Passwordless authentication.
Not the snappiest phrase you’ll ever read. But in the world of IT it is acquiring rock-star status, with Google, Microsoft and Apple all supporting it or implementing their own versions.
This is because passwordless authentication will revolutionise the way organisations access devices, apps and accounts. It’s going to enable you to ditch the living hell of passwords for quicker, more secure ways to get your hands on your tech and software.
But what is passwordless authentication?
Here’s what you need to know about this new approach and why you’ll really want to adopt it for your organisation.
See this post as an extended guitar solo in honour of this rock-star new technology. Or, if that sounds way too excitable, we’ll settle for ‘concise all you need to know guide…’
How Does Passwordless Authentication Work?
Passwordless authentication removes the password and verifies the user another way. Typically the user unlocks their device with a biometric or a PIN, and the device then proves to the app or website that it holds a private key registered to that account. No shared secret is typed in, stored on the server or sent over the network.
Example:
A user needs to sign into an app or website. Instead of typing a username and password, they unlock their phone with a fingerprint or PIN and approve an authentication prompt; the phone signs a one-time challenge from the service, and the user is in.
Going into a bit more detail, passwordless authentication combines two of the three classic authentication factors:
- Something you are – your fingerprint, face or voice, checked by the device’s biometric sensor
- Something you have – a phone or a hardware security key that holds the private key
- Something you know – a device PIN, which is checked locally on the device and never sent to the service
The service itself only ever sees the device’s signature, never the biometric or the PIN.
How Does Passwordless Authentication Differ from Multi-Factor Authentication (MFA)?
MFA stacks a second factor (a code, a push prompt, a token) on top of a password that is still there to be phished, reused or leaked in a breach.
With passwordless authentication, at no time is a password used for sign in. Unlocking your device and approving the prompt is all that’s required, and there is no shared secret on the server for an attacker to steal.
Is Passwordless Authentication Good?
From the UX (user experience) point of view – very.
Let’s compare this new method to ‘bad-old passwords’ for authenticating yourself and accessing accounts.
Scenario 1: Passwords. You scrabble in the darkest recesses of your brain for all those stray fragments that typically make up your passwords. And continually fail to piece together the right one.
(Fun-less fact: a study sponsored by hardware security key maker Yubico found that users spend around 11 hours each year entering and resetting passwords.)
Scenario 2: Passwordless authentication. You access your account by doing something you do many times per day –unlock your phone. Simple.
Is Passwordless Authentication More Secure?
Yes. It’s a giant leap in authentication security.
Cyber-attacks such as phishing, social engineering, credential stuffing and brute forcing (guessing passwords, often with automated tools) all depend on obtaining or guessing a password. Take the password out of the equation and there is nothing to phish, reuse or crack.
How can a criminal trick a user into handing over biometric data?
Answer: they can’t, in any useful way. The biometric never leaves the device; the service only receives a signature from the key the device holds.
And even if they somehow could, they still need the actual device to get into an account. A criminal halfway across the world is not going to get their hands on your phone. The one caveat worth planning for is the account-recovery path: how a user re-enrols after losing a device needs the same rigour as the sign-in itself, or it becomes the new weakest link.
Passkeys, the consumer-friendly name for this kind of credential, are based on FIDO authentication, a global standard created by the FIDO Alliance. It is phishing-resistant by design: the device signs a fresh challenge that includes the website’s identity and origin, so a credential registered for your bank’s real domain simply will not work on a look-alike site, and a replayed response is rejected.
Since we’re a specialist cyber security company, THIS more than anything else is why we love passwordless authentication.
It’s next-level security.
So Why Doesn’t Everyone Have It Already?
Two reasons.
Firstly, there’s the ‘better the devil you know’ factor. Passwords have been around for so long, organisations are reluctant to shake things up with this fundamental change.
There are logistical challenges, too. There’s no hiding the fact that transitioning to passwordless authentication may require new systems, software and configurations.
A good example is Windows Hello for Business, which lets users sign in without a password to Microsoft accounts, on-premises Active Directory and Azure Active Directory (now Microsoft Entra ID).
While this key/certificate-based authentication model is no doubt more secure, there are challenges to its adoption. For instance, organisations that depend on on-premises file shares and run a hybrid Intune environment can find the transition particularly challenging, because a Hello sign-in is not a password and on-premises Kerberos resources still need a ticket. Intersys addresses this with a cloud Kerberos trust deployment, in which Microsoft Entra ID issues a Kerberos ticket for the on-premises domain (via a Kerberos server object published in Active Directory), so Hello users can reach file shares without standing up a PKI for the purpose.
We think it’s helpful to see the shift as a journey, and not expect to switch from passwords to passwordless in a flash. You’ll get there, but you might need to start in some areas of your organisation before moving to others.
In Conclusion
Despite some of the challenges, we believe moving to passwordless authentication is 100% worth it. It removes the one credential every attacker is after, and that is a far tighter position from a security point of view.
And we don’t need to recite all the scare stories we see daily in the news to remind you that tight security is absolutely crucial for businesses, schools, government departments and NGOs today.
Intersys is a specialist cyber-security provider that can help you with all aspects of cyber security, including passwordless authentication. To find out about everything from security operation centre (SOC) services to rapid breach response, contact us now.