Passwordless Authentication: What is It? How Does it Work?

You need to log into one of your online accounts – it’s time to prove that you are who you say you are. At a top level, you’ll encounter one of two options here:

1. Knowledge-based authentication. This usually means a password. It’s a familiar option, but often causes problems for both users and organizations alike. For example, in the last 24 hours, 32% of users have had to request a password reminder. Forgotten passwords are a huge issue that causes significant administrative costs and lost business.
2. Passwordless authentication. This could be an SMS One-time Passcode (OTP), fingerprint authentication, or any other authentication method that does not require a password. With iProov face biometrics, for example, a user can authenticate simply by looking at their device in order to gain access to their account.

In recent years, organizations have moved away from passwords and towards passwordless options, because password-based authentication is generally cumbersome, expensive, and insecure.

There are many different passwordless options, but they’re not all created equal – some options deliver better user experience, security, and inclusivity than others.

[lwptoc]

What Is Passwordless Authentication?

Passwordless authentication is the process of authenticating user access to an online account, software, or service without requiring a knowledge-based password.

A number of technologies can be used to enable secure user access without passwords, such as:

• Biometric authentication (i.e. face, voice, or fingerprint)
• SMS OTP authentication
• Email one-time link authentication
• An authenticator application
• Hardware-based authentication (i.e. Yubikey)
• Video call verification

Why Do Organizations Choose Passwordless Authentication?

Passwordless authentication is beneficial because it can often strengthen security. Password vulnerabilities are well-known and they can be breached in numerous ways – plus, password management practices are often risky.

So, passwordless options are designed to strengthen security and to reduce the attack number of ways systems can be attacked. A good passwordless solution can also make the authentication process more convenient for users compared to passwords, because passwords are so easily lost, forgotten and breached, leading to lengthy recovery processes.

Quite commonly today, organizations choose to implement two-factor or multi-factor authentication to establish greater trust online under hostile conditions and limit fraud through stronger authentication. This means organizations don’t need to do away with passwords entirely if they don’t want to – instead they can combine them with another factor such as biometric face verification.

But remember: the specific benefits of going passwordless will depend on the solution you adopt. It’s important to strike a balance between security and user experience.

The Past and Future of Passwordless Authentication

In the early days of the internet, organizations typically relied exclusively on a user ID and password to verify a customer. As more money started changing hands online, fraudsters began to take advantage.

Fraudsters were successful: shockingly, 80% of hacking-related breaches involve compromised and weak password credentials. Passwords intrinsically weaken the integrity of the security process and expose the individual or service to risk. This causes society-wide security risks for users and organizations alike.

Along the way, the attacks bad actors use to undermine passwords became more sophisticated and scalable. They include, but are not limited to:

• Phishing
• Keylogging
• Brute force attacks
• Man-in-the-middle attacks.

So, new methods of authenticating customers sprang up to counter the disadvantages of passwords. Some stayed, and some died away. One method that stayed is biometric authentication – not least because it can offer secure access within seconds without the user needing to remember anything.

In 2023, iProov predicts that biometric combined with device will overtake password combined with device as a two-factor authentication solution – meaning we could finally see the end of passwords, even as part of two and multi-factor authentication solutions.

How Does Passwordless Authentication Work?

Passwordless authentication is generally split up into two categories:

1. Possession-based

Possession-based factors, such as OTPs, are sometimes referred to as “something you own”. They attempt to authenticate users through ownership of a device. For instance, if you can fetch and paste an OTP, then this should prove that you are the person who owns the device associated with that phone number and of which you have exclusive access to – thus proving your identity.

One problem with possession-based authentication is that it trusts devices over people. Codes are shareable and phishable, which means they are not a clear-cut representation of someone’s identity.

2. Inherence-based:

Inherence-based factors – i.e. biometrics – are sometimes referred to as “something you are”. They attempt to authenticate users by asserting a biological/physical characteristic. For instance, scanning your face using a device’s user-facing camera or pressing your finger against a device’s fingerprint scanning pad.

The third authentication factor is knowledge-based. Knowledge-based authentication usually means passwords, but can also mean secret answers, such your first pet or mother’s maiden name (though secret answers are used less commonly these days).

To put it simply, passwordless authentication works by users authenticating using a possession or inherence-based factor – such as a OTP or a facial biometric scan – rather than a password.

Auto-filling passwords is not passwordless authentication. Neither is using a cellphone unlock code to fill in a password field. Both of these options rely on an underlying password. Passwordless authentication works through bypassing the need for a password by using a different technology altogether.

Click here for a more in-depth understanding of the different authentication methods available.

Why Choose Face Biometrics for Passwordless Authentication?

The simplicity of face biometrics is one of its great advantages. It’s widely accessible, there’s no password to remember, and there’s no device or access token to carry around. This makes biometric face verification one of the most inclusive and accessible methods of security there is — if it’s implemented correctly.

While other methods can deliver benefits over the traditional password, the security still usually falls short of a sophisticated biometric solution. OTPs, for example, are often alarmingly easy to phish. Read more about the risks of OTPs here.

So, let’s consider a few of the areas where biometric passwordless authentication can make a real difference:

• Security: Generally, speaking biometric-enabled passwordless authentication should be more secure than a password-enabled login. Passwords are hard to remember, so people tend to use the same password across multiple sites. This means if a password is guessed or breached, a hacker could gain access to a whole host of user accounts using credential stuffing attacks. Additionally, people often choose simple passwords that are easy to crack. That’s why the majority of security breaches involve passwords. 63 percent of consumers have had to change a password due to security breaches. You cannot lose your face or have it stolen, though.
• Improved user experience and convenience: With passwordless authentication, the user generally doesn’t have to remember anything. In the case of iProov, they don’t even have to do anything: they just stare into the user-facing camera on their device. This makes authentication exceptionally easy for the end-user.
• Reduced costs: Biometrics means reduced overhead on resetting passwords, and less time spent reminding employees to reset their passwords or to use secure ones. Password helpdesk tickets are a huge problem across industries – several large US-based organizations in different verticals allocate over $1 million annually for password-related support costs. They require constant maintenance from IT. Removing the password eliminates these costs by relying on more efficient and secure authentication methods.

Benefits of Implementing Passwordless Authentication Using iProov Face Biometrics

In the same vein that some passwordless methods are better than others, some biometric solutions are also better than others.

There are a number of unique propositions that elevate iProov technology above others as a passwordless solution:

• Industry-leading completion rates: iProov completion rates are typically > 98%. Compare this statistic to the fact that Over 50% of users have abandoned online purchases because they forget their password and retrieving it took too long, and it’s easy to understand why organizations move away from passwords.
• Cloud-based security. iProov cloud-based security means that our authentication is unaffected by any vulnerabilities on the device used. It also means that our security is opaque to the attacker and far harder to reverse-engineer. Finally, this enables iProov to deliver out-of-band authentication. Some passwordless authentication options are tied to the device – so if that device is compromised, an OTP or authenticator app will be worthless because the attacker has access to the codes on the device. This is why President Biden has stressed the importance of cloud-based architecture.
• Truly passive experience: The iProov user experience is effortless, fast, and passive — all a user needs to do is look at the device’s user-facing camera.
• Scalability and proven success: iProov has demonstrated its ability to scale in real-world environments with major deployments worldwide — with over 1 million verifications per day during peak periods. iProov is a proven supplier, already actively used and relied upon by top organizations such as the US Department of Homeland Security and UBS.
• iSOC: The iProov Security Operations Center monitors day-to-day operations and identifies new and evolving attacks. Our defenses and algorithms are updated continually in response to new threats, which makes life much harder for attackers. This ultimately means that we learn more about the attackers than they learn about us.

Read all the advantages of iProov face biometric authentication in-depth here.

Why Is Liveness Important for Passwordless Authentication?

Liveness technology is a component of biometric technology that distinguishes between inanimate objects and a human.

Liveness technology is a key consideration for choosing a biometric passwordless authentication solution. When you are considering what kind of liveness technology to use, you have to think about what your threat profile looks like. How hard is the attacker going to try in order to break into your system? How important is it for you to establish that an online user is a real person and not a spoof? And how valuable is the information they are accessing? Different use cases require different levels of assurance – which is why some organizations choose step-up authentication.

Ultimately, not all liveness is created equal. There is a spectrum of liveness technologies. Some of them are very cheap and fast. Some of them are much more substantial and resilient to attackers’ methods that can detect even the most determined attackers. The latter can provide considerable reassurance for organizations and their users.

iProov offers solutions that cover low to high-risk use cases. But when a transaction is mission critical, only iProov Dynamic Liveness (GPA) can ensure that the user is the right person, a real person, and is authenticating in real-time. This is vital in protecting against highly scalable digitally injected attacks. Using patented Flashmark™ technology, a one-time biometric code is created which cannot be replicated.

Learn more about Dynamic Liveness here.

Biometrics for Passwordless Authentication: A Summary

• Passwordless authentication methods were developed to combat the inefficiencies, insecurities, and inconveniences associated with passwords.
• Passwordless authentication is generally split into two categories: possession-based (such as OTPs) and inherence-based (such as biometrics).
• Passwordless authentication methods should generally be more secure and convenient than password-based options. But there is a hierarchy to the options available: iProov champions face biometrics as the method that maximizes convenience, inclusivity, and security.
• iProov’s face biometric authentication is being used at scale by the world’s most security-conscious organizations to deliver a passwordless solution that improves security and user experience simultaneously.

If you’re interested in knowing more about implementing iProov’s technology to deliver seamless and secure passwordless authentication, please request a demo here.