In a bid to mitigate cyber risk and keep attackers at bay, businesses are constantly looking for innovative strategies. One of the latest trends in this regard is to reduce centralization by doing away with centrally managed passwords.
Passwordless authentication, as it is fondly referred to, is clearly on the rise. According to a Gartner report, by 2022, it is expected that 90% of midsize and 60% of large enterprises will embrace passwordless methods in at least 50% of cases. That would be a significant increase from a mere 5% in 2018.
But how exactly does it work, what are its benefits and is it as secure as it is said to be? Let’s find out.
What is passwordless authentication?
If, like most people, you have used passwords all your life, the idea of passwordless authentication might arouse skepticism in you. But before you dismiss it altogether, how about understanding it a little better?
As the name implies, it is an approach to login that does not involve a password at all. It could, for instance, rely on your email address: with every login attempt, you receive a one-time link or code that grants access to your account.
Slack’s magic links use such an approach whereby you only need to input your email address and tap “Send Magic Link” to log into your account right from your email inbox.
In other cases, the system uses a one-time code rather than a password. You receive this code by email or via SMS and enter it to access the account.
On Gmail, the approach is slightly different. Instead of asking for a password, it may send a prompt to your phone asking you to approve or deny a login attempt. Another kind of approach is biometric authentication, which scans your fingerprint, face or eye to authorize access.
For more advanced systems, there are physical security keys, which often come in the form of small USB devices.
Whatever form of authentication such a system uses, the fundamental concept is the same: a pre-existing authentication factor (an inbox, a phone, a fingerprint or a hardware key) is used to confirm identity.
Potential benefits of passwordless authentication
Any time you create an account on a website, you might also need a password. Only you and the site will know this password, and you trust the site to keep it safe. If you happen to have accounts on 100 sites, you need as many strong passwords for security purposes. According to CSO statistics, the average consumer has about 90 accounts with passwords to manage.
And that is where the challenge arises. Maintaining a strong, unique, memorable password for each site and service is not for the faint of heart. That is where this novel innovation comes in handy: you do not have to create or memorize a password for each service you use.
Eliminating credential reuse
What is even more important than convenience is preventing the security risk that arises from reusing passwords. As much as we all know how risky it is to use the same password in multiple places, let’s face it, almost everyone does it.
Reusing a password seems like a much better alternative to walking around with a little black book in which you write all your passwords – yet another security risk.
But that is the stuff of dreams for hackers. They know how much users love to recycle passwords, and they exploit this weakness with success time and again. Attacks that rely on credential reuse reportedly have a success rate of 2%.
Though that might seem like a small number, it equates to over 46 million accounts being open to compromise.
Hacker deterrent – fewer data breaches
Website owners have the weighty responsibility of keeping user passwords secure. If your site stores user passwords in plaintext, it becomes an instant hacker magnet. Eliminating them means one less thing to worry about, and could spell the end for password-related data breaches.
A majority of enterprises use centralized credential stores to keep client data. This in effect turns them into sitting ducks, creating a hackers’ paradise.
Not as secure as users may think
While the convenience and security benefits of passwordless authentication seem overwhelmingly obvious, there are caveats. Just as with everything else technical, even the best innovations can be insecure when used inappropriately.
Let us consider a few potential risks of this form of security:
When sending a magic link or login code, an operator needs to ensure that the delivery channel is secure. If that channel is compromised, the code ends up in the wrong hands.
Weaknesses exist even in big-name organizations, and the effects can be devastating. Communicating a PIN code over potentially unsecured networks, or worse still, the open internet, is not a viable replacement for passwords.
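To make the link-and-code flow described above concrete, here is an added example (not code from the original article, nor from Slack or Gmail) of a server-side issuer and verifier for magic-link or one-time-code tokens; the MagicLinkService class, its field names and the ten-minute lifetime are assumptions. It shows the controls that limit the damage when a delivery channel is compromised: the token is random, short-lived, single-use and bound to the requesting email address, and only its hash is kept server-side, so a leaked store yields no usable links.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime: a link or code lingering in an inbox should not stay valid for long.
TOKEN_TTL_SECONDS = 600


class MagicLinkService:
    """Issues and redeems single-use login tokens (hypothetical example class)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        # Pending tokens keyed by SHA-256 of the token. An in-memory dict stands in
        # for a database here; the point is that the raw token is never stored.
        self._pending = {}

    def issue(self, email: str) -> str:
        """Create a token for `email` and return it; only its hash is retained."""
        self._purge_expired()
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = {
            "email": email.strip().lower(),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token  # this value goes into the emailed link or SMS message

    def redeem(self, email: str, token: str) -> bool:
        """Return True exactly once, for a live token presented with its own email."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() consumes the token on first presentation, whether or not it succeeds:
        # a token probed with the wrong email is treated as burned, not retried.
        record = self._pending.pop(digest, None)
        if record is None:
            return False
        if self._now() > record["expires"]:
            return False
        # Constant-time comparison of the email binding, on bytes so any address works.
        presented = email.strip().lower().encode()
        return hmac.compare_digest(record["email"].encode(), presented)

    def pending_count(self) -> int:
        """Number of unexpired, unredeemed tokens currently held."""
        self._purge_expired()
        return len(self._pending)

    def _purge_expired(self) -> None:
        now = self._now()
        self._pending = {d: r for d, r in self._pending.items() if r["expires"] >= now}
```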
More of a convenience than a secure alternative
The passwordless experience is great from a usability point of view; everyone agrees on that. But as far as security is concerned, these schemes are not any better than existing systems. In fact, they are often simply an extra layer on top of an already vulnerable system.
On-device biometrics, for instance, often do no more than unlock the device, autofill a stored password or release a key from the device’s key store. Most of the remaining options rely on centralized systems and raise the same concerns as passwords.
Before a passwordless future
Passwordless authentication seems to be on its way. Its benefits appeal to both individuals and organizations, hence its popularity.
Yet our passwordless future is still a way off. Between now and then, companies and individual users have to find some way of protecting their passwords from cybercriminals and unsecured databases. For the time being, the prime method for achieving this is the password manager. These tools let users have a strong, unique password for each of their accounts.
There is still a lot left to do to pave the way for true security under a passwordless regime. It is a great start, but to be truly secure, we need to ensure that the form of authentication used is beyond the reach of criminal minds. Otherwise, it might just become another case of the same script, different cast.