What is authentication, authorization and accounting (AAA)? Security Assertion Markup Language (SAML)
Definition

What is passwordless authentication?

Passwordless authentication allows a user to sign into a service without using a password. This is often done using digital certificates, security tokens, one-time passwords (OTPs) or biometrics.

Passwordless authentication is generally considered more secure than using passwords. It's frequently combined with other authentication approaches, including multifactor authentication (MFA) and single sign-on to improve security and streamline the user experience.

Why passwords are becoming obsolete

Passwords have long been the standard for securing access to digital accounts and systems, but they come with many challenges.

First, strong passwords can be difficult to remember, so users often opt for simple, weak passwords such as "123456" or "password," as they're easy to recall. Additionally, with the growing number of accounts requiring passwords, users keep reusing the same simple password across multiple sites to avoid the hassle of remembering unique passwords for each account. However, reusing simple passwords makes them a prime target for security attacks, as cybercriminals often use phishing attempts, brute-force attacks, man-in-the-middle (MitM) attacks, credential stuffing and other tactics to gain unauthorized access.

Managing passwords can also be costly. Organizations incur significant costs in password management, including time and resources spent on password resets, data breaches and the resulting increase in IT support calls and lost productivity.

Inconsistent user behavior regarding passwords can also create challenges. Many users fail to follow password hygiene tips and best practices, such as regularly changing passwords or creating passphrases using a mix of different characters for different accounts. This inconsistency can lead to vulnerabilities within an organization.

How does passwordless authentication work?

Passwordless authentication proves that users are who they claim to be by demonstrating that they have something unique, such as a phone number or a certificate, or that they have the correct physical characteristics. Passwordless authentication occurs when factors other than passwords, such as those used in MFA, are used to verify identity and manage access.

Authentication factors are generally divided into the following three categories:

  1. Knowledge factors, or something you know, such as passwords, passphrases or security questions.
  2. Possession factors, or something you have, such as certificates, hardware tokens or authentication devices.
  3. Inherence factors, or something you are, such as biometrics, fingerprints or face scans.
An image showing the factors involved in multifactor authentication.
Passwordless authentication uses possession or inherence factors to authenticate, rather than knowledge factors.

Passwordless authentication methods

Common methods of passwordless authentication include the following:

  • Certificates. Digital certificates verify a user's identity without the need for traditional passwords. The user's device holds a private key, while the corresponding public key is stored on the server to enable secure authentication.
  • One-time-passwords. OTPs are temporary one-time passcodes sent to a user's registered device, such as a smartphone, through a short message service (SMS) or authentication app. Users enter this code to gain access instead of using a static password.
  • Biometrics. This method uses unique physical traits, such as fingerprint scanning, retina scans or facial recognition, to verify a user's identity. Since biometric data is hard to replicate, it provides a secure alternative to passwords.
  • Magic links. These URL tokens enable users to log in without a password by verifying their email address or phone number. Links are typically sent via email, SMS or messaging apps, such as WhatsApp.
  • Badge tap and go. This authentication method relies on proximity cards or smart badges integrated with radio frequency identification (RFID) or near-field communication (NFC) technology. Users can easily tap their badge on a reader to gain access, simplifying the authentication process and eliminating the need for passwords.
  • Unique authenticators. Unique authenticators use push notifications from third-party apps, such as Google Authenticator. After the admin configures the app with the service, a secret key is securely provided to the user, who then verifies their identity through the app. These authenticators are compatible with MFA.
  • Passkeys. Fast identity online (FIDO) passkeys provide a secure, passwordless login experience. Using public-key cryptography to replace passwords with cryptographic key pairs generates a unique key pair during registration, with the public key stored on the server and the private key stored securely on the user's device. Authentication occurs using the private key, which is never transmitted, enhancing security against phishing and other social engineering attacks.
  • Proximity badges. These are physical devices or cards that users carry. When close to a reader, these badges automatically authenticate the user and grant secure access without requiring manual input.

What are possession factors?

Possession factors are items that a user physically owns and uses to authenticate their identity in passwordless systems. Unlike traditional methods that rely on something the user knows -- such as a password -- possession factors focus on what the user has.

One of the most common and well-tested forms of passwordless authentication possession factors is certificates or asymmetric keys. Many other forms of passwordless authentication rely on certificates to function in the background. These use cryptographically matched pairs of security keys to sign a request.

Hardware tokens, such as smart cards, secure tokens, NFC tokens and Rivest-Shamir-Adleman secure tokens are a human-friendly way to contain a certificate in a hardware device. These hardware devices handle the authentication signing process and protect the secret key from being leaked.

Time-based one-time passwords (TOTPs) involve a server and a device using a shared secret and the current time to generate a frequently changing OTP. Typically, these change every 60 seconds and are six numbers long. In the past, hardware devices with liquid-crystal display screens would show the OTP. Now, free two-factor authentication apps such as Google Authenticator or Microsoft Authenticator can be used to generate TOTPS.

A sent OTP occurs when the server sends a one-time-use password to a known contact channel by email or SMS text message. The password can be an alphanumeric code that the user types into an authentication prompt or a magic link the user clicks to authorize the device.

Notifications or prompts refer to messages the server sends asking the user of an already trusted device to confirm or authorize an action. Sometimes, the user might need to select the correct numbered prompt.

What are inherence factors?

Biometrics, such as fingerprints, face scans and voiceprints, can be measured and stored to prove that the person is authorized.

Identification documents, such as birth certificates, government IDs or passports, can authenticate a person. However, these are difficult to verify digitally. Some governments have begun issuing IDs with embedded smart cards or RFID tags.

How does one-time-use authentication work?

In a one-time-use authentication scenario, the server issues a challenge that can be accepted only if the user has the authentication factor. An OTP can be sent to a registered phone number or email address to accomplish this. After that, the user enters the OTP into the login box. In the case of a TOTP, the server verifies that the code the user enters matches the one generated by the server based on the current time. For push notifications, the server sends an alert to a smartphone app that the user must accept.

Passwordless authentication based on certificates is built on asymmetric public and private key pairs. The device generates a key pair and sends the public key to the server during provisioning. The private key is stored in a secure location, such as a Trusted Platform Module, smart card or security token. A passcode or biometric lock can be used to further secure the private key.

During authentication, the server generates a challenge, which is sent to the device. The user unlocks the private key, which is then used to sign the challenge. The server accepts the signed challenge and verifies the signature to authenticate the user. Using this method, no secrets are exchanged between the server and the client.

Examples of certificate-based passwordless authentication systems include the following:

  • Apple Passkeys.
  • Microsoft Entra ID.
  • Okta Workforce Identity.
  • RSA SecurID.
  • Yubico YubiKey.
An image showing different biometric authentication methods.
Numerous physical characteristics are used for biometric authentication.

Advantages and disadvantages of passwordless authentication

The passwordless authentication market is expected to grow significantly. Fortune Business Insights predicts it will increase from $18.82 billion in 2024 to $60.34 billion by 2032. While passwordless authentication offers significant security use cases and user experience benefits, organizations must carefully consider the potential challenges and risks associated with this approach.

Advantages of passwordless authentication

Passwordless authentication is considered much more secure than using passwords. However, there are many well-known cyberattacks against password authentication. These attacks can be done remotely without the user's knowledge. Passwordless authentication is resistant to these types of attacks and often alerts the user if something is wrong.

Passwordless authentication is resistant to the following types of attacks:

  • Brute-force attacks. Passwordless authentication doesn't rely on human-readable data, making it much harder to guess.
  • Credential stuffing. The secrets in passwordless authentication aren't set by a human and can't be reused.
  • Keyloggers. Well-executed passwordless authentication doesn't enable the same code to be used twice, stopping keyloggers from gathering useful information.
  • MitM attacks. Passwordless authentication using asymmetric keys doesn't send any secrets, preventing MitM attacks and similar replay or pass-the-hash attacks.

Other key benefits of passwordless authentication include the following:

  • Rarely requires passwords to be reset. Users are less likely to need to reset passwordless authentication. It's common for users to forget or mistype their passwords. Passwordless authentication, on the other hand, relies on things users have or are and, therefore, only rarely needs to be reset -- for example, only if their smartphone is lost or stolen. Since users no longer need to remember complex passwords or go through the hassle of resetting forgotten passwords, it provides a smoother, more efficient login process, enhancing overall user satisfaction.
  • Requires fewer help desk support requests. After transitioning to passwordless, organizations can see a substantial reduction in help desk support requests for password resets and troubleshooting, which can ease the workload on IT teams, improve user satisfaction and lower operational costs.
  • Scalable and easier to deploy. With faster, easier and secure access to accounts, users can focus more on their tasks rather than dealing with login issues. Passwordless authentication options are easier to deploy across large enterprises, making them a scalable option for businesses with complex security requirements.
  • Meets compliance requirements. Passwordless authentication helps organizations meet strict compliance standards for data protection and user authentication by providing a secure, user-friendly alternative to traditional password systems.

Disadvantages of passwordless authentication

Passwordless authentication can also create unique challenges, including the following:

  • Complex and expensive. Passwordless authentication can be more complex and expensive than using passwords. These systems are still relatively uncommon and could require outside services to function.
  • Biometrics can't be changed. Biometric authentication can't be reset. While it's relatively simple to change a password or certificate, it's impossible to change a person's fingerprint or face if these authentication methods were compromised.
  • Security during setup. Passwordless authentication usually requires a secure channel during setup. Secrets are often exchanged during the setup process. If these were leaked, they could compromise the system's security. For example, during the setup of TOTPs, the security token must be shared. If this were to be leaked, an attacker could create their own TOTP.
  • Possibility of identity theft. OTPs can be intercepted or stolen if users' email accounts are hacked or if their phone numbers are stolen through a subscriber identity module swap attack.
  • User resistance. Some users might be resistant to change or struggle to adapt to new authentication methods, particularly if they aren't familiar with passwordless technologies. This can lead to frustration and decreased user satisfaction during the transition period.

Passwordless authentication eliminates the human element, significantly reducing the risk of phishing and social engineering attacks. Explore its benefits in aiding identity security and learn how it compares to other authentication methods.

This was last updated in December 2024

Continue Reading About What is passwordless authentication?

Dig Deeper on Application and platform security