Passwordless authentication refers to any sign-in process that lets a user access their account without a password. Users are often required to verify their identity with a more secure authentication factor instead.
All passwordless authentication methods, including multi-factor authentication (MFA) and single sign-on (SSO) solutions, work from a simple premise – that regular passwords alone aren’t secure enough to protect digital identities.
Types of authentication
Instead of a password, passwordless authentication requires users to verify their identity with factors that are harder to copy or steal. These can include:
1. Knowledge – something a user knows
- Password or PIN (these can also be possessions)
- Answer to a security question
2. Possession – something a user has
- One-time passwords (e.g., email links, SMS codes, push notifications, authenticator apps)
- Physical security keys like access badges and USB devices
- Software tokens and certificates
3. Inherence – something a user is
- Fingerprints
- Voice recognition
- Facial recognition
- Other types of biometric authentication
- Time, location, and behavior
The problem with password security
Though many websites and applications still require them, passwords are not very secure. They offer no way to verify someone’s true identity, and they can be used and abused by anyone, anywhere, to gain unauthorized access to an account.
As the number of networks, platforms, applications, and services that people use grows longer, so does the list of credentials they have to remember. The sheer scale and variety of these credentials can already cause blind spots in terms of security, but the real problems arise when people try and find shortcuts around it, like writing down and reusing passwords, or setting up weak ones to begin with – all of which makes them easy pickings for attackers.
Some common password attacks include:
- Credential stuffing – an automated attack where stolen username and password combinations are repeatedly entered into website authentication forms to try and gain unauthorized access to accounts.
- Brute force – a trial-and-error attack where multiple common password combinations are used against an account with the hope of one eventually working.
- Password spraying – a form of brute force attack where attackers use a set of common passwords against multiple accounts to gain access to any that they can.
- Phishing – a social engineering technique where attackers trick people into revealing sensitive information like passwords or installing malware – often via an email or website link.
- Keylogging – using malware or hardware, attackers secretly record a user’s keystrokes to discover their password and other confidential data.
The benefits of passwordless authentication
By allowing quick and secure access to online services, passwordless authentication makes life easier for users, IT teams, and organizations when managing their work across multiple on-site, hybrid, and cloud environments. Some of its main benefits include:
Improved user experience: Rather than trawling through a list of credentials for each service they need, passwordless authentication allows users to log in quickly and securely, often with just one identity. This simplifies the sign-in process and creates a smoother user experience overall.
Better security: Passwordless authentication methods often use public/private cryptographic key pairing, which is highly resistant to phishing attacks, and they can’t be forgotten like regular passwords. These authentication factors are also often limited by time, location, device, or body, so even if an attacker manages to steal one, they’re unlikely to be able to sign in at the same time.
Centralized management: Passwordless authentication methods make it easy for IT teams to monitor and control identity security from one place. They also scale in line with complex modern networks, reduce the costs of typical password management (including password resets, support requests, and security infrastructure), and help organizations comply with data privacy and cybersecurity regulations.
