A Primer on Passwordless

Most users—employees, partners, and customers—get frustrated with passwords. And passwords aren’t even doing a great job at keeping resources secure! As an IT leader, you often hear about the need to maximize security while minimizing user friction. While there are many strategies to go about this, perhaps no security initiative can achieve this balance more effectively than passwordless authentication.

But adopting passwordless isn’t so easy.

Despite the clear benefits and number of passwordless use cases, the notion of going fully passwordless is a complex process riddled with many questions. What does it really mean to authenticate without passwords? Is it less secure? How does it actually work?

Read on to get the inside track on passwordless authentication, and find out how it can be utilized to improve your users’ experience and overall security.

While passwords are what most of us are used to, they are considered a necessary evil, and they present too many risks to ignore. For starters, most passwords are easy to steal or guess. The 2020 Verizon Data Breach Investigations Report confirms this, finding that 80% of breaches involve brute force attacks or the use of lost or stolen credentials.

Despite efforts to increase password security awareness and strengthen policies, poor and risky password practices persist. It’s estimated that the average user has 100 passwords to manage, and that number could double by 2023. As a result, many people will stick to weak passwords, re-use existing ones, or adopt bad practices such as writing down passwords on sticky notes.

To combat this tendency, some organizations push password complexity rules and more frequent password changes on their users. However, this only adds to the problem. It increases the likelihood that users will write down their passwords, use the same password across multiple sites, or forget their passwords altogether. It can also undermine productivity by forcing both users and administrators to dedicate more time and effort to password maintenance.

This is where passwordless authentication comes in.

The definition of passwordless authentication can vary, but the most widely accepted definition is that it’s a method of authenticating a user with an alternate form factor besides a password. Examples include a thumbprint or face scan, a security key, or a one-time passcode via email or text message.

The user experience of passwordless authentication is already familiar to most people, but the complication lies in the implementation. Going passwordless is a journey, and one you’ll need to take step by step to be able to implement it into your organization effectively.

A password is a knowledge factor, meaning it’s something you know. The problem with relying on a knowledge factor alone is that it’s vulnerable to theft, sharing, repeat use, misuse, and other risks. Passwordless authentication, on the other hand, relies on a possession factor (something your user has) or an inherent factor (something your user is) to verify user identity with greater assurance.

No More Passwords Means Stronger Security

Lost and stolen passwords have always been a security risk. By replacing passwords with more secure authentication factors, you make it much more difficult and expensive for attackers to be successful. With the addition of advanced authentication mechanisms—like risk signal tracking and device trust—you gain even greater assurance that logins are secure.

Removing Passwords Creates Better User Experiences

Passwords present a host of usability problems that translate to poor experiences. For example, if your customer or employee can’t remember their password, there’s a risk they might abandon their purchase or give up on the task they were trying to complete, rather than go through the password recovery process. In contrast, by providing passwordless authentication, you eliminate the need to create, manage, and remember passwords.

Passwordless Authentication Promotes Greater Workforce Productivity

By phasing out passwords, you also avoid the need for password resets. This shift alone can yield significant productivity gains because people spend less time locked out of your systems. With more convenient and secure authentication options, your users get quicker, easier access to resources—and way less frustration.

Logging In Without Passwords Lowers Costs

Passwordless authentication eases the burden on your IT helpdesk by minimizing or eliminating password reset requests and their associated costs. And by adopting more modern passwordless techniques, you can also replace expensive two-factor authentication tokens and cards with low-cost push notifications or leverage already-embedded biometric authentication technology on users’ smartphones.

The short answer is no. Multi-factor authentication increases the confidence that a user is who they claim to be by requiring an additional authentication factor to gain access to resources. But it also adds friction by adding an additional step. In contrast, passwordless authentication still only relies on one factor, and bypasses the password altogether. If the authentication process requires more than one factor and none of the factors is a password, then it's a passwordless MFA.

Yes, passwordless authentication is inherently safer than password-based authentication because it lets you replace the use and storage of passwords with more secure authentication mechanisms.

Identity solutions such as PingOne for Workforce and PingOne for Customers are able to support FIDO2, the first open identity standard created specifically to support passwordless authentication. FIDO2 uses public key cryptography to provide the most secure method of passwordless authentication. Credentials never leave the user’s device and are never stored on a server, meaning they’re not vulnerable to phishing, password theft, or replay attacks. Passwordless authentication can also support using more sophisticated threat detection and risk minimization technologies to strengthen security.

Which Authentication Method Is Best for Passwordless?

When it comes to deciding which authentication factors are best for your passwordless use cases, it’s useful to know the pros and cons of each.

Knowledge Factors: Something You Know

Examples: a password, a PIN code, or the name of your first pet

• Pros: Can be easily implemented

• Cons: Can be forgotten or stolen

Possession Factors: Something You Have

Examples: your smartphone, an RSA key, your email account, or a FIDO authenticator

• Pros: Most are hard to steal remotely

• Cons: Need an alternative if it's broken or lost

Inherent Factors: Something You Are

Examples: biometric factors such as facial recognition, fingerprint scans, voiceprints, or EKGs

• Pros: Can’t be forgotten

• Cons: Accessibility limited due to reliance on devices and abilities

Given the range of authentication options available, you may wonder how to strike the right balance of security, usability, and cost for your passwordless use cases. A good way to start is by auditing the various applications you’re using, determining their security needs, and identifying which groups of users should have access to them. Then you can start mapping out application access scenarios and determine the best authentication method for each one.

The top priority for passwordless authentication is ensuring you maintain or improve security by reducing or eliminating the use of passwords.

To make it work, you need to be able to gather other attributes about a user—such as a fingerprint or a device identifier—so that you can verify their identity without compromising security. Additionally, you need to take into account the user’s devices and the various scenarios of how they will authenticate.

A typical journey starts with identifying the most critical business needs to address and selecting initial users in order to gain feedback during the early stages of deployment.

The image above shows Ping Identity’s point of view on a four-step process for implementing passwordless authentication, beginning with central adaptive authentication and ending with zero login (or true passwordless). But there’s no one-size-fits-all approach to passwordless authentication: your implementation may look different depending on your specific applications, user populations, and business needs. Read the white paper to learn more about mapping your journey to passwordless.

Passwordless Use Case 1: Workforce Access to Resources

A common passwordless use case is gradually phasing out passwords based on user behavior. When the same user logs into the same device around the same time every day, a typical behavior pattern is established. If the user continues to follow this same pattern, you can reduce the requirement for password authentication in a systematic way.

For example, you might require that the user enter a password for every login during the first week. If the user’s behavior stays consistent, you might then reduce the requirement for a password to once a day during the first month. If typical behavior continues, you could then require a password only once per week from the second month on.

Passwordless Use Case 2: Consumer Access to Gift Card Balances

Gift cards are popular presents, accounting for an estimated $27.5B in holiday gift sales according to the National Retail Federation. But that popularity also makes them a prime target for cybercriminals and other thieves. Despite the many ways bad actors can steal and scam using gift cards, retailers understandably want to make their cards as easy to use as possible for genuine buyers.

This presents a great opportunity for passwordless authentication. Almost all customers need to use their email to access their gift card balance, right? So, that same email could be used to send a one-time authorization code when a customer accesses the card from a new device for the first time. You could also give customers the option to trust the new device and fingerprint the device so that they do not need to re-authenticate.

Passwordless Use Case 3: Insurance Adjuster Access to Records

In the insurance industry, security is paramount. But you don’t want to take security measures that are so restrictive that they prevent legitimate users—like insurance adjusters—from getting to the customer insurance records and claims history data they need.

For this type of use case, authentication could involve sending a push notification to a phone-based authentication app, which uses fingerprint or facial recognition, with a backup factor of a PIN-protected roaming FIDO authenticator such as a YubiKey. (For more info on these authentication methods, watch the webinar.)

The adjuster can log in by responding to the push notification using this combination. If they can’t receive or respond to the push notification, they can use the YubiKey as a fallback authentication method. Since the YubiKey is a FIDO authenticator and therefore not tied to a phone or laptop, the adjuster can use a PIN to unlock the authenticator and gain access. Security is maintained, and productivity isn’t negatively impacted.

Now that you’ve explored passwordless use cases and advantages, you may even have some ideas about strengthening security, delivering better customer experiences, increasing workforce productivity, and lowering your IT costs. If you’re ready to take the next steps on your journey to passwordless, Ping is here to help.

Our proven passwordless capabilities provide you with an easy way to get started today and reduce your organization’s password risk over time. We’ve identified four steps that will help you move from usernames and passwords all the way to zero login and continuous authentication. Download the white paper today to learn more about the Passwordless Maturity Scale and begin your journey to passwordless authentication.