Passwordless Authentication

According to a 2023 report, 40% of breaches were attributed to authentication, and the use of passwords continues to create huge problems due to the cost of management and the impact on user experience.

5/8/2024, 2 min read

[Image: A server room or data center featuring several racks of network servers with blue indicator lights. The setup is organized and enclosed within a glass cabinet.]

Authentication is the process of validating users and devices before they access resources. It is a critical part of security and has gone through multiple evolutions over the years. In the early days passwords were sufficient. As the number of diverse resources and applications grew, so did the need to have different passwords associated with different accounts. For critical resources it was always advised to set long and complex passwords that had to be changed regularly. This made the management of passwords a nightmare, and so password management software became a reality.

Multi-Factor Authentication (MFA) was also introduced to improve security by asking the user to provide another form of authentication. Although that was good for security, it didn’t contribute much to improving the user experience as long as passwords were still being used.

When we discuss authentication today, we often talk about three key factors that can be used in the authentication process.

1- Something you know: This often translates to a password.

2- Something you have: This can come in many forms and is often used as the second factor in MFA. The most popular option is a passcode sent to your phone or email.

3- Something you are: This is something specific to the person’s identity. Examples include thumbprint or facial recognition.

According to a 2023 report, 40% of breaches were attributed to authentication. And while security departments are hard at work strengthening authentication by deploying strong authentication systems and mandating MFA, the use of passwords continues to create huge problems. It’s extremely hard to balance security with user experience, and the issue of managing passwords is central to that discussion.

As we look into the future it becomes obvious that we must strive to achieve strong security along with an optimal user experience, hence the promise of Passwordless Authentication. Passwordless Authentication is no longer just an idea: many organizations are taking an interest in the technology and concept, and some are already in the process of implementing it.

Here is a list of alternative methods that are available for a Passwordless implementation:

Something You Have:

  • Physical Devices:

      ◦ Smart Cards: These have been widely used when entering an office building. Example: CAC cards have been used for some time by Defense organizations.

      ◦ USB / Physical Keys: Something that you carry and can plug into a USB port.

  • Authenticator App: Offered by many companies, including Apple, Google, Duo, Symantec and many more.

  • Certificate-based authentication: This has been used broadly in the past when authenticating agentless devices. It can be extended to users.

  • Software token or URL link: Either can be used and sent via email.

Something You Are:

  • Fingerprint / thumbprint: This option is now widely available on devices, especially Macs and some PCs.

  • Facial Recognition: Most cell phones use this option today.

  • Eye / Retina Scan: Mostly used to authenticate to critical systems.

  • Voice: Often used to validate identity when talking to someone over the phone (although with AI and deepfakes there is a concern of compromise).
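To make the “Authenticator App” and “Software token” entries above concrete, here is an added example (not code from the original post or from Calpean) of how a time-based software token works under the hood: the device and the server share a secret at enrollment, and each 30-second window yields a one-time code derived from an HMAC over the current time step (TOTP, RFC 6238, built on HOTP, RFC 4226). The server side shown here also accepts one step of clock drift in either direction and refuses to accept the same step twice, which is the replay protection a verifier needs. The shared secret is the published RFC 6238 test-vector secret, used only so the output matches known values; real secrets are generated per user at enrollment.

```python
"""Time-based one-time password (TOTP, RFC 6238) on top of HOTP (RFC 4226),
using only the Python standard library.

Added example for this post, not the original article's or Calpean's code.
The secret below is the RFC 6238 Appendix B test-vector secret (SHA-1), so the
codes produced match the published vectors."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step X from RFC 6238
DIGITS = 8          # the RFC test vectors use 8 digits; most apps use 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for one counter value (RFC 4226 dynamic truncation)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None) -> str:
    """TOTP value: HOTP over the current time step (T = unix_time // 30)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side verifier: tolerates +/- `window` steps of clock drift and
    never accepts a step at or before the last accepted one (replay guard)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        current_step = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current_step + delta
            if step <= self.last_accepted_step:
                continue                                   # already used: refuse replay
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                       # RFC 6238 test secret
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(secret, t))
    verifier = TotpVerifier(secret)
    code = totp(secret, 1111111109)                        # generated on the device
    print("first use (2 s later, within drift window):", verifier.verify(code, 1111111111))
    print("same code replayed:", verifier.verify(code, 1111111111))
```

The design point for a defender is that the verifier stores only the shared secret and the last accepted time step; the `compare_digest` call avoids leaking which digits matched through timing, and the `last_accepted_step` check is what turns an intercepted code into a one-shot value rather than something that can be reused inside the same window.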

Although Passwordless authentication may improve security, its biggest impact is on reducing security complexity by drastically improving the user experience during authentication.

For more information on how to implement Passwordless authentication, please contact Calpean.com.