Analyst Chat

Analyst Chat #148: How to Improve Security with Passwordless Authentication


"Passwordless authentication" has become a popular and catchy term recently. It comes with the promise of getting rid of the risk associated with passwords, and organizations that adopt it also add a significant layer to the overall security of their IT infrastructure. Research analyst Alejandro Leal rejoins Matthias to explain how this can be achieved in reality with today's products and services. He gives an overview of the market, the technologies and recent developments in this area.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Alejandro Leal. He is a research analyst with KuppingerCole, currently hailing from the United States. Hi, Alejandro. Good to see you.

Hi Matthias, good to see you. Happy to be back.

Happy to have you back. And we are talking today about a topic that you covered in a recent Leadership Compass, our document that compares vendors and services in a specific market segment. We want to talk about passwordless solutions. So to start out, when we talk about passwordless, what does that replace? What are passwords and how are they considered from a security perspective and from a compliance / governance perspective?

Well, I think before that we need to ask ourselves, why do we use passwords? So if we look at the origins of passwords, we have to go back to 1961. At the time, MIT was one of the centers of the growth of computing activity, and it was also during this time that computer scientists at MIT developed a computer sharing system, the CTSS. Essentially, the CTSS was an operating system for multiple users that employed separate consoles to access a shared mainframe, and it required users to use passwords to secure and access private files. So by developing such a system, the birth of passwords in a way also introduced the concepts of logging and authentication in the digital world. However, only a few months passed before the CTSS suffered from a password breach: basically, a software bug infected the master password file and it made all the passwords available to anyone who logged into the system. So this breach demonstrated that passwords were not designed to secure a system, but were instead created to keep track of how much time was spent on shared mainframe computers. So in this context, we understand that passwords are remnants of a time when hacking and password-based attacks were not common and widespread. Since the early days, the Internet has changed a lot, but passwords have remained practically the same. And the issue with passwords is that they can easily be stolen and compromised, but they can also be very costly, difficult to maintain and manage, they're time consuming, and they often result in poor user experience. So keeping passwords secure is a top priority for any organization because once a password is compromised, it is very difficult to detect or prevent a security breach because now the attackers are in possession of a legitimate password. So passwordless options have been used for a while, such as hardware tokens or smart cards. But today we see a trend of new solutions that include the ability to support legacy systems. They support a range of authenticators.
They use public key cryptography and other innovative approaches that I will talk about in a second. So it's clear that the need for passwordless solutions is increasing. However, finding a passwordless solution that is simple, effective and secure is a bit more challenging. So organizations and businesses must confront password-based attacks and find alternatives without disrupting their users and their business practices. And this Leadership Compass provides an overview of the market for passwordless authentication products and services and presents a compass for you to find the right solution that will help your organization, your workforce, your customers, and your partners. In this report we examine the market segment. We examine the products, functionalities, and some of the innovative approaches to providing passwordless authentication solutions.

Right. You've described it well, that it was not really about security. It was about time sharing and the amount of time that has been spent. But nevertheless, since 1961, we still have the concept of passwords here and we still have the dangers of passwords here. But it seems a bit weird to say okay, we get more secure by removing passwords. So passwordless seems to be less secure than with passwords. But this is not the case, right?

That's right. You know, we see, for example, a few years ago, traditional MFA solutions were hailed as overcoming the issue with passwords. But the problem is that some MFA solutions still rely on a password as a first factor or as the backup factor for authentication, and some of these require SMS codes or one-time passwords and other options that are easily visual. So the goal that passwordless authentication solutions are trying to overcome is to provide a consistent log-in experience across all devices, introduce a frictionless user experience, and of course, perhaps the most important thing, to secure those devices and endpoints.

So when you say passwordless solutions, is there a common denominator to say, okay, there are some concepts that are the same for all of these passwordless solutions? Because when you designed, or defined, the segment of vendors or services to analyze in this document, what were the core functionalities, the main capabilities that you were looking at? What constitutes a passwordless solution that makes it more secure?

Well, different views exist on what makes a passwordless solution, but a passwordless and phishing-resistant MFA authentication solution should have at least the ability to provide a broad range of authenticators, to have cryptographic approaches, a comprehensive set of APIs, support for legacy systems and some of the major standards and secured certifications. It is true that in a way everyone is doing passwordless in one way or another. Some of them have their own specific way of doing it. Some of the vendors, for example, focus on self-sovereign identities to provide a passwordless solution. Others use blockchain technologies to do that. Others focus more on device management and device trust. Others support passwordless from the initial authentication of a desktop. So it's a very dynamic and competitive market. We see lots of vendors focusing on different areas, different parts of the world. Some vendors focus on small and medium enterprises and other vendors focus on highly regulated industries, like let's say banking or government. So it's a very interesting market and it was a really, really amazing way to cover all of this in this report.

Right. And as you said, it's a larger market. Are there the traditional, the usual suspects there or is this also a market where you have lots of innovation, lots of startups, lots of new vendors, new names? Or is it a mix of all of this?

It's a mix of all of these, yes. I mean, we see the traditional big vendors doing it, but we also see some vendors that are highly specialized in their own way. But I think since it's a very dynamic market, we're going to see many changes in the future. For example, something that I thought was very interesting: a couple of vendors are doing SIM-based authentication, so they're using the SIM card of the mobile phone to provide this passwordless authentication. Apparently this is a very popular way of doing it in China, where billions of transactions happen every day. So this is something that these vendors are trying to bring here to Europe and North America. So we see a lot of different companies doing different things and it's very exciting. Some of them focus only on enterprise use cases, some of them focus on consumer use cases. Some of them do both. But we see that trend because, I believe, of the help of FIDO2 and WebAuthn. And recently, in January of this year, the Biden administration released a memorandum arguing in favor of enterprise identity and access controls and achieving a zero trust model and having phishing-resistant MFA across enterprises. So I believe that this is going to be a trigger for more innovative approaches and more vendors jumping into the passwordless market.

When I think of multi-factor authentication and of passwordless, I usually come across the mobile phone as one of the key factors that is in common use. At least for me, it is my main second factor usually. So it's an application that is on there that asks me whether I approve something. Is this a trend that you see in the market as well? And where is the market going here?

Yes, I think it is, because one of the very important components of what makes a passwordless solution is device trust. In order to successfully transition to a passwordless solution, I think companies must establish trust across their devices and make sure that the right people have access to the right devices. So by implementing strong device trust, organizations can control access to the critical cloud applications. So some of the elements that are important when it comes to, let's say, using the mobile phone to provide passwordless would be device health checks, device roaming, support for bring your own device. And there's this term called portable identity, or in some cases some vendors call it decentralized identity, which is basically being allowed to use multiple devices and maintain the same identity and the same credentials. This sounds like a very obvious thing to say, but this is, of course, one of the major components to making a passwordless solution a reality.

Right. So I understand that, as you've described it, there are several different technologies to use, but there are also vendors that cover different regions, different countries, different requirements when it comes to local requirements. So the Leadership Compass looks like something that can help in identifying the right solution for the right use case. So it is a tool for those who are looking for a proper solution, to aid them in finding the right way forward. Is this right, do I get that? So it's a one-size-fits-all approach to find the right solution, across the regions, across the technologies etc.

That's right. Yes. Some customers are looking for a particular way of doing passwordless, some of them have different requirements and needs. So I think this Leadership Compass does a good job in providing an overview of the market, of the vendors and some of the innovative approaches that some of these vendors are taking.

Great, and the Leadership Compass is already available. So for those who are interested, please head over to kuppingercole.com and have a look at the Leadership Compass on Passwordless Authentication. I assume you will be covering that market in the future as well. So you will look at the new trends, at the next steps that you expect?

Yes, I'm really excited to see, because like I mentioned, it's a very dynamic market and lots of these vendors were very excited to share their approaches to passwordless. They were very enthusiastic. And I believe that in the future there are going to be some changes, there are going to be some new trends, and hopefully we'll be there to cover them.

Great. Thank you very much. Yeah, thank you very much, Alejandro, for sharing your insight from, I think this must have been a lot of work when there are lots of vendors and a huge market. But nevertheless, we came to a comprehensive Leadership Compass that covers the full market, including the Vendors to Watch that are in addition to that also mentioned, so that those who are looking for a bit of an offbeat solution might also be in the right place for finding the right solution for them. For the audience: if you have any questions regarding this topic of passwordless, or if you have suggestions of topics we should cover in the Analyst Chat Podcast, please leave a message wherever you are. If you are on YouTube, please go down to the comments section and leave me a comment. If you are listening to that in the podcatcher of your choice, just reach out to me, mr@kuppingercole.com, and drop me a message. For the time being, Alejandro, thank you very much for your time and for joining me from the United States for this episode. So it's a long-distance podcast episode and I'm looking forward to having you soon as a guest for another episode. Thanks, Alejandro.

Thank you Matthias.

Bye.
