these credentials with programs that generate username/password combinations or try common weak passwords such as 123456, they can send phishing emails that trick you into handing over your credentials, and they have many other methods besides.
For that reason, looking for a more secure way to protect our logins is key today, and one of those ways is not to use passwords at all.
What is Passwordless Authentication?
As the name suggests, passwordless authentication means the ability to log in without using any kind of password. Is that the same as MFA (Multi-Factor Authentication)? No.
As explained earlier, in MFA the user first enters their credentials and is then asked for another type of authentication, such as an OTP or some kind of biometric, to confirm that they are the authorized person. In the passwordless case, no credentials are used at any point, and verification depends entirely on biometrics, tokens or OTPs.
That is why passwordless authentication can be considered more secure against cyber threats than passwords, as we will explain later in this article.
Types of Passwordless Authentication
Passwordless authentication, as explained, does not require any kind of password credentials, and there are several ways to achieve this, including the following:
- Possession factors (something you have): the user can use a certificate, a token or an authentication device such as a near-field (NFC) card or a USB security key. They can also use a one-time password (OTP) generated by an authenticator application such as Microsoft Authenticator or Google Authenticator.
- Inherence factors (something you are): biometrics such as fingerprints, face scans or voice prints. Identification documents, such as birth certificates, government IDs or passports, can also be used to authenticate a person.
So how does this work?
Passwordless authentication, as explained, replaces the password with something the user has or something the user is, using an authenticator application, biometrics, or security keys/cards.
Passwordless solutions need to be both scalable and based on specific standards. Solutions implementing passwordless authentication mostly rely on the FIDO2 standard.
FIDO2 (Fast IDentity Online 2) is an open standard for user authentication that aims to strengthen the way people sign in to online services to increase overall trust. FIDO2 strengthens security and protects individuals and organizations from cybercrimes by using phishing-resistant cryptographic credentials to validate user identities.
FIDO2 is the latest open authentication standard developed by the FIDO Alliance, an industry consortium of Microsoft and other technology, commercial, and government organizations. The alliance released the FIDO 1.0 authentication standards—which introduced phishing-resistant multifactor authentication (MFA)—in 2014 and the latest passwordless authentication standard—FIDO2 (also called FIDO 2.0 or FIDO 2)—in 2018.
Passwordless against cyber threats
Passwordless authentication can protect users from different kinds of cyber threats, since passwords are always considered less secure than passwordless methods; as noted above, hackers have many ways to steal credentials and gain unauthorized access to our data.
Some of the threats that passwordless authentication protects users against are:
- Man-in-the-middle attacks: passwordless authentication uses an asymmetric key pair and never transmits a shared secret, so an attacker sitting between the user and the service has no secret to steal.
- Phishing attacks: there is no password for users to be tricked into sharing.
- Auto-generated password attacks: the programs bad actors use to generate and guess weak passwords have nothing to guess.
- Keyloggers: well-implemented passwordless authentication does not allow the same code to be used twice, so a keylogger cannot gather anything useful.
Conclusion
Passwordless authentication can be more complex or expensive than using passwords, but it is certainly more secure. Moving from a password environment to a passwordless one is therefore not an easy decision, but it is one we need to consider when working with sensitive data and applications.