Passwordless Authentication: A Complete Guide [2022]
by Alex Brown
Passwordless authentication refers to any identity verification method that doesn’t use a password. Examples of passwordless authentication include physical security keys, authenticator apps, email magic links and biometrics. Passwordless authentication solutions vary in features, but they all enable users to log in without creating or memorizing a static password. Going passwordless means eliminating passwords from the login process to increase security and reduce friction for a better user experience.
Passwordless authentication can be used across various industries and use cases. For example, companies can issue physical security keys to authenticate employees and secure access to internal assets. Customers can use their fingerprints to confirm a purchase on their mobile devices. Users who forget their passwords might use an email magic link to log in.
Passwordless authentication isn’t limited to these methods or use cases, though. It includes a wide range of implementations with varying feature sets and advantages, all of which dwarf the inherent vulnerabilities of passwords.
Why are passwords weak in authentication?
Password-based authentication is inherently vulnerable to attacks that target the weakest link in the security chain: the user. Humans will ultimately make a mistake with their passwords, either using the same credentials multiple times across many services or not making them strong enough. In a phishing attempt, they might even hand over their passwords unwittingly. According to Verizon, more than 60% of breaches involve compromised credentials, and even more are the result of the “human element” — careless security practices, accidental disclosure of passwords or outright theft of login combinations.
Passwords alone are often recognized as the “old way” of doing things, with multiple additions created to make them less vulnerable. Multi-factor authentication (MFA), like one-time passcodes (OTPs), is often used adjunctively with passwords to address the issues credential-based authentication creates. Of course, these bolt-on efforts only complicate things further and create extra steps for customers who are forced to use passwords in the first place. Passwordless authentication is an attempt to solve the problems that passwords present.
Not all passwordless authentication methods are equally effective
Although passwordless authentication has been around for decades, emerging methods still continue to innovate and alter the identity industry’s landscape. For example, as TPM (Trusted Platform Module) requirements become more common, achieving certificate-based authentication on a vast range of platforms is possible with minimal user prompting.
However, opinions vary on whether all the methods vendors describe as “passwordless” are truly what they claim to be. For instance, some solutions that offer biometric authentication simply bolt it onto a password-based architecture that doesn’t incorporate FIDO2 standards — which, unfortunately, leaves that data vulnerable to hackers who can intercept it or target credential stores.
The industry consensus is that these three methods are categorically passwordless:
The second tier of passwordless authentication methods isn’t necessarily wrong; however, it is arguably not completely passwordless. The three methods are:
Why would someone argue that OTPs, email magic links and authenticator apps are not genuinely passwordless? As long as most email providers require only a password, verification that involves an email account can’t be completely passwordless. Because of this, email OTPs fall prey to the fact that they’re a pseudo-password gated by another, weaker password. OTPs via SMS are even less secure because they are vulnerable to smishing, man-in-the-middle and SIM swap attacks in which a hacker will divert text messages to their own device.
The same is true for magic links. Anyone with access to the email account in question can use the link. While they are incredibly convenient, they still invite passwords to part of the process.
Authenticator apps that generate constantly changing OTPs or use other PIN-based methods are certainly more secure than relying on email account security, but they aren’t truly passwordless. An authenticator app is only as secure as the device it’s running on. There are many ways to defeat a device’s security: malware, man-in-the-middle attacks and outright theft are all options that a hacker could take. Since there’s nothing intrinsic linking the account to the user, targeting the device that holds the authenticator is all that’s required.
How does true passwordless login work?
Passwordless authentication uses strong authentication and never shares any secrets, so everything relating to a user’s identity remains private. For this to happen, the system must use pairs of cryptographic keys.
A key pair is generated when a user registers a new account. The user holds a private key, and it never leaves their device. Anyone can hold the corresponding public key. The pair required for logging in to a specific account will include the same public and private keys.
Users activate their private key by completing a challenge, such as a face or a fingerprint scan, whenever they want to log in. Once their key is activated, it signs the challenge issued by the service provider, which verifies the signature with the public key it holds. Then, they’re granted access.
Passwordless login: a step-by-step look
Let’s take a closer look at the flow of true passwordless login by breaking it down. First, let’s talk about how the factors of authentication work and what traditional, single-factor authentication looks like.
There are three authentication factors, and you can mix factors for added trust. These factors are knowledge (something I know), possession (something I have), and inherency (something I am). When more than one of these factors is used, it’s called multi-factor authentication or MFA. Here are a few examples of each factor of authentication:
Possession: a hard token, USB key or mobile device with an authenticator app
Knowledge: a password, PIN or answer to a challenge question
Inherency: facial recognition, fingerprint or other biometrics
Most single-factor authentication requires users to declare who they are (a username) and answer a knowledge-based challenge (a password). This low-security approach to authentication brings the burdens of security holes and a poor user experience.
However, the most critical thing to remember in single-factor, knowledge-based authentication is that the supposed “secret” is shared by both the user and the service provider. That means users have to trust their password with a company that may be vulnerable to cyber attacks — and may be unable to prevent that secret from getting out.
True passwordless means no username, no password and no identifiers passed between parties. With true passwordless login, the goal is to keep a user’s identifiers under their control. The best way to achieve that is with the FIDO standard, using public-key cryptography.
Unlike traditional MFA, which typically involves possession and knowledge factors, FIDO-based passwordless authentication links a user’s private key to a corresponding public key registered with the service. Users verify their identity with a biometric that unlocks the locally stored private key whenever they try to log in. When the service verifies the signed authentication challenge with the registered public key, they’re given instant access.
Let’s walk through it step by step using the flow chart below:
Registration
When users register for an app or service, a registration approval request is sent to their device. They confirm this request using their biometric reader.
A private key is generated for the user.
A corresponding public key is sent to the app or service.
The public key is registered. The only way to produce a challenge signature that verifies under that public key is with the matching private key.
Authentication
A challenge is generated and sent to their device when the user tries to log in.
The user approves the challenge by unlocking the private key with their biometric reader.
The challenge is signed using the private key.
The service verifies the signature with the registered public key, which proves the correct private key signed the challenge, and the user is logged in.
The most important thing to remember is that in true passwordless, a user’s private key is a buffer between them and the provider. Their biometrics and the private key never leave their device.
The benefits and advantages of passwordless authentication
Passwordless authentication is beneficial for many reasons, but the most significant impact is on customer experience and security. Benefits to different organizations can vary depending on their unique needs. For example, a sizeable customer-facing enterprise will reap the benefits of a better customer experience. Meanwhile, they’ll find it’s the only way to execute their zero-trust policy at scale when working with a FIDO2-certified passwordless solution.
Here’s a short list of what you can expect from implementing passwordless authentication:
A smoother and more convenient customer experience – Passwordless authentication is typically much easier to navigate and use for customers than passwords. They are no longer required to create and remember complex passwords. They’re also able to quickly authenticate and get back to shopping without the potential of getting locked out of their accounts. Our report found that consumers are 44% more likely to sign up for a service if they could use biometrics and 35% more likely if a no-password option was available.
Recovered revenue from reduced customer attrition – According to Mastercard, up to a third of customers will simply abandon their carts if they forget their passwords. If companies can reduce that margin by any amount, that’s revenue back in their pocket that they would have lost completely. Similarly, a more convenient identity experience will encourage customers to return thanks to its ease of use and mobile-friendliness.
Dramatically improved security that eliminates the threat vector of passwords – Unlike passwords, hackers can’t crack passwordless biometrics. They can’t steal the biometric information and trick a service into accepting it. Not only does the biometric data remain locally on a user’s device, but FIDO2-based solutions use cryptographic key pairs impenetrable to outsiders. Likewise, if a password is stolen from another account, it can’t be used in a “credential stuffing” attack in which fraudsters try out one login across many services.
Long-term savings from the lower total cost of ownership (TCO) and reduced infrastructure – Maintaining a password-based authentication system is expensive in terms of IT support and upkeep. It costs money to reset a user’s account, and it can also be a massive drain on resources to automate account recovery, staff call centers and maintain a support ticketing system. Large enterprises might spend millions yearly on password-related support, and the long-term savings of eliminating passwords may be in the tens of millions for sizable companies.
Significantly decreased complexity in the identity stack, making it easier to add and manage elements – One thing that often irks CISOs and IT departments is the complexity of increasing security on a password-based authentication system. As security requirements continue to evolve, many companies have been forced to adopt a bolt-on approach in which they add piecemeal elements to their identity stack. This usually results in a difficult-to-manage and unwieldy authentication system. Passwordless solutions simplify achieving MFA and meeting regulatory requirements, meaning fewer elements are needed to obtain far better results.
How passwordless biometric authentication works
Users unlock their private key by completing a challenge using device biometrics to log in. As soon as the key is unlocked, it signs the challenge, and the service provider verifies that signature with the public key it holds. At that point, the user gets access to the service.
Device biometrics refer to the biometric readers embedded in endpoint devices. There are two main types of readers available today: face readers and finger readers. Both include special hardware and sensors embedded in the device itself.
Face recognition in modern devices works by projecting and analyzing over 30,000 invisible dots to create a depth map of a user’s face while simultaneously capturing an infrared image. It then transforms the depth map and infrared image into a mathematical representation which is compared to the enrolled facial data.
Fingerprint scanning in modern devices uses advanced capacitive touch to capture high-resolution images of your fingerprint. The sensor reads fingerprints in 360 degrees of orientation, analyzes the subepidermal layers of the skin, and categorizes each fingerprint into arch, loop or whorl categories.
It then maps individual details of fingerprint ridges, including variations like pores, and compiles all the data. The reader then uses this data to match and recognize fingerprints. The technologies behind fingerprint scanning and face recognition make them the most accurate authentication technologies today, with extremely high accuracy.
Many passwordless solutions rely on the FIDO2 (Fast Identity Online) standard, a combination of WebAuthn and CTAP (Client to Authenticator Protocol). FIDO2 uses pairs of cryptographic keys — public and private keys — instead of transmitting the data used to authenticate.
If you use a FIDO2-based solution to log in with biometrics, your fingerprint or face scan never leaves your device. A biometric match unlocks your private key, which signs the challenge for verification against the registered public key. The recipient doesn’t even know what method you used to unlock the private key, only that it was used to sign the challenge.
Passwordless biometric authentication is highly secure, and when supported by the FIDO2 strong authentication standard, users’ private data is never transmitted, shared or stored in a database.
Is passwordless biometric authentication safe?
We’re often asked if biometric authentication is that secure. It’s not only highly secure, it’s better than virtually any other authentication method available. But how much more secure is biometric authentication than passwords?
First, let’s talk about how vulnerable passwords really are. The reality is that many hackers are not coding whizzes. They’re con artists, or perhaps they discovered some particularly effective malware toolkit with easy-to-follow instructions.
Hackers rarely “hack” passwords and usernames using complex scripts or machine language. Instead, they steal credentials by phishing, social engineering or intercepting a user’s input. It’s far easier for a criminal to rob someone standing at the ATM than to pry the machine itself open.
Most so-called “hackers” aren’t executing complex attacks on reinforced databases — they’re walking in through the front door. Passwords are the most frequently targeted vector by fraudsters, and eliminating them gives them nothing to steal, manipulate or intercept.
Compare that to biometric authentication, which to date has not been defeated in the wild. Even in the laboratory, researchers have only been able to defeat facial recognition under impossible-to-replicate conditions. Biometric authentication is both very secure and worlds apart from passwords.
Passwordless authentication vs. MFA
Multi-factor authentication, or MFA, is a term used to describe authentication that requires two or more factors. This includes a password and a one-time passcode generated by an authenticator app, sent by SMS, or received via email in the most common applications. MFA is just a way of describing how many factors are involved in verifying a user’s identity. For example, a mobile device that unlocks using a fingerprint is only single-factor, but it’s still technically passwordless. It’s also still more secure than just using a password.
Is passwordless authentication MFA?
What can confuse some when it comes to passwordless MFA is where the second factor comes into play. If the authenticator service uses the FIDO2 standard, it’s the possession of the private key on the device itself. In simplest terms, FIDO2 uses the private key to ensure that the correct device is used in combination with biometric authentication. Read further on FIDO2 passwordless authentication, or learn what MFA is.
How do you implement passwordless authentication?
Only Transmit Security provides passwordless authentication and omnichannel identity portability while protecting user privacy. As the first truly passwordless and app-less password alternative, our cloud-native service creates a frictionless identity experience without the need for complex changes at the web and application levels.
The most compelling aspect is that our developer-friendly passwordless service takes only days to integrate into all your channels. With ultra-fast implementation thanks to OpenID Connect standards, production can begin within weeks and with as little as one developer.
Compare this to the more typical identity management transformation programs, which can take months and sometimes years. For organizations looking to quickly deploy a passwordless, strong biometric solution for their customers, now is the perfect time to make the switch and quickly recoup lost revenue.
Solving the Password Problem Easily
Passwordless authentication and passwordless logins are quickly emerging as the most convenient and secure options available. It represents a dramatic leap forward in the industry that both improves the customer experience and provides an ironclad layer of privacy and security.
A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.