Cutting through the hype on true passwordless authentication
Fred O'Connor | October 3, 2019
There’s a lot of vendor hype around authenticating without passwords. But many aren’t offering true passwordless authentication. Instead, they’re selling what can be called passwordfree authentication. What’s the difference? One emphasizes user convenience over security and the other truly eliminates passwords from authentication. Here’s a technical perspective from Veridium Chief Product Officer John Spencer.
Passwordfree authentication: Adding convenience but not security
Passwordfree authentication doesn’t remove passwords and PINs from the authentication process. A person may use a biometric to authenticate instead of entering a password or PIN, but neither one is eliminated. They’re just stored some place, most likely on the device, in the cloud or in a password management tool. This approach offers a better user experience but doesn’t reduce the risks associated with using passwords and PINs.
“From a user’s perspective, this method is passwordfree since you don’t have to type in a password. But on the back end, there’s still the ability to type in a password,” Spencer said.
Consider how people access their bank account with a mobile app. Instead of entering a password or PIN, they likely use their biometrics by touching a fingerprint sensor. But that’s password replay: your fingerprint confirms your identity and then replays your stored password, letting you into your account. If you’re using an iPhone, for example, the app’s password is saved in Apple’s Keychain along with your other passwords.
“Password replay is not passwordless authentication,” Spencer said.
To access your bank account from a laptop, you’d use a browser and type in your user name and password since using a biometric isn’t an option. But if a password is still involved in the authentication process, attackers can use it for malicious purposes.
“I can go to your account on a laptop browser and use your credentials to enter your account since they can still be used to authenticate,” he said.
What is passwordless authentication
Passwordless authentication completely removes the password from the authentication process. A person never creates a password when they set up an account and never enters a password to access that account.
“Genuine passwordless authentication doesn’t replay passwords in any way. When you go to a website and you’re challenged to log in, there’s no option to put a password in,” Spencer said.
By getting rid of passwords, the security risks associated with them are eliminated, which explains why more enterprises are going passwordless. Phishing attacks lose their potency if there aren’t any credentials to con out of employees. And if there aren’t passwords to steal, threat actors can’t use them to infiltrate companies.
To take full advantage of passwordless authentication’s security benefits, organizations need to eliminate all opportunities to use password authentication. This includes using a password to log in with a browser, for example.
“Just enabling passwordless authentication isn’t enough. Organizations need to close the other doors that were previously exposed by asking a person for their user name and password. You want to make it impossible to use a password in any situation,” Spencer said.
How to adopt true passwordless security
Going passwordless starts with never relying on passwords for authentication. Your employees, customers or users never create one and never have the option of typing one in. Instead, mobile devices like smartphones are linked to an account and people use a biometric like a fingerprint to access that account. Biometrics, when stored properly, are extremely difficult to spoof and use in presentation attacks. Passwordless authentication with biometrics offers a safe and secure way to protect data while providing people with a convenient way to access that data.
Here’s a guide to quickly spot the differences between passwordfree and passwordless authentication.
Passwordfree authentication
— Doesn’t really eliminate passwords.
— Stores passwords on a device, in a browser or in a password management service or tool like OneLogin or Apple Keychain.
— Replays the password instead of removing it from the authentication process.
— Offers a convenient way to authenticate, but doesn’t eliminate the security risks linked to passwords.
— Allows password authentication via a Web browser.
Passwordless authentication
— Completely removes the password from the authentication process. People are never asked to create a password or enter one to log in.
— Uses something besides a password, such as a biometric, to validate a person’s identity and passes along a certificate to permit authentication.
— Eliminates the option to enter a password, including when people use their laptop’s browser.
— Increases security by eliminating the risks associated with passwords and improves the user experience.
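As an added illustration, not code from the article or from Veridium, the two models in this guide written out as a small Go program: the passwordfree server still holds a password verifier and accepts the replayed password from any client, while the passwordless server knows only a device public key and verifies a nonce signed after a local biometric check. The type and function names (PasswordfreeServer, PasswordlessServer, Device, Enroll) and the sample values are constructed, and the Ed25519 signature stands in for the certificate the guide mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// PasswordfreeServer keeps a password verifier (a plain hash here; a real service
// would use a slow KDF). The phone's fingerprint only unlocks the saved password
// and replays it, so anyone who knows the password gets in, browser included.
type PasswordfreeServer struct{ verifier [32]byte }

func NewPasswordfreeServer(password string) *PasswordfreeServer {
	return &PasswordfreeServer{sha256.Sum256([]byte(password))}
}

func (s *PasswordfreeServer) Login(password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], s.verifier[:]) == 1
}

// PasswordlessServer stores only the device's public key and has no method that
// accepts a password, so the browser "door" the article describes does not exist.
type PasswordlessServer struct{ pub ed25519.PublicKey }

// Device models the enrolled phone: the key never leaves it and signs only after a local biometric check.
type Device struct {
	priv          ed25519.PrivateKey
	FingerprintOK bool
}

func Enroll() (*Device, *PasswordlessServer) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // err is always nil with rand.Reader
	return &Device{priv: priv}, &PasswordlessServer{pub}
}

// Sign releases a signature over the server's nonce only when the biometric check passed.
func (d *Device) Sign(nonce []byte) ([]byte, bool) {
	if !d.FingerprintOK {
		return nil, false
	}
	return ed25519.Sign(d.priv, nonce), true
}

// Login verifies the signed nonce; the server issues a fresh nonce per attempt, so a captured signature is useless later.
func (s *PasswordlessServer) Login(nonce, sig []byte) bool {
	return ed25519.Verify(s.pub, nonce, sig)
}
```

A leaked password lets any client through PasswordfreeServer, whereas PasswordlessServer has nothing to leak that would satisfy Login without the enrolled device and its biometric gate.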