Passwordless authentication: the ultra-secure future of logging in?

1st February 2022

Passwords are a real hassle. From your average user’s perspective, you have numerous passwords to remember, many of which you’re forced to change every 30-90 days.

From an IT security perspective, passwords can be phished for, keylogged, and forgotten – headaches for any user, but a nightmare for your IT help desk!

What if we told you there was a new, passwordless frontier on the horizon? Well, it’s true! So, let’s get up to speed on passwordless authentication – an approach that our boffins believe is here to stay.

What is passwordless authentication?

Passwordless authentication refers to any method of verifying a user’s identity that doesn’t rely on a static password or any other kind of “knowledge-based secret”. Instead, passwordless authentication can use a number of different, far more secure, authentication factors.

To understand how passwordless authentication works, we first need to understand the concept of authentication.

What is authentication?

Authentication is basically any way of verifying your identity to a computer. Historically this has been achieved with a username and password-style login. It’s that password – the aforementioned “knowledge-based secret” – that acts as the authentication factor. The password tells the computer that “yes, this is the authentic user, access granted”.

But what happens when that password becomes… not so secret? If a password falls into the wrong hands and there are no other authentication measures protecting that account, then there’s nothing to stop an unauthorised party from selling the details on, or logging in and causing chaos. Viewed this way, passwords aren’t the pinnacle of security they were once considered. Thankfully, there are nowadays numerous other ways to tell a computer “yes, this is definitely me” without the flawed and phishable password system of yore.

Passwordless authentication factors

Though there are technically five different categories of authentication, passwordless authentication generally focuses on two:

  • Something the user has (an “ownership” factor), like a smartphone which can receive a notification or text; a hardware token like a key-fob authenticator; a pin pad like you may have for internet banking; or access to an email address.
  • Something inherent about the user (a “biometric” factor), like a fingerprint, iris scan, facial recognition, or voice recognition.

Some passwordless authentication tools may also incorporate elements of geolocation or time-based verification for added security.

How does passwordless authentication work?

Instead of using a password to prove that you’re you, you use an ownership factor (something you own) or a biometric factor (something inherent about you). In fact, you can even create a hyper-secure multi-factor authenticated environment that’s completely passwordless. Just pick two or more passwordless authentication factors and away you go!

The benefits of passwordless authentication

You may well be wondering “what’s so wrong with passwords?”. Though this may come as a shock, passwords are surprisingly insecure. They’ve served us well and were the best authentication solution we had for a long time. However, for a web that’s so riddled with cybercrime and security loopholes, it’s time to move on and retire them for good. Here are 5 reasons why.

Users don’t have to remember passwords anymore

Let’s get the obvious one out of the way first. When you don’t use passwords, users don’t have to remember them. This does away with the whole problem of lapses in memory, downtime from password reset requests, and the insecurity of poor password habits like writing passwords on a sticky note by your screen.

No passwords to lose or phish for

When the whole responsibility for authentication no longer rests on a single, rarely changing password, you no longer have to worry about passwords being stolen. Though some authentication methods will ask you to type in a dynamic, time-sensitive, single-use passcode, you’ll never have to rely on a static password that can be used repeatedly, regardless of time or place.

Brute-force and password “spraying” attacks (where a criminal tries password after password at a login screen in the hope that one of them actually works) are a thing of the past too. When there’s no password, there’s no password entry field; and no password entry field means there’s nothing to spray passwords at!

Fewer passwords mean fewer IT headaches

Though passwords are a pain for users, they can create massive, ongoing headaches for IT support teams. Gartner research on the matter is staggering: findings showed that 20-50% of help desk requests relate to password resets. This ties up help desk resources that could be solving deeper, more embedded IT issues or working towards strategic technical goals.

Bye bye bad password habits

Poor password etiquette can be the bane of many organisations’ existence. When users are asked to reset their passwords every couple of months, they sometimes get lazy – using the same password as before but suffixed with a “2” or something similar. This completely misses the point of regular password changes.

Though industry-leading password managers are incredibly secure and come very much recommended, we feel they’re just putting a plaster over the problem – a problem that’s totally solved by going passwordless.

Passwordless service providers don’t have to store passwords

When a service uses passwordless authentication, that service provider no longer has to store any user passwords. In the event that they do get hacked, there won’t be any passwords to steal, and therefore no working account credentials to potentially harvest and sell on.

However, depending on the way the service’s users authenticate themselves, there may still be a possibility that a hacker could retrieve a list of user email addresses (or whatever contact information is used to identify users at login). These details could be used as targets for spam, as part of an intelligence-gathering campaign, or (depending on what the service does) for blackmail.

A few words of caution

We believe that the world is on the precipice of a passwordless future. However, few things are ever totally black and white when it comes to new tech, so we do feel the need to offer a few gentle words of caution.

A single factor presents a single point of failure

Though passwordless is great, we must stress the importance of providing multiple authentication options wherever possible. When authentication hinges on the user’s access to a certain device, what happens when that device is lost, broken, or stolen?

Smartphones can be quite desirable items and relatively easy for thieves to make off with, so think carefully about making them – or indeed anything – your sole authentication factor. Think – what additional, non-password factors could be incorporated as a backup or used as an additional factor in a multi-factor authentication system?

Not all passwordless authentication is created equal

There are numerous ways to achieve passwordless authentication but they’re not all equally secure. For example, biometric authentication methods like a fingerprint or iris scan carry much more “verification power” than simply being emailed an automatic login link.

Choosing the right authentication factor(s) is a real balancing act, largely hinging on the sensitivity of the thing you’re trying to secure. There are some things where biometric authentication would probably be overkill, and there are some things where emailing a sign-in link would be miles below the level of security you need.

Additionally, it’s likely that dodgy services will crop up claiming to provide passwordless authentication, whose product is poor or which are really just a front to make money, steal your data, or both. Always research the brands you intend to use for sensitive matters like this and, if in doubt, seek input from experts like us!

Initial investment costs

There are likely to be some setup costs to going passwordless. You may need to invest in additional software licences (for WatchGuard AuthPoint, for example) or authentication hardware (like Yubico FIDO U2F keys). Even if you use the built-in fingerprint scanning capabilities of your organisation’s smartphones, you may need to upgrade your older devices to keep everyone’s fingerprinting capabilities on a par.

No business likes to spend money but we assure you that any outlay will most likely be repaid in significant gains to security and efficiency.

Retraining (and persuasion) will be required

We’re all so used to passwords at this point that there may be some retraining needed, especially around authentication apps, biometric scans, and authentication hardware. If you intend to use biometric authentication, you may need to allay some users’ fears about physically identifying information being stored in a shady database somewhere. However, when using our preferred solution, Microsoft Windows Hello for Business, your biometric data is fully encrypted and never leaves your device.

The world isn’t fully passwordless. Not yet

Say you wanted to go 100% passwordless tomorrow. It would certainly be a great decision, and one we can help you with (we may need to negotiate that deadline, though!).

However, not all providers have quite caught up yet, so it’s likely you will still need to use passwords to some extent until passwordless becomes the norm. You may be able to add multi-factor authentication steps to those logins to protect them in the meantime.

Naturally, providers like Microsoft and Apple are on top of things, but more specialist software providers may take longer. Give them time; they’ll come round.

What do the Just Cyber Security team recommend?

Of all the authentication factors out there, anything biometric (“something inherent about the user”) is probably the most secure, so we advise that it plays a part in your passwordless journey. Microsoft’s Windows Hello for Business incorporates fingerprint scanning and/or facial recognition capabilities, and your encrypted biometric data never leaves your device. Microsoft even states: “even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.”

We recognise that there are some

Moving away from biometrics and over to ownership factors, Yubico FIDO U2F keys are a great investment. They can be tapped on the device or plugged into a USB port at login to prove that the user is who they say they are.

Ideally, we would recommend using a multi-factor authentication process for ultimate security, combining one biometric method with one ownership method. So, we suggest using Windows Hello for Business and a FIDO U2F key in tandem.

Looking to a passwordless future

All in all, we’re looking forward to the passwordless future. It’ll be one less stick that the cybercriminals will have to threaten innocent web users with. Will they find something else? Perhaps, but by and large credential theft will be a thing of the past and we’ll enjoy a much better authenticated experience online. Bring it on!

Moving away from passwords is a lot to get your head around. Want help making the leap to passwordless? Or maybe you need some guidance around multi-factor authentication?

Our experts are on standby – book a call today! We might even be able to strengthen your defences using the tools you already have!

Book a call with one of our boffins today! Or ring us on 0808 1644414.

You’re in safe hands with our cyber security team