Passwordless Authentication
Passwordless authentication is a login method that relies on factors other than passwords, ranging from hardware login keys to biometric data such as a fingerprint or a facial scan. It addresses many of the vulnerabilities and complications of password-based systems, in particular the threat posed by cybercriminals and other malicious actors who steal, guess or phish passwords.
How Does Passwordless Authentication Work?
Here is what a passwordless authentication process usually looks like:
- The user requests access to a resource.
- The authentication system sends a challenge to the user.
- The user authenticates using one of the supported methods, for example:
  - A one-time password (OTP)
  - A biometric factor (retina scan, fingerprint, etc.)
  - A security key
- The authentication is verified, and the user is granted access to the protected resource.
Examples of Passwordless Authentication
Currently, several types of biometric authentication systems are available on the market, many of which are already used by the public. These include fingerprint recognition, iris recognition, voice recognition, facial recognition, and behavioral biometrics. One does not need to look hard to find implementations of biometric authentication at scale:
- Apple uses facial recognition technology, Face ID, to unlock their iPhones and iPads.
- Amazon uses palm recognition at their Amazon Go stores. Customers can link their palm print to their Amazon account and then use it to make purchases without needing a physical payment method.
- Mastercard offers biometric authentication through its Identity Check mobile app, which uses facial or fingerprint recognition to authenticate online transactions.
- Delta Air Lines uses biometric authentication at some airports to speed up check-in.
Passwordless Authentication Types
The most common passwordless authentication types are:
- Security Keys: Physical hardware devices or tokens that users plug into USB ports or connect via Bluetooth. They generate a unique code or signature for each login attempt, which cannot be replayed, enhancing security.
- FIDO2 (Fast Identity Online) Authentication: An industry-standard authentication approach that utilizes public key cryptography to enable secure passwordless logins.
- Biometric Authentication: Utilizes unique physical or behavioral traits such as fingerprints, facial features, or voice patterns for authentication. Biometric data is difficult to replicate, providing strong security.
- Device-Based Authentication: Relies on possession of a registered device, like a smartphone, to confirm identity. Users receive authentication prompts on their devices for access approval.
- Smart Cards: Physical cards with embedded microchips that hold user credentials. Users insert the card into a reader for authentication.
- Time-Based One-Time Passwords (TOTPs): Generate temporary codes that users enter during login attempts. These codes are time-sensitive and change regularly, adding an extra layer of security.
- Push Notifications: Send authentication requests to users' registered devices. Users approve or deny access via the push notification, streamlining the login process.
- Email Magic Links: Send users a one-time link via email which, when clicked, grants access without requiring a password. Links often expire after a short period for enhanced security.
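The four-step request/challenge/authenticate/verify flow described above, with a TOTP as the factor, worked through in code. This is an added example and not code from the original page; it implements the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238) with Python's standard library, and the `PasswordlessServer` class, its in-memory user store and the user name "alice" are constructed for illustration. It shows the checks a verifier needs that the prose leaves implicit: the challenge is single-use and expires, the comparison is constant-time, a small clock-drift window is tolerated, and an already-accepted time step is refused so that an intercepted code cannot be replayed.

```python
import base64
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step, digits, algorithm)


class PasswordlessServer:
    """Hypothetical verifier walking the challenge/response flow with TOTP as the factor."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1, challenge_ttl: int = 120):
        self.step, self.digits, self.window, self.challenge_ttl = step, digits, window, challenge_ttl
        self.enrolled = {}       # username -> shared secret (constructed in-memory store)
        self.challenges = {}     # challenge id -> (username, issued_at)
        self.last_counter = {}   # username -> highest time step already accepted

    def enroll(self, username: str) -> str:
        """Register a user; returns the base32 secret they load into their authenticator app."""
        secret = secrets.token_bytes(20)
        self.enrolled[username] = secret
        return base64.b32encode(secret).decode()

    def request_access(self, username: str, now: int) -> str:
        """Steps 1-2: the user asks for a resource; the server answers with a single-use challenge."""
        if username not in self.enrolled:
            raise KeyError(f"unknown user {username!r}")
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = (username, now)
        return challenge_id

    def verify(self, challenge_id: str, code: str, now: int) -> bool:
        """Steps 3-4: check the OTP sent back against the outstanding challenge."""
        entry = self.challenges.pop(challenge_id, None)       # a challenge is consumed on first use
        if entry is None:
            return False
        username, issued_at = entry
        if now - issued_at > self.challenge_ttl:
            return False                                      # stale challenge
        secret = self.enrolled[username]
        current = now // self.step
        # Tolerate one step of clock drift either side, but never a step already accepted.
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter.get(username, -1):
                continue                                      # replay of an accepted step
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time comparison
                self.last_counter[username] = counter
                return True
        return False


if __name__ == "__main__":
    server = PasswordlessServer()
    secret_b32 = server.enroll("alice")
    now = int(time.time())
    challenge = server.request_access("alice", now)
    code = totp(base64.b32decode(secret_b32), now)            # what the authenticator displays
    print("first use accepted:", server.verify(challenge, code, now))
    retry = server.request_access("alice", now)
    print("replayed code accepted:", server.verify(retry, code, now))
```

The `hotp`/`totp` functions can be checked against the published RFC 6238 test vectors (secret `12345678901234567890`, 8 digits, SHA-1), and the `last_counter` bookkeeping is what turns a code that is merely short-lived into one that is also single-use within its validity window.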