Executive Summary: Passwords are ineffective security controls. If your organization still relies on password authentication, it is at greater risk of cyber-attacks succeeding. Make plans to move systems to Passwordless Authentication.
What is Passwordless Authentication? Passwordless authentication is session-level validation of digital identities: previously registered credentials are compared against those presented at the time of the authentication request, without relying on users remembering and entering passwords. Instead, Passwordless Authentication systems leverage public key cryptography and various biometric factors. They do not require the transmission or storage of user passwords or password hashes.
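To make the definition concrete, here is an added example (not part of the original article, and a simplified model rather than a FIDO/WebAuthn implementation) of the registration and challenge-response flow in Go: the server stores only an Ed25519 public key, issues a single-use random challenge, and verifies the device's signature over it. The username "alice", the function names and the bare "sign the challenge" message format are assumptions for illustration; real FIDO assertions also bind the origin, a signature counter and other metadata. The demo also shows the two checks a practitioner would want: a replayed assertion is rejected because the challenge has been consumed, and a signature from a key that was never registered is rejected because the server holds no matching public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server is the relying party. Per user it stores only a public key, so a
// breach of this store yields nothing that can be replayed or cracked offline.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string][]byte            // username -> outstanding single-use challenge
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key generated by the user's authenticator.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge for the user.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin consumes the outstanding challenge first (so a replayed assertion
// can never match), then verifies the signature with the registered public key.
func (s *Server) FinishLogin(user string, challenge, signature []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok || subtle.ConstantTimeCompare(expected, challenge) != 1 {
		return errors.New("challenge missing or mismatched (possible replay)")
	}
	if !ed25519.Verify(pub, challenge, signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// Authenticator models the user's device. The private key is generated here and
// never leaves it; nothing secret is ever typed or transmitted.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates a key pair and returns the public half for registration.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Sign answers a challenge; on a real device this step is gated by a local
// biometric or PIN that is verified on the device, not sent to the server.
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Demo runs registration, a valid login, a replay of that same assertion, and an
// assertion signed by a key that was never registered. The user "alice" is constructed.
func Demo() (loginOK, replayRejected, wrongKeyRejected bool, err error) {
	srv := NewServer()
	auth, pub, err := NewAuthenticator()
	if err != nil {
		return
	}
	srv.Register("alice", pub)
	ch, err := srv.BeginLogin("alice")
	if err != nil {
		return
	}
	sig := auth.Sign(ch)
	loginOK = srv.FinishLogin("alice", ch, sig) == nil
	replayRejected = srv.FinishLogin("alice", ch, sig) != nil // challenge already consumed
	if ch, err = srv.BeginLogin("alice"); err != nil {
		return
	}
	other, _, err := NewAuthenticator() // unregistered key: its signature cannot verify
	if err != nil {
		return
	}
	wrongKeyRejected = srv.FinishLogin("alice", ch, other.Sign(ch)) != nil
	return
}

func main() {
	ok, replay, wrong, err := Demo()
	fmt.Println("login:", ok, "replay rejected:", replay, "wrong key rejected:", wrong, "err:", err)
}
```

The design point is that the server-side record contains nothing an attacker can present back to the server: a stolen public key cannot produce a valid signature, and a captured signature is bound to a challenge that has already been consumed. Contrast this with a password hash, which is both replayable (if the cleartext is phished) and crackable offline.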
Year after year, studies show that compromised passwords are a key vector in the majority of cyber-attacks and data breaches. For example, consider the Verizon Data Breach Reports over the last 15 years. Passwords can be phished, brute-force guessed, collected by malware, and sold by and to cybercriminals on the dark web. Knowledge-based authentication (KBA), i.e. security questions, is usually an even less secure account recovery mechanism than passwords themselves.
Multi-Factor Authentication (MFA) is using two or more of the “something you have, something you know, or something you are” factors. Many MFA systems start with a password and add additional factors, such as mobile phone biometrics, SMS codes, or other obtrusive challenges. But in those cases, users still have to know the password in order to get in, so this requirement is both a substantial inconvenience to the user and an opportunity for attackers.
The notion of Passwordless Authentication has been around for a while. However, as in the early MFA use cases, some “passwordless” solutions still have hidden or rarely used passwords. These are really “password-fewer”, not passwordless. Examples of password-fewer solutions are operating systems that allow users to use facial or fingerprint recognition for most authentication events, but occasionally require the user to sign in with a password. Password-fewer scenarios increase usability for the end user most of the time but retain the risks of password authentication systems. Attackers are not going to try to copy and present forged user biometric templates if text-based passwords can be compromised instead.
FIDO is a leading standard for Passwordless Authentication. Though some FIDO compliant solutions utilize PINs, many FIDO certified solutions can enable fully Passwordless Authentication experiences.
Contemporary MFA solutions can also employ Passwordless Authentication technologies. Some solutions allow customers to designate multiple crypto challenges, biometrics, and behavioral biometrics as factors for evaluation rather than passwords or KBA questions. Moreover, these factors can be used for registration and account recovery.
For more information on Passwordless Authentication solutions, see the KuppingerCole Leadership Compass on it at https://www.kuppingercole.com/research/lc81215/passwordless-authentication. KuppingerCole is launching a new service for customers that will allow users to interactively review products in the Passwordless Authentication market. Check back in the next couple of weeks to see how this service can assist you in selecting the right Passwordless Authentication product for your organization.