Knowledge is power, right? Well, yes – except when it comes to access and authentication. That’s because knowledge-based factors, in the form of passwords, are making organizations less powerful, and more vulnerable. As a result, many are looking toward a future beyond passwords.
You may have seen the Forrester report estimating that 80% of security breaches involved privileged credentials. Another password-related threat vector, phishing, features in 34% of all complaints reported in the FBI’s Internet Crime Report 2023. In early 2024 “The Mother of all Breaches” contained 26 billion leaked records, many containing usernames and passwords.
The solution is to move away from asking users to authenticate using what they know (password), and toward something they have, or is part of their unique identity. By adopting a passwordless approach to authentication, organizations treat the cause (instead of the symptoms) by removing passwords from the landscape completely.
The problems with passwords
According to Deloitte, ‘an individual user, on average, has 22 accounts and reuses passwords for 16 of them.’ In the event of one of those 16 passwords being cracked, that’s potential unauthorized access to a further 15 applications.
Have you ever sat down and counted all the accounts you have at home? How many you've created, used and forgotten about? Ask yourself, how many accounts do you have today? Probably more than 22. Now imagine dealing with that at scale.
A simple credential-stuffing script means criminals can use these passwords across multiple portals, to uncover routes at scale. The answer is to remove this ability at the source – and that’s where passwordless authentication enters the chat.
Understanding passwordless authentication
Passwordless security is about users proving who they are, rather than just giving a password that says who they are. Some of the ways organizations are implementing the technology include:
- Biometric authentication: Users present their fingerprint, voice, facial ID, eye or other unique physical characteristic. Behaviors – which are hard for AI spoofers to mimic – can also be included, such as the way someone types or moves. Biometric data can be stored locally on the device, limiting the potential attack surface.
- Hardware-based: Users produce something they own or carry. For example, a security key, pass or fob. These offer support for multiple security protocols, for easier scalability with security.
- One-time passcodes: These can be connected to a registered mobile phone number or email address. Users can login after receiving the code, or a clickable ‘magic link’ URL.
Security posture can be further hardened by using digital certificates, as part of Public Key Infrastructure (PKI).
PKI: The foundation for secure authentication
PKI provides the foundation for securely authenticating all users – also known as ‘subscribers’, to include entities, applications or systems executing – on a network.
Trusted third-party Certificate Authorities issue digital certificates, providing trust and integrity for encrypted exchanges between subscribers. PKI servers check the certificate that’s issued, the information about the public key, certificate owner and the certificate issuer. If the certificate’s authenticity is trusted, access is granted.
PKI uses public key cryptography to encrypt. These can only be decrypted by a corresponding private key, controlled by the intended recipient.
Imagine a customer uses facial ID to access their online bank account app. Their face acts as a unique private key, that only they own. The bank’s app login is a public key, like a padlock. When there’s a match between public and private keys, the user is authenticated and can login to view their account.
Of course, different users also need levels of secure access with different credentials. Here’s where tokens and single sign-on (SSO) come in.
Tokens and single sign-on
Tokens allow organizations to manage access to users without using passwords. This could be for a single session or transaction, used once and then made invalid. Tokens can be issued to the user’s device, or in physical form, such as a USB. There are also OAuth 2.0 tokens, for authorizing access to resources, often for a limited time or with limited permissions.
For users, a similarly seamless experience is possible with SSO. Where a single set of login credentials can give access to different applications, based on their permissions. This makes it easier for users, and also boosts productivity by allowing them to login straightaway. The centralized authentication of SSO makes it common for enterprise systems such as Microsoft Entra.
SSO also helps with compliance, with the restrictions on access a key part of complying with regulations such as Sarbanes Oxley (SOX). In particular, Section 404, which states organizations must ‘state the responsibility of management for establishing and maintaining an adequate internal control structure.’ IT teams can use SSO to control access, identities and devices – creating a fully auditable governance solution.
GDPR Recital 49 requires similar evidence-based limiting, for ‘preventing unauthorized access to electronic communications networks’. Microsoft Entra offers multiple SSO-based options to support compliance, from federation-based and cloud with OAuth, SAML, OpenID Connect, through to on-premises and password-based methods.
Allowing access while ensuring security is a careful balancing act, especially when certain accounts have higher privileges, and offer malicious actors more potential to cause harm if breached with privilege escalation.
This has implications for legislation such as the HIPAA Minimum Necessary Standard, where organizations must act to limit sharing of Protected Health Information. Data privacy regulations in general are evolving, with 75% of the global population predicted to have personal data covered under privacy regulations by the end of 2024.
These trends underscore why many businesses are looking to privileged access management (PAM) as a way to manage and secure passwords and access.
Passwords in privileged access management
PAM offers a way to limit exposure with strong authentication. You can assign privileges to roles, and then employees automatically gain the necessary access.
Any requests are logged automatically, creating an audit trail. This can be used to support data governance, and provide evidence of compliance with the likes of PCI DSS, and requirements that include to ‘track and monitor all access to network resources’.
This is business-critical when you consider legacy systems – along with password authentication – remain a big part of the financial industry landscape. For example, COBOL, a programming language developed in the 1950s, is estimated to be used in ‘more than 43% of international banking systems.’
Advantages of passwordless authentication
Coupled with single sign-on, users don’t have to think about how to stay secure. That’s where passwordless comes into its own. Because no matter how careful you are with a password, you have to remember to be secure all the time. Whereas a threat actor only needs you to forget once for them to have an opportunity.
With passwordless, there’s no opportunity because there’s no password to steal. There’s just a better user experience. After all, using your fingerprint, phone or hardware key is a lot easier than remembering a username and password.
What’s more, by incorporating biometric elements, security can be based on unique physical characteristics. This ease-of-use is essential when it comes to introducing passwordless authentication to the business environment.
Implementing passwordless authentication
Passwords have appeared everywhere from ancient religious texts to Shakespeare’s Hamlet. So, it’s natural to expect some resistance to behavioral change.
However, passwordless authentication is becoming more accepted at a consumer level, driven in part by widening use of innovations such as Apple ID and Microsoft Authenticator. And also with consumer-level laptops, with more offering embedded fingerprint readers, plus similarly user-friendly biometric authentication methods.
Passwordless-related education will also support adoption and help reduce privacy concerns. For example, explaining that biometric data is stored only on a user’s device, and not uploaded to the employer’s database.
Naturally, there will be times when users are locked out. If they’re unable to reset a password in the way they’re familiar with, organizations need a solid recovery plan. It may be a case of balancing risks between different password-based recovery methods, from email resets to OTPs, to ensure users stay motivated and empowered.
There may also be legacy apps where passwords must be retained, forcing organizations to choose a more hybrid approach as they embrace a passwordless future. The challenge will be to manage both realities, in a constantly evolving threat landscape.
Future trends and considerations for passwordless authentication
The advent of SIM swapping can offer attackers a way around multi-factor authentication (MFA) by receiving OTPs to gain unauthorized access. Voice cloning with AI is another threat to voice-based authentication.
These emerging threats are why an advanced form of MFA is now needed. One that includes the use of biometrics and third-party authenticators, making logins passwordless.
Advances such as Fast IDentity Online (FIDO2) and WebAuthn go some way to mitigate the impact and help organizations keep their security responses dynamic and granular. These go beyond passwords and two-factor authentication, using public key cryptography to generate a private key and a public key, and complementing PKI. Protocols are open and standardized for widespread adoption, with extra support coming from global companies including Microsoft, Amazon, Apple, Visa and Google.
Toward a secure, accessible, passwordless future
Passwordless authentication is a win-win for businesses and users. Security is enhanced and future-proofed. There are the cost savings (dealing with password problems costs businesses $480 per year of productivity). Passwordless authentication helps support compliance with regulations and restricting access. Customers and users enjoy fast and convenient experiences when accessing what they need.
Passwords have served businesses well, from a time when there were fewer applications and less value contained within data. However, the value – plus volume, variety and velocity – of modern electronic information will only continue to grow, meaning a secure-by-design approach is needed. Passwordless authentication offers businesses a way to stay secure in this new reality, delivering more protection with less friction, and ultimately a better experience for all.
