February 12 2023
You need to log into one of your online accounts – it’s time to prove that you are who you say you are. At a top level, you’ll encounter one of two options here:
In recent years, organizations have moved away from passwords and towards passwordless options, because password-based authentication is generally cumbersome, expensive, and insecure.
There are many different passwordless options, but they’re not all created equal – some options deliver better user experience, security, and inclusivity than others.
Passwordless authentication is the process of authenticating user access to an online account, software, or service without requiring a knowledge-based password.
A number of technologies can be used to enable secure user access without passwords, such as:
Passwordless authentication is beneficial because it can often strengthen security. Password vulnerabilities are well-known and they can be breached in numerous ways – plus, password management practices are often risky.
So, passwordless options are designed to strengthen security and to reduce the number of ways systems can be attacked. A good passwordless solution can also make the authentication process more convenient for users compared to passwords, because passwords are so easily lost, forgotten and breached, leading to lengthy recovery processes.
Quite commonly today, organizations choose to implement two-factor or multi-factor authentication to establish greater trust online under hostile conditions and limit fraud through stronger authentication. This means organizations don’t need to do away with passwords entirely if they don’t want to – instead they can combine them with another factor such as biometric face verification.
But remember: the specific benefits of going passwordless will depend on the solution you adopt. It’s important to strike a balance between security and user experience.
In the early days of the internet, organizations typically relied exclusively on a user ID and password to verify a customer. As more money started changing hands online, fraudsters began to take advantage.
Fraudsters were successful: shockingly, 80% of hacking-related breaches involve compromised and weak password credentials. Passwords intrinsically weaken the integrity of the security process and expose the individual or service to risk. This causes society-wide security risks for users and organizations alike.
Along the way, the attacks bad actors use to undermine passwords became more sophisticated and scalable. They include, but are not limited to:
So, new methods of authenticating customers sprang up to counter the disadvantages of passwords. Some stayed, and some died away. One method that stayed is biometric authentication – not least because it can offer secure access within seconds without the user needing to remember anything.
In 2023, iProov predicts that biometric combined with device will overtake password combined with device as a two-factor authentication solution – meaning we could finally see the end of passwords, even as part of two- and multi-factor authentication solutions.
Passwordless authentication is generally split up into two categories:
Possession-based factors, such as OTPs, are sometimes referred to as “something you own”. They attempt to authenticate users through ownership of a device. For instance, if you can fetch and paste an OTP, then this should prove that you are the person who owns the device associated with that phone number and to which you have exclusive access – thus proving your identity.
One problem with possession-based authentication is that it trusts devices over people. Codes are shareable and phishable, which means they are not a clear-cut representation of someone’s identity.
Inherence-based factors – i.e. biometrics – are sometimes referred to as “something you are”. They attempt to authenticate users by asserting a biological/physical characteristic. For instance, scanning your face using a device’s user-facing camera or pressing your finger against a device’s fingerprint scanning pad.
The third authentication factor is knowledge-based. Knowledge-based authentication usually means passwords, but can also mean secret answers, such as your first pet or your mother’s maiden name (though secret answers are used less commonly these days).
To put it simply, passwordless authentication works by users authenticating with a possession- or inherence-based factor – such as an OTP or a facial biometric scan – rather than a password.
Auto-filling passwords is not passwordless authentication. Neither is using a cellphone unlock code to fill in a password field. Both of these options rely on an underlying password. Passwordless authentication works through bypassing the need for a password by using a different technology altogether.
The simplicity of face biometrics is one of its great advantages. It’s widely accessible, there’s no password to remember, and there’s no device or access token to carry around. This makes biometric face verification one of the most inclusive and accessible methods of security there is — if it’s implemented correctly.
While other methods can deliver benefits over the traditional password, the security still usually falls short of a sophisticated biometric solution. OTPs, for example, are often alarmingly easy to phish. Read more about the risks of OTPs here.
So, let’s consider a few of the areas where biometric passwordless authentication can make a real difference:
In the same vein that some passwordless methods are better than others, some biometric solutions are also better than others.
There are a number of unique propositions that elevate iProov technology above others as a passwordless solution:
Liveness technology is a component of biometric technology that distinguishes between inanimate objects and a human.
Liveness technology is a key consideration for choosing a biometric passwordless authentication solution. When you are considering what kind of liveness technology to use, you have to think about what your threat profile looks like. How hard is the attacker going to try in order to break into your system? How important is it for you to establish that an online user is a real person and not a spoof? And how valuable is the information they are accessing? Different use cases require different levels of assurance – which is why some organizations choose step-up authentication.
Ultimately, not all liveness is created equal. There is a spectrum of liveness technologies. Some of them are very cheap and fast. Others are far more substantial and resilient to attackers’ methods, and can detect even the most determined attackers. The latter can provide considerable reassurance for organizations and their users.
iProov offers solutions that cover low to high-risk use cases. But when a transaction is mission critical, only iProov Genuine Presence Assurance® (GPA) can ensure that the user is the right person, a real person, and is authenticating in real-time. This is vital in protecting against highly scalable digitally injected attacks. Using patented Flashmark™ technology, a one-time biometric code is created which cannot be replicated.
If you’re interested in knowing more about implementing iProov’s technology to deliver seamless and secure passwordless authentication, please request a demo here.