What Is Passwordless Authentication?


According to Verizon’s 2020 DBIR, 80 percent of hacking breaches require brute force or the use of lost or compromised passwords. Find out how passwordless authentication will help you stay safe online.

The aim of passwordless authentication is to make the authentication process more user-friendly while still increasing security. But why did passwordless technology become essential in the first place?

According to NordPass, the average user has 70 to 80 passwords. It’s impossible for one person to remember 80 different and complex passwords. As a result, people often use easy-to-remember passwords or reuse passwords across several accounts.

However, according to a HYPR study, 78 percent of respondents said they had to reset their passwords within the previous 90 days due to losing them. Passwords are inconvenient for consumers, but they also pose a significant cyber danger to businesses.

What Is Passwordless Authentication?

Authentication refers to establishing your identity in such a way that third parties may verify that you are the individual, entity, or organisation you claim to be. For identity authentication, a long password has traditionally been used. You can use one of the following security criteria for passwordless authentication:

  • A one-time password (OTP),
  • Magic links,
  • Hardware that produces system-generated PINs or codes,
  • Biometrics, or
  • Cryptographic digital certificates.

Don’t worry, we’ll go over each of these in depth later.

When you log into your bank account, for example, you most likely use the standard password-based approach to authenticate yourself to the financial institution. However, if the bank has allowed any passwordless process, you will use one of the above-mentioned methods rather than the complicated, difficult-to-remember password.
A screenshot of the vanguard.com website demonstrating conventional authentication strategies that do not require a password.

Passwordless authentication can be used on a variety of devices, including personal laptops and smartphones. It can be used on public-facing and intranet websites, as well as on internal email networks, work pages, and hardware tools such as laptops, tablets, and mobile phones.

5 Passwordless Authentication Tools

Let’s look at some of the most popular passwordless authentication tools.


Fingerprint scans, retina scans, and facial recognition scans all fall under this group. Biometric authentication is useful for users because they will still have certain authentication factors with them, barring any horrific incidents. They’re a part of the user’s body.

As a result, you won’t need to recall anything or hold any hardware or cards. Biometric authentication is now implemented in many desktop, laptop, mobile, and cellphone manufacturers’ products to offer protection and convenience to their customers.

However, data breaches have resulted in biometric data (fingerprints) being leaked or stolen:

  • In Suprema’s BioStar 2 data breach, VPNmentor researchers discovered 28 million fingerprint and facial recognition records.
  • The Office of Personnel Management (OPM) hack in the United States resulted in the theft of 5.6 million fingerprint documents.
  • Researchers from SafetyDetectives discovered an unreliable database belonging to Antheus Tecnologia that contained 2.3 million data points and 76,000 unique fingerprints.

While there are ways to circumvent biometrics authentication, replicating biometrics for even a single account takes a lot of effort on the part of the hacker. As a result, the chances of mass hacking are slim to none.

One-Time Passwords

Users must include their phone numbers and generate user IDs when creating new accounts. Users receive unique one-time passwords (OTPs) on their mobile phones via push notifications, SMS text messages, or their registered email addresses any time they want to log in to their accounts.

Each OPT is only valid for a short time (usually 30 seconds to 24 hours) and can only be used once. Users won’t have to recall their passwords this way.

Security Tokens

A security token is a physical device that verifies a user’s identity before granting them access to the system and its resources. These are often referred to as dongles. To complete the authentication process, the user must have this token. Safety tokens are divided into three categories:

1. Connected Tokens:

To complete the verification, the user must insert the security token into the machine, monitor, cardholder, or other device. A USB token and a common access card (CAC), the latter of which involves the use of a CAC reader, are two examples of this type of token.

USB Tokens: After plugging in this USB card, you can log in and/or access some sensitive resources on a computer. It usually entails two-factor authentication (2FA). As a result, you can need to unlock the USB using your fingerprint or a secret code as a second form of authentication even after plugging it in.

2. Disconnected Tokens

Small gadgets that resemble a SIM card, a keychain fob, or a USB flash drive. To gain access to a computer resource, the user must enter a unique and temporary cryptographic code produced by these tokens. The token does not need to be entered into the system by the user.

Grid cards are another example of disconnected tokens.

Grid Cards: These cards have grids of combinations of numbers and letters in various rows and columns, much like Bingo cards. When users need to check their identity, they must use biometrics or PINs to log in. The machine would then prompt you to enter a specific value from the card’s tables.

For a visual representation of one of these cards, see the illustration below:


This is an example of a grid card for this subject that we made.

This is a grid card in action. If the device asks you to fill in the blanks “B1, F3, D2,” you must locate and enter the values written in those cells. The values will be Q3JRS6 in the card example above.

Employees should keep the card in their wallets, or the corporation can imprint it behind their badge.

3. Contactless Tokens

Some tokens do not require users to insert a key or plug the token into the device. Bluetooth tokens, for example, perform automatic authentication.

Magic Links

Anauthenticator sends a unique link-URL to your registered email address or via SMS in this passwordless authentication process. A unique token can be found in the URL. The server verifies the connection and sends it back to you when you click on it (client). The token is then stored as a cookie in your browser for that specific session. The connection will expire if it is not clicked within a certain amount of time.

Client Certificates

These PKI certificates are extremely useful for business setups, especially for companies with remote employees. Client certificates, personal authentication certificates (PACs), user certificates, and email signing certificates are all terms for these certificates that authenticate users. (They’re also known as this because they’re also used to digitally sign and encrypt emails.)

These certificates are mounted on the organization’s computer as well as the devices of its employees (desktop, laptop, or even smartphones). They make mutual authentication possible by exchanging certificates that authenticate both the users’ clients and the servers they’re connected to. The server provides its SSL/TLS certificate as normal, but the client also provides its own certificate and public key in this variation on the standard TLS handshake.

Public keys are stored on the organization’s computer, while private keys are stored on client computers. Employees can only access the company’s services if they log in from the computers that contain the corresponding private keys. The link will be rejected if the server is unable to validate and authenticate the user’s certificate.

As a result, even if hackers obtain the user’s credentials, they will be unable to access the company’s server. That in this case, authentication is accomplished by the use of a certificate exchange. The private key is kept secure since it is never sent to the computer.

The certificates are more secure than phone-based multi-factor authentication methods, particularly when used with trusted platform modules (TPMs). TPMs are cryptographic hardware modules that allow you to store digital certificates and keys in a safe manner.

5 Crucial Reasons to Avoid Using Password-Based Authentication

Let’s look at why a password is regarded as a poor security measure and why you would want to try using passwordless authentication methods instead:

1. Cybercriminals Can Guess Passwords with Social Engineering

People are often unconcerned about creating secure passwords. According to Avast, 83% of Americans have poor passwords, and 53% of them use the same password to secure several accounts. People also use passwords that are the names of their loved ones, relatives, pets, or favourite movies, sports, or celebrities. They also use their birthdays, wedding anniversaries, and other significant dates as passwords.

While this information helps people remember passwords, it also makes it easier for hackers to guess them through social engineering. This approach helps a cybercriminal to collect and use information about a victim obtained from social media accounts, professional networking sites, and other publicly accessible information.

2. Hackers Use Brute-Force Attacks to Bypass Password-based Authentication

In brute force attacks, hackers place a script or bot on login fields that automatically applies a pre-guessed database of millions of user IDs and passwords until it succeeds. A botnet is often used, in which a large number of infected devices launch a brute force attack on a specific login sector.

These are the ten most widely used passwords in the world, according to SafetyDetectives, which has compiled over 18 million passwords:

  1. 123456
  2. password
  3. 123456789
  4. 12345
  5. 12345678
  6. qwerty
  7. 1234567
  8. 111111
  9. 1234567890
  10. 123123

This demonstrates how sloppy people can be when it comes to password creation. Using brute force attacks, hackers can easily circumvent the authentication process when users use weak passwords.

3. Risk of Password Leakage Increases When Multiple Users Sharing the Same Password

Multiple workers and teammates also share the identities for the company’s key accounts, resources, programmes, and email addresses in an organisational setting. This can save money on licences for individual accounts, but it can be much more expensive in terms of certification compromise.

These workers can be located in various towns, countries, or operate remotely. The credentials are compromised if any of those employees’ devices are infected with malware, stolen, or otherwise compromised by a man-in-the-browser, man-in-the-middle, or botnet trojan. The hacker has access to the company’s email network, archives, and sensitive information.

4. Hackers Buy and Share Password Lists on the Dark Web

Some hackers use malware or leaky databases to steal users’ login credentials and passwords. They either use the lists themselves or sell these keys on the dark web to other cybercriminals.

Numerous data breaches have occurred in the past, with major corporations such as Yahoo, Equifax, First American Financial Corp, Facebook, and Marriott falling prey to data theft. In May 2020, for example, a hacker community known as Shiny Hunters stole 25 million students’ email addresses and passwords from Mathway, a math-solving app. They were selling the database for $4,000 on the dark web.

As a result, perpetrators who are unfamiliar with programming or standard hacking techniques will purchase and use the passwords. When people use the same password for different accounts, attackers have a much easier time hacking all of them.

5. Keyloggers and Other Malware Can Record or Steal Your Passwords

A keylogger is a piece of software that can track and record the activities and behaviours of users. This type of programme will read, copy, and paste data from the devices on which it is mounted. Keyloggers are used by hackers to steal passwords and other sensitive information. However, if you don’t use a password-based authentication system, you can reduce some of the risks associated with keyloggers.
Multi-Factor Authentication (MFA) vs. Passwordless Authentication

Multi factor authentication (MFA) is similar to passwordless authentication, but it differs in that it also requires the use of a password. Two or more levels of verification are used in MFA. A password, followed by at least one secondary authentication process, such as a hardware token or a biometric scan, in general. These secondary authentication variables are often referred to as “what you know,” “what you have,” and “what you are:”

1) Passwords, answers to security questions, and passphrases are all things you should know.

2) What you have: A controllable possession such as a smartphone, laptop, USB token, or grid card.

3) Who or what you are: Fingerprints, iris or facial scans, and other biometrics

Passwords and other forms of knowledge-based secrets are not required with passwordless authentication. It does, however, necessitate the use of cryptographic key pairs (which we’ll discuss in greater detail later). Multiple layers of authentication may or may not be present in passwordless authentication mechanisms. This means it can either use a single standalone verification method or a combination of methods (also known as “passwordless MFA”).

The Role of PKI in Passwordless Authentication

Internet security is based on the basis (processes, procedures, and technologies) of public key infrastructure (PKI). It’s all about asymmetric encryption, and PKI is at the heart of many passwordless authentication methods.

Asymmetric encryption is used in certificate-based authentication systems, such as SSL/TLS certificates for websites and the client certificates we just discussed. This entails the use of asymmetric key pairs and digital certificates provided by trusted third parties (known as certificate authorities, or CAs). The keys encrypt and decrypt data, while the certificates, which CAs sign, authenticate third parties.

These key pairs are made up of two keys that are mathematically connected but not identical.

Users’ clients and websites share this key, which is available in the public domain, to prove their identities by third-party authentication. This is the method of encrypting data to keep it secure from prying eyes.
Private key: As the name implies, this key is private and must be kept secret. You use this key to decrypt data that has been encrypted by the public key. These keys are fantastic because they are almost impossible to crack. According to Quintessence Labs, a 2048-bit RSA key will take approximately 300 trillion years to crack using modern computers.

The authentication process is completed only when you have the correct combination of validated certificates, public and private keys, and you can safely access the device. The success of PKI is entirely dependent on the private key’s confidentiality and the trustworthiness of certificate authorities.

Wrapping Up on Passwordless Authentication

Organizations, websites that provide online services, and users’ computers all benefit from passwordless technology because it offers a secure private key. Users don’t have to memorise a huge number of passwords or repeatedly press “forgot password” to reset them.

Passwordless authentication frees up time in the IT department because it eliminates the need to set password policies and adhere to password storage laws and regulations. They don’t have to be on high alert all of the time to identify and avoid password leaks.

Is a password-free solution right for your company? Are there any drawbacks to using a passwordless authentication system that should be considered? Let’s look at these issues in one of our upcoming posts about the benefits and drawbacks of passwordless authentication.

Leave a Reply