What is passwordless authentication?
Passwordless authentication is a method of verifying a user’s identity without requiring a traditional password. Instead, users verify their identity through other means such as biometrics, passkeys, magic links or One-Time Passwords (OTPs).
How does passwordless authentication work?
Rather than relying on something the user “knows,” like a password, passwordless authentication relies on something the user “has” or something the user “is.” When a user logs into an account that uses passwordless authentication, they first enter their username or email address. They are then prompted for a possession factor, such as a hardware security key, a passkey stored on their device, or a magic link sent to an inbox or device that only they control. If the authentication method relies on something they are, they present a biometric instead: a facial, iris or fingerprint scan, or voice recognition.
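The magic-link flow described above, as an added example that is not code from the original page: the server issues a high-entropy, single-use token, stores only its hash with an expiry, and redeems it exactly once. The in-memory store, the 15-minute lifetime and the `example.invalid` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store for the example: token_hash -> record.
# A real deployment would persist this in a database.
TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of a login link
_pending: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Store only a hash, so a leaked table does not hand out live login links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use login link for `email` and return the URL to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = {
        "email": email.lower(),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # Hypothetical application URL; the token is the only secret in it.
    return f"https://example.invalid/login/verify?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is unknown, expired or already used."""
    now = time.time() if now is None else now
    digest = _hash_token(token)
    # Compare against every stored hash in constant time rather than short-circuiting
    # on the first mismatch, so response timing does not reveal partial matches.
    match = None
    for stored in _pending:
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        return None
    entry = _pending[match]
    if entry["used"] or now > entry["expires_at"]:
        return None
    entry["used"] = True  # single use: burn the link on first redemption
    return entry["email"]


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")
    tok = link.split("token=")[1]
    print("first redemption:", redeem_magic_link(tok))
    print("replay:", redeem_magic_link(tok))
```

The link proves possession of the inbox or device it was delivered to; the security of the flow therefore rests on the token being unguessable, short-lived and unusable twice, which is what the three checks in `redeem_magic_link` enforce.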
Types of passwordless authentication
Passwordless authentication can be divided into two categories: possession and inherence factors.
Possession factors
The possession authentication factor relies on something the user has. Hardware security keys are the clearest example: they are physical devices (USB, NFC or Bluetooth) that only the user holds. Other passwordless methods in this category include magic links (which prove control of an email inbox or phone), passkeys (a private key held on the user’s device) and Time-based One-Time Passwords (TOTPs), which are derived from a seed stored on the user’s device.
Inherence factors
The inherence authentication factor is based on the physical characteristics of a user. Inherence factors include any type of biometric, such as a fingerprint, facial recognition or a retina scan.
Is passwordless authentication safe?
Passwordless authentication is more secure than password-based authentication because there is no reusable, user-chosen secret to guess or replay, so common password attacks such as credential stuffing and brute force do not apply. The methods are not all equal, however: passkeys and hardware security keys are phishing-resistant because the credential is bound to the site’s origin and never leaves the device, whereas a one-time password or magic link is a short-lived bearer secret that a phishing site can still relay to the real service during a live session.
Traditional password-based authentication uses knowledge as its factor, and “something you know” is also something someone else can find out, through phishing, a breached database or reuse across sites, and then use against you or your organization. Passwordless systems remove that knowledge factor from the login path altogether.
Advantages of passwordless authentication
Here are two advantages to using passwordless authentication.
Increases security
Since passwordless authentication does not depend on a user-chosen secret, it removes the threat posed by weak or reused credentials and the class of attacks that target stored passwords. This both reduces an organization’s attack surface and strengthens its overall security.
Improves user experience
With so many passwords, it can be difficult to remember them all, which often leads to password resets. These resets are not only costly for organizations but they can also lead to loss in productivity. Implementing passwordless authentication reduces password-related IT support costs and increases productivity, all while providing a frictionless login experience for users.
Passwordless authentication disadvantages
One major disadvantage of implementing passwordless authentication is cost, since an organization may need to buy additional hardware (such as security keys) and software to support it. Even so, the Return on Investment (ROI) is typically high, because the spend mitigates the risk of a successful cyber attack that could cause significant financial losses and a tarnished reputation.