Passwords are on their way out. Many people are already familiar with being authenticated without providing a password, such as through using FaceID on iOS, or by scanning a fingerprint on Android, and organizations are increasingly turning to passwordless authentication; a method of proving an online user’s identity using a biometric identifier as an alternative factor other than a password.
We take a deeper look at passwordless authentication: why it’s more secure, and a great deal more convenient for users.
The problem with passwords
There are many issues with passwords, in terms of the security of using passwords, and the effect they have on the user experience.
The main issue is the most obvious and something we have all been guilty of: forgetting your password. It’s hardly surprising; the average person has an overwhelming 80 different passwords.
Keeping track of all these passwords becomes a challenging memory test, and it doesn’t help that each of these accounts likely has different requirements as to password complexity. Consequently, the user experience is negatively affected if they cannot remember the correct one.
The huge number of passwords the average online user is supposed to remember inevitably leads to the next problem, which is the recycling of passwords. It’s estimated that 2 out of every 3 people use the same password for multiple accounts to help them remember it.
Reusing passwords poses a serious issue to users’ security. Major data breaches such as the recent Easyjet breach in the UK, where the details of 9 million people were compromised, often leads to legitimate login details of compromised accounts being purchased by bad actors on the dark web.
This in turn leads to credential stuffing attacks, where criminals exploit the tendency of users to reuse passwords by taking large amounts of compromised account details and inputting them en masse to various different sites in order to find out if they can access any other accounts using the same legitimate password.
It’s worth noting that doing so can drive big profits, meaning the culprits are usually well-established criminal organizations using high-end machine learning technology.
On top of all this, using passwords as a method of authentication can ironically hinder a user’s security.
A Verizon report found that 81% of hacking breaches occur as a result of weak, stolen or reused passwords.
Password login details are actively targeted by methods of online fraud such as phishing, man-in-the-middle and rat-in-the-browser (RitB) attacks, where fraudsters direct users to fake, official-lookingbrowser pages so as to encourage them to input their passwords.
The fraudsters steal this data and can then gain access to users’ accounts.
As passwords are so easy to access or intercept, organizations have been searching for other methods of authentication to replace them. Different examples of passwordless authentication include verification via:
- Email – a user is verified using a magic link (or in some cases a one-time code). A magic link is where a unique token is created for the user and sent to them by email. The user accesses their email and clicks the link, at which point the service they are attempting to access will identify the token and exchange it for a live token, logging them in.
- SMS – the user is sent a unique OTP (one-time passcode) via SMS to their mobile number. The user then inputs this code and is logged in.
- Multi-factor authentication – this is a combination of factors provided by the user such as a PIN, security questions, and contact information.
- Biometrics – this could be a fingerprint scan, or facial recognition in order to establish a user is who they say they are, or behavioral biometrics
The benefits of passwordless
- Authenticating users without using a password protects them from all attacks that rely on accessing passwords. This means man-in-the-middle and RitB attacks and phishing would be reduced
- With passwords out of the equation and not being phished, stolen or reused, admins of the organization the user is attempting to access can assume more control over its security
- The biggest advantage of passwordless authentication has to be the positive effect it has on the overall user experience. Users no longer have to remember several different passwords or risk compromised security for reusing the same ones
Behavioral biometrics – the most secure method of passwordless authentication
Issues of fraud attacks do remain even when authentication is passwordless. SMS authentication, for example, has reportedly been targeted many times.
Additionally, users can still be targeted by RitB attacks, especially where they have reused passwords for various accounts, as fraudsters can create official-looking but fake browser pages where users are encouraged to input their OTP.
In terms of physical biometrics, although this is a more efficient and accurate way to authenticate users through their device, this information can to some extent be captured, replicated and reused to execute an account takeover attack.
Behavioral biometrics, on the other hand, are completely unique to each user whilst being impossible to imitate. Parameters of behavioral biometrics can include the typical way in which a user types, moves the mouse, even the unique angle at which a user usually holds their phone. Any attempt to replicate a user’s unique pattern of behavior in itself would be deemed suspicious to a tool analyzing behavioral biometrics.
Behavioral biometrics are therefore the most accurate and comprehensive way in which to authenticate a user through their device, verifying that every user is who they say they are and are not being manipulated or impersonated.
And authenticating users through their behavioral biometrics can all be done invisibly and continually in the background throughout a user session, without adding any friction to the journey and maintaining that golden advantage of passwordless authentication: a more positive, frictionless user experience.