Not only do people dislike using passwords, but there is consensus in the identity and access management space that passwords are not a secure way to protect data. Look at this year's Verizon Data Breach Investigations Report, which found that 32 percent of the nearly 42,000 security incidents it covers involved phishing and 29 percent involved stolen credentials. And that's on top of the countless times we've been told to change our passwords because they were exposed in a breach. It's clear that an authentication method that doesn't involve passwords is needed.
But there's confusion around what to call this method. Two terms are being used more and more frequently: passwordfree and passwordless authentication. Both imply that no password is used, and they are sometimes used interchangeably, but key technical differences set them apart. Being able to distinguish between the two is essential if organizations want to reap the full benefits of passwordless authentication, especially around security.
Passwordfree authentication provides a convenient way to authenticate, but it doesn't remove the security risks associated with passwords. With passwordfree authentication, a person may use a fingerprint instead of a password to access an account, giving the appearance that no password is involved. But the password is still there behind the scenes. The fingerprint confirms the person's identity and unlocks the password, which is stored on the device, in a web browser or in a password manager such as OneLogin or Apple Keychain; the stored password is then submitted to the service exactly as if the user had typed it. The service still stores and checks that password, so it can still be phished, leaked or reused. Passwordfree authentication just replays a password.
Here's an everyday illustration of passwordfree authentication. Think about how people access their bank's mobile app. They most likely touch the phone's fingerprint sensor instead of entering a password. But to access that same account from their laptop's browser, they head to the bank's website and type in their password. If a person can type in a password, so can an attacker who obtains it. By not eliminating the password, passwordfree authentication falls short of protecting companies.
Passwordless authentication eliminates the password from the authentication process. Users are never asked to create a password or enter one; with true passwordless authentication there isn't even a field to type one into. Instead, another form of authentication such as a biometric is used to validate the person's identity, and the device proves that identity to the service cryptographically: the biometric unlocks a private key that never leaves the device, the service holds only the matching public key, and a login is a signature over a fresh challenge from that service (this is how FIDO2/WebAuthn credentials work). This approach increases security by removing the risks associated with passwords. There is no password to phish, and a stolen copy of the service's credential database contains only public keys, which can't be replayed, so password phishing and stolen passwords stop being threats when no password is used to authenticate.
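To make the difference between the two flows concrete, here is an added example in Go (written for this page, not code from the original post or from OneLogin) that models both against a look-alike phishing site. It uses ed25519 from the standard library as a stand-in for a FIDO2/WebAuthn credential; the origins, the sample password and the simplified "origin || challenge" signing format are assumptions for illustration, not any real service's protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Hypothetical origins used throughout the example.
const bankOrigin = "https://bank.example"
const phishOrigin = "https://bank-login.example" // attacker's look-alike site

// ---------- Passwordfree: a fingerprint in front of a stored password ----------

// passwordServer keeps a salted hash, so the password itself is the secret the user presents.
type passwordServer struct{ salt, hash []byte }

func hashPassword(salt []byte, password string) []byte {
	// SHA-256 keeps the example short; a real service would use Argon2 or bcrypt.
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func newPasswordServer(password string) *passwordServer {
	salt := make([]byte, 16)
	rand.Read(salt)
	return &passwordServer{salt: salt, hash: hashPassword(salt, password)}
}

func (s *passwordServer) login(password string) bool {
	return subtle.ConstantTimeCompare(hashPassword(s.salt, password), s.hash) == 1
}

// keychain models the device, browser or password manager holding the password.
// The fingerprint only unlocks it; what comes out is the same replayable secret.
type keychain struct{ password string }

func (k keychain) release(fingerprintOK bool) (string, bool) {
	if !fingerprintOK {
		return "", false
	}
	return k.password, true
}

// PasswordfreeReplay: the user "logs in with a fingerprint" on the look-alike site,
// the site receives the real password and replays it to the real bank. Returns true
// when the attacker's replay is accepted.
func PasswordfreeReplay() bool {
	const pw = "correct horse battery staple" // constructed sample password
	bank := newPasswordServer(pw)
	phone := keychain{password: pw}
	captured, ok := phone.release(true) // nothing binds the released password to an origin
	return ok && bank.login(captured)
}

// ---------- Passwordless: the fingerprint unlocks a per-origin private key ----------

// passkeyServer stores only a public key; nothing in its database lets anyone log in.
type passkeyServer struct {
	origin string
	pub    ed25519.PublicKey
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedData binds the challenge to the origin the client actually talked to.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// verify only ever accepts a signature over the server's own origin and challenge.
func (s *passkeyServer) verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.pub, signedData(s.origin, challenge), sig)
}

// authenticator is the device: one key pair per registered origin, used only after the
// fingerprint check, and the private key never leaves it.
type authenticator struct{ keys map[string]ed25519.PrivateKey }

func (a *authenticator) register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[origin] = priv
	return pub
}

func (a *authenticator) sign(origin string, challenge []byte, fingerprintOK bool) ([]byte, bool) {
	priv, known := a.keys[origin]
	if !fingerprintOK || !known {
		return nil, false // user did not consent, or no credential exists for this origin
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}

// PasswordlessPhishingFails: the look-alike site relays the bank's real challenge. The
// device has no key for that origin, and even if it did the signature would be bound to
// the wrong origin, so the bank rejects it. Returns true when every attempt is rejected.
func PasswordlessPhishingFails() bool {
	device := &authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := &passkeyServer{origin: bankOrigin, pub: device.register(bankOrigin)}
	challenge := newChallenge() // issued by the bank, relayed by the phishing page
	if _, ok := device.sign(phishOrigin, challenge, true); ok {
		return false
	}
	device.keys[phishOrigin] = device.keys[bankOrigin] // worst case: same key reused for the look-alike
	sig, _ := device.sign(phishOrigin, challenge, true)
	return !bank.verify(challenge, sig)
}

// LegitimatePasswordlessLogin shows the honest path is still accepted.
func LegitimatePasswordlessLogin() bool {
	device := &authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := &passkeyServer{origin: bankOrigin, pub: device.register(bankOrigin)}
	challenge := newChallenge()
	sig, ok := device.sign(bankOrigin, challenge, true)
	return ok && bank.verify(challenge, sig)
}

func main() {
	fmt.Println("passwordfree: phished password replays successfully:", PasswordfreeReplay())
	fmt.Println("passwordless: phishing attempt rejected:", PasswordlessPhishingFails())
	fmt.Println("passwordless: legitimate login accepted:", LegitimatePasswordlessLogin())
}
```

The two halves differ in exactly one place that matters: the passwordfree server checks a secret the user hands over, so whoever receives that secret can present it again, while the passwordless server checks a signature over its own origin and its own fresh challenge, so the attacker has nothing to replay and a stolen server database holds only public keys.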
Users also win when they can use something besides a password to authenticate. For employees, passwordless authentication means no longer having to remember passwords or create complicated new ones at frequent intervals to comply with password management policies. Employee productivity also increases. Instead of wasting time trying to remember a password or, even worse, waiting for IT to let them back into a locked account, employees can focus on their jobs. Meanwhile, IT professionals can work on more important tasks instead of resetting passwords.
For consumers, passwordless authentication meets the expectations set by consumer technology, which is the standard they use to judge all technology. When they authenticate, consumers expect the same convenient and fast experience their smartphones provide, and entering a password doesn't offer it. Letting consumers authenticate without passwords will only become more important as banks and payment providers work out how to comply with the strong customer authentication requirements of PSD2. In fact, passwordless authentication may become what distinguishes an organization from its competitors and helps it attract new customers and retain existing ones.
Getting rid of passwords can improve security, lower password management costs and provide a better user experience. But those things are only possible if organizations truly eliminate passwords with passwordless authentication.
This blog previously appeared in Finextra.