What is Passwordless Authentication?
Passwordless Authentication solutions should provide a consistent login experience across all devices, introduce a frictionless user experience, include an integrated authentication approach, and ensure that no passwords or password hashes are traveling over the network.
Passwordless Authentication, in a nutshell
Password-based threats must be addressed, and alternatives must be found without disrupting users or business processes. Fortunately, there is a growing number of technologies that organizations can implement to get rid of their reliance on passwords.
The Passwordless Authentication market is growing rapidly, with vendors offering mature solutions that support millions of users across different industries including finance, healthcare, government, insurance, manufacturing, and retail. Many of these vendors have developed specialized risk-based passwordless products and services, which can integrate with customers' on-premises IAM components and support the migration of legacy applications to modern authentication systems.
Some of the main capabilities of passwordless solutions include:
- Support for a wide range of authenticators
- Risk, context-based, and continuous authentication
- Support for legacy applications and services
- Integration with 3rd party authenticators
- Device trust on multiple devices
- Comprehensive set of APIs
- Support for industry standards such as FIDO2
- Strong reporting and device state analytics for security monitoring
- Integration to access management products via standards such as SAML or OAuth/OIDC
- Strong cryptographic approaches (Private/Public Key, Zero Knowledge Encryption)
Passwordless Authentication solutions should cover a majority of these capabilities at least at a good baseline level. The list of capabilities above is not exhaustive, but intended to give an overview of some of the most important features.
A Brief History of Passwords
The practice of demanding proof of identity in exchange for something of value can be traced back to ancient times. To ensure that the right people have access to the right resources under the right conditions is perhaps one of the main security objectives in an organization. As a result, passwords have been used to verify and authenticate users since the early days of computing. However, passwords were not created to provide security.
Why Was the Password Invented?
Passwords have been used since antiquity. Polybius, a Greek historian of the Hellenistic period, describes how the Roman military used shared secrets or watchwords inscribed on a wooden tablet when changing shifts at night. In the 18th century story of Ali Baba and the Forty Thieves, the magical phrase “Open sesame” was used by the thieves to open a secret cave containing gold and a hidden treasure.
In the digital age, however, using and keeping passwords secure has been more challenging. The issue with passwords is that they can easily be stolen, guessed, or compromised. Therefore, it is important to explore the origins of passwords in order to understand why they are failing as an authentication method.
In 1961, Fernando Corbató first presented the idea of passwords at the Massachusetts Institute of Technology (MIT). At the time, computer scientists were developing the Compatible Time-Sharing System (CTSS). Essentially, the CTSS consisted of an operating system for multiple users that employed separate consoles to access a shared mainframe and required users to use passwords to obtain private access to the terminals.
Not long after that, a software bug exposed the system's master password file, making everyone's passwords available to anyone who logged into the system. This breach demonstrated the vulnerability and problematic nature of passwords.
Why Is the Password Still Popular?
Passwords were not invented to provide security; they were created to keep track of how much time was spent on shared mainframe computers. Despite the inherent problems of passwords, businesses and organizations continue to use them as a method of authentication.
As a matter of fact, using passwords to access our digital identities is a commonplace experience since our personal lives are increasingly conducted in and dependent on cyberspace. Although software and technology companies are finding alternatives to traditional methods, many people are still reluctant to move away from passwords due to user acceptance, security limitations, and deployment costs.
The IT security community has long been aware that passwords provide little or no security as a means of authentication. As remote and hybrid work become more prevalent and cyberattacks continue to increase, understanding the problem of passwords and finding a more convenient and secure solution might make all the difference when it comes to surviving in a rapidly changing world, avoiding the harsh penalties of compliance regulations, and defending your organization from password-based attacks.
The Problem of Passwords
The password is a remnant of an era before hacking and cyberattacks became a common and universal problem. Although the internet has changed significantly since the early days, passwords have practically remained the same. In parallel, cybercriminals have targeted operating systems with increasing sophistication and frequency as computers have become more accessible worldwide.
It’s The Password, Stupid
Passwords can be costly, time-consuming, difficult to manage, and result in poor user experiences. In addition, the fact that password reuse is a common practice among users only exacerbates the problem. Choosing easy passwords, not updating them regularly, and sharing them with other people to make things easier are not uncommon occurrences.
Data breaches are most often the result of stolen credentials and compromised passwords, which makes passwords one of the weakest links in cybersecurity. To add fuel to the fire, recent geopolitical tensions and global disruptions have made organizations more susceptible to account takeover attacks and fraud cases.
The idea of passwords becoming obsolete has been discussed by the IT industry for years, if not decades. Traditional multi-factor authentication (MFA) solutions were supposed to overcome the issue of passwords; however, the problem is that some MFA solutions still rely on a password as the first factor or backup factor for authentication.
Moreover, adding MFA on top of passwords only increases the burden on both users and IT teams, and organizations often struggle to enforce MFA adoption by their users. When it comes to security, MFA requires users to provide two or more factors in order to be authenticated, drawn from: something they are, something they have, and something they know. Some of these factors include PINs, security questions, magic links, mobile SMS codes, and one-time passwords (OTP).
Nevertheless, adversaries and cybercriminals can exploit account-recovery systems, gain access through an overload of notifications and prompts, intercept access codes, or use other methods to bypass MFA. While a password-based MFA system may once have been effective enough, its viability in today's threat landscape is fundamentally diminished. As a result, the security risks and inconvenience of passwords have led to a trend in which organizations are eliminating passwords altogether.
The Alternative? Passwordless Authentication
Passwordless Authentication has become a popular and catchy term. It is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow, and from the recovery process as well.
Some passwordless options have been around for a while but are starting to be implemented more by enterprises and even consumer-facing businesses. For example, smart cards and hardware tokens have been used as an alternative to usernames and passwords for decades. However, there are some distinctive features that make Passwordless Authentication noteworthy.
Unlock the Potential of Passwordless Authentication
By eliminating passwords and adopting a passwordless solution, organizations will remain competitive, secure, and compliant, and have a modern authentication system that does not require users to remember passwords.
Security and Convenience
Digital identity has become the foundation of the digital economy as it responds to a changing business landscape. Therefore, it is important that businesses and organizations pursue greater use of passwordless authentication solutions as they modernize their authentication systems. Passwordless solutions must ensure a frictionless and convenient user experience, but without sacrificing security and privacy. To fully leverage the potential of passwordless technologies, both aspects must be improved simultaneously.
If some users are still reluctant to let go of their passwords, vendors must convey a clear and transparent message about the business value and the benefits of passwordless solutions. In addition, users are likely to adopt passwordless authentication solutions more readily if they understand how the technology handles and improves their security and privacy. The collection of personal data by consumer IAM and authentication systems must adhere to a growing number of standards and privacy regulations around the world such as the EU General Data Protection Regulation (GDPR).
Innovation as a key driving force
Innovation is a key driving force in all IT market segments. The concept of passwordless authentication is already innovative in and of itself. However, passwordless can be done in a number of ways. Different vendors in the market continue to differentiate themselves by innovating in different areas, such as fraud detection, desktop authentication, device trust, automation, decentralized identity, or using a more modern containerized and microservices-based product.
To unlock the full potential of passwordless authentication, enterprises and organizations are also using QR codes, fingerprint scanning, and other biometrics to enroll and authenticate their users, thereby propelling the demand for passwordless authentication. If successfully implemented, the passwordless solution will add a significant layer to the overall security posture of the organization while providing a frictionless experience to the users.
Industries and Use Cases: Should your Organization Embark on a Passwordless Journey?
The Passwordless Authentication market is experiencing growing momentum. As cybercrime continues to increase, more organizations are likely to adopt this methodology to protect their platforms, leading to considerable growth for this market segment in the coming years.
Understanding the Market
The digital economy is changing the way many organizations interact with their employees, partners, and customers. With smartphones and digital wallets becoming more prevalent, businesses and organizations will have to address the benefits and challenges they bring. Moreover, the continuing shift to remote and hybrid work will contribute to the further adoption of passwordless products and services by both employees and customers.
Longer term, for widespread adoption of passwordless solutions to take place, standards such as the FIDO2 authentication standard (WebAuthn) and the OAuth standard need to be widely implemented in products and browsers to enable easy integration between authenticators and applications as well as passwordless enrolment and credential recovery.
Some solutions in the Passwordless Authentication market provide nearly every feature one would expect in a passwordless service, while other solutions are more specialized, and thus have different kinds of technical capabilities. For example, some smaller vendors are targeting mobile operators as well as small and medium-sized enterprises (SMEs). Other vendors focus on highly-regulated industries and the government-to-citizen (G2C) market.
Most solutions support multiple use cases (workforce, consumers, and partners). Security is the main priority in workforce use cases, whereas CIAM focuses more on seamless user experiences. Of course, leveraging both at the same time is essential.
Passwordless authentication methods are often used in the healthcare and financial services industry due to the sensitivity of the data involved. To access military facilities and obtain confidential information, passwordless technologies and biometrics are commonly used in government and defense sectors. To prepare for such a passwordless future, organizations must get rid of passwords and replace legacy systems with modern authentication solutions.
Implementing a Passwordless Solution: What to Do and Where to Start
Passwordless initiatives serve as an enabling concept that propels organizations towards their digital transformation and Zero Trust goals. Therefore, it is important for organizations to consider a phased implementation approach that is well-suited from a technical and business standpoint.
Embark on a Passwordless Journey
The ability to foster a strong cybersecurity foundation while implementing a passwordless authentication solution is vital given the ever-changing threat landscape. First, it is important to determine the needs of your organization and define them in a measurable way. Ultimately, embarking on a passwordless journey depends on your business model and requirements. The right approach will make authenticating easier for users, while increasing security at the same time.
Since your organization is likely to be subject to specific industry regulations and standards, it is important to avoid fines and penalties due to regulatory non-compliance. Thus, selecting the right passwordless solution and keeping your organization up to date with industry-specific regulations is important for your organization’s future. The success of a passwordless implementation depends on the vendor's flexibility to support both access and provisioning related industry standards and protocols. Therefore, support for all major Identity Federation standards and regulations can be beneficial.