Passwordless authentication explained

Passwordless authentication is an authentication method in which a user can log in to a computer system without entering (and without having to remember) a password or any other knowledge-based secret. In the most common implementations, users enter their public identifier (username, phone number, email address, etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token.

Passwordless authentication methods typically rely on public-key cryptography: the public key is provided to the authenticating service (remote server, application or website) during registration, while the private key is kept on the user's device (PC, smartphone or an external security token) and can be used only after the user supplies a biometric or another authentication factor that is not knowledge-based. At login the service sends a fresh challenge, the device signs it with the private key, and the service verifies the signature with the registered public key, so no reusable secret ever crosses the network or sits in the service's database.

These factors classically fall into two categories:

Some designs might also accept a combination of other factors such as geo-location, network address, behavioral patterns and gestures, as long as no memorized passwords are involved.

Passwordless authentication is sometimes confused with multi-factor authentication (MFA), since both draw on a wide variety of authentication factors. The difference is that MFA is usually an added layer on top of password-based authentication, whereas passwordless authentication requires no memorized secret and usually relies on a single strong factor (e.g., an external security token), which makes it faster and simpler for users.

"Passwordless MFA" is the term used when the two approaches are combined: the authentication flow is passwordless and also uses multiple factors (for example, a hardware token that must be unlocked with a biometric). Implemented correctly, this provides the strongest assurance of the approaches described here.

History

The notion that passwords should become obsolete has been circulating in computer science since at least 2004. Bill Gates, speaking at the 2004 RSA Conference, predicted the demise of passwords, saying "they just don't meet the challenge for anything you really want to secure."[1] [2] In 2011 IBM predicted that, within five years, "You will never need a password again."[3] Mat Honan, a journalist at Wired who was the victim of a hacking incident, wrote in 2012 that "The age of the password has come to an end."[4] Heather Adkins, manager of Information Security at Google, said in 2013 that "passwords are done at Google."[5] Eric Grosse, VP of security engineering at Google, stated that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe."[6] Christopher Mims, writing in The Wall Street Journal, said the password "is finally dying" and predicted its replacement by device-based authentication; however, after purposefully revealing his Twitter password he was forced to change his cellphone number.[7] Avivah Litan of Gartner said in 2014 "Passwords were dead a few years ago. Now they are more than dead."[8] The reasons given usually cite both the usability and the security problems of passwords.

Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security.[9] [10] (The technical report is an extended version of the peer-reviewed paper of the same name.) Their analysis shows that most schemes do better than passwords on security, that some schemes do better and some worse on usability, and that every scheme does worse than passwords on deployability. The authors conclude with the following observation: "Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery."

Recent technological advances (e.g. the proliferation of biometric sensors and smartphones) and a changing business culture (acceptance of biometrics and a decentralized workforce, for example) are steadily promoting the adoption of passwordless authentication. Leading tech companies (Microsoft,[11] Google[12]) and industry-wide initiatives are developing better architectures and practices to bring it into wider use, with many taking a cautious approach and keeping passwords behind the scenes in some use cases. The development of open standards such as FIDO2 and WebAuthn has further driven adoption of passwordless technologies such as Windows Hello. On June 24, 2020, Apple announced that Face ID and Touch ID would be available in Safari as a WebAuthn platform authenticator for passwordless login.[13]

Mechanism

A user must first register with a system before their identity can be verified. A passwordless registration flow may include the following steps:[14]

Once they have registered, a user can log in to the system via the following process:

Benefits and drawbacks

Proponents point out several unique benefits over other authentication methods:

While others point out operational and cost-related disadvantages:

See also

Notes and References

  1. Munir Kotadia, "Gates predicts death of the password", CNET News, 2004-02-25 (retrieved 2020-04-12).
  2. Munir Kotadia, "Gates predicts death of the password", ZDNet, 25 February 2004 (retrieved 8 May 2019).
  3. "IBM Reveals Five Innovations That Will Change Our Lives within Five Years", IBM press release, 2011-12-19 (retrieved 2015-03-14; archived 2015-03-17 at https://web.archive.org/web/20150317041625/http://www-03.ibm.com/press/us/en/pressrelease/36290.wss).
  4. Mat Honan, "Kill the Password: Why a String of Characters Can't Protect Us Anymore", Wired, 2012-05-15 (retrieved 2015-03-14; archived 2015-03-16 at https://web.archive.org/web/20150316003756/http://www.wired.com/2012/11/ff-mat-honan-password-hacker/).
  5. "Google security exec: 'Passwords are dead'", CNET, 2004-02-25 (retrieved 2015-03-14; archived 2015-04-02 at https://web.archive.org/web/20150402115129/http://www.cnet.com/news/google-security-exec-passwords-are-dead/).
  6. Eric Grosse and Mayank Upadhyay, "Authentication at Scale", IEEE Security & Privacy 11(1):15–22, January 2013, doi:10.1109/MSP.2012.162 (archived 2013-04-23 at https://web.archive.org/web/20130423234925/http://www.computer.org/csdl/mags/sp/2013/01/msp2013010015-abs.html; retrieved 2 July 2022).
  7. Jaikumar Vijayan, "Russian credential theft shows why the password is dead", Computerworld, 2014-08-14 (retrieved 2015-03-14; archived 2015-04-02 at https://web.archive.org/web/20150402132011/http://www.computerworld.com/article/2490980/security0/russian-credential-theft-shows-why-the-password-is-dead.html).
  8. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano, "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes", technical report, University of Cambridge Computer Laboratory, Cambridge, UK, 2012, doi:10.48456/tr-817, ISSN 1476-2986 (retrieved 22 March 2019).
  9. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano, "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes", 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, 2012, pp. 553–567, doi:10.1109/SP.2012.44.
  10. "Use passwordless authentication to improve security", Microsoft.com, 2020-01-28 (retrieved 2020-04-12).
  11. "Making authentication even easier", security.googleblog.com, 2019 (retrieved 2020-04-12).
  12. "Apple Developer Documentation", developer.apple.com (retrieved 2020-10-07).
  13. "Passwordless Authentication: A Complete Guide [2022]", Transmit Security, 13 January 2022 (retrieved 12 April 2022).
  14. "No password for Microsoft Account: What does passwordless authentication mean?", Business Today (retrieved 12 April 2022).
  15. Katie Deighton, "Technology Alliance Says It Is Closer to Killing Off Passwords", Wall Street Journal, 22 March 2022 (retrieved 12 April 2022).
  16. "Accelerating the Journey to Passwordless Authentication", IBM (retrieved 12 April 2022).
  17. "Passwordless Authentication", World Economic Forum (retrieved 12 April 2022).
  18. Nigel Smithson, "Issues with Multi-Factor Authentication: PSA for MFA App Users", sayers.com, June 9, 2020 (dead link; archived 2020-08-10 at https://web.archive.org/web/20200810163102/https://resources.sayers.com/blog/mfa-app-issues; retrieved 2 July 2022).