
Passwordless authentication: Safer, better, and about time

How many times have you stared at your computer screen, fingers poised over the keyboard, eyebrows furrowed in consternation as you try to remember what over-complicated string of characters you used last month when you were asked to change your password for the umpteenth time this year? You regret not writing it down immediately because you were so confident you’d remember every special character and capital letter you typed in, but now you can’t even remember the word you chose. As your mind draws a blank, you hover the cursor over the “Forgot Password?” button, sigh, and click. Passwords were once the safest way to secure your information on the Internet, but they’re slowly making way for other — often simpler — methods that authenticate that a user is who they claim to be. Passwordless authentication is slowly taking over the function that passwords once held, and these methods are safer in that they are not easily hacked or predicted.

Why passwords are being left behind

Passwords are vulnerable to data breaches, especially when careless companies store them in publicly accessible, unsecured databases. Phishing attacks continue to affect users who are unaware of the malicious nature of phishing links. Passwords also need to be maintained by IT teams at organizations, making them a burden to deal with.

However, the most compelling argument against the use of passwords with ever-increasing complexity is the sheer number of users who just can’t recall their passwords. On average, every user on the Internet has around 90 accounts on different websites. Given that this is the average, imagine the number of users with hundreds of accounts on different websites, each with its own password. It’s no wonder then that reports claim that a third of all online transactions are abandoned because online shoppers can’t remember their passwords. The implications of these revenue losses for online retailers are massive. The most important takeaway, however, is that users need more secure and simplified authentication systems that don’t leave them locked out of important services at inconvenient times.

How passwordless authentication has changed the game

You may have already noticed that passwordless authentication has quickly become one of the primary means by which users access their laptops, phones, and tablets. Many mobile devices today use biometric authentication methods to identify users. Fingerprint and face scans are used to grant users access to their devices, with Apple phones notably using face scanners to authenticate their users. Many apps can now be unlocked just by pressing your finger to a fingerprint scanner on your phone, allowing you to keep your app data safe from prying eyes. Voice recognition software is also being used to add a layer of security to apps and devices.

Many apps, services, and websites no longer require a password to access them as long as you can authenticate your identity using your email address or Facebook account, which have already authenticated your identity. Email-based authentication is fairly simple, as you merely need to click on a link to generate a live token to access a website, or you need to enter a one-time code sent to your email to verify that you are indeed who you claim to be.

SMS-based authentication is the primary mode of authentication for most apps on mobile phones. After you enter your phone number, a one-time code is generated and sent to that number. Sometimes the code is verified automatically, and at other times you are required to type it in manually. Either way, this is definitely an easier way to access an app’s services than signing up using yet another password. However, SMS authentication isn’t as safe as other forms of passwordless authentication, having been targeted by cyberattackers in the past.
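The email code and SMS code flows described in the two paragraphs above both come down to the same server-side logic: issue a short random secret, deliver it out of band, and accept it once. The following is an added example, not code from the article, showing one way to implement the server side so that a code is bound to the address or number it was sent to, stored only as a hash, expires, is single-use, and locks after a few wrong guesses (all of these are assumed design choices, not claims from the article):

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: lock the challenge after five wrong guesses


class OneTimeCodeService:
    """Issues and verifies single-use codes for email or SMS delivery (hypothetical helper)."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # destination -> [digest, expires_at, wrong_attempts]

    def _digest(self, destination: str, code: str) -> str:
        # HMAC over destination + code: a code sent to one address or number
        # cannot be replayed against another, and the plain code is never stored.
        msg = f"{destination}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, destination: str, as_link_token: bool = False) -> str:
        # Six-digit code for SMS/email entry, or a URL-safe token for an email link.
        if as_link_token:
            code = secrets.token_urlsafe(32)
        else:
            code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._pending[destination] = [self._digest(destination, code),
                                      self._now() + CODE_TTL_SECONDS, 0]
        return code   # the caller delivers this by email or SMS

    def verify(self, destination: str, code: str) -> bool:
        entry = self._pending.get(destination)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(destination, None)   # expired or locked: discard
            return False
        if hmac.compare_digest(digest, self._digest(destination, code)):
            self._pending.pop(destination, None)   # single use: never accept twice
            return True
        entry[2] += 1                              # count the wrong guess
        return False
```

Re-issuing a code for the same destination replaces the earlier one, so a user who requests a fresh code invalidates the old one.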

Multifactor authentication is a more secure method of authentication that doesn’t use passwords and is often used by websites and apps that require a high degree of security. This method involves at least three layers of authentication, which could include fingerprint scans, security questions, voice recognition, PIN codes, face scans, or even contact information. The additional layers make it harder for bad actors on the Internet to access more sensitive information, such as your bank account details.

Implications for passwordless authentication

A company’s decision to transition to passwordless authentication is beneficial not just in terms of customer acquisition for the company but also in terms of increased security for end-users and customers. Having to create, remember, and reset passwords is often a complex and lengthy process, and this can lead users to abandon their attempts to access services, or it can lead companies to lose out on a huge potential customer base. On the business side, the company can save substantial investment in backend support and maintenance of password renewal and recovery systems, as well as in securing databases and access and ensuring that passwords are at minimum risk of being accessed or stolen by bad actors. They can instead divert those efforts to implementing a smoother authentication process that improves the end-users’ experience.

One of the major impacts of passwordless authentication is not only that it removes the pressure on users to remember new passwords, but also that it protects them from the security threat of reusing passwords across multiple sites. A data breach on one site could potentially compromise the security of the user’s information on multiple other sites if the user has reused the same password elsewhere. While this practice is generally warned against, it is estimated that nearly 60 percent of all users use the same password almost ubiquitously. Hackers have been known to exploit these vulnerabilities in the past, and passwordless authentication would help prevent a cascade of violations by ensuring that one slip-up doesn’t lead to casualties across websites.

Security risks associated with passwordless authentication

Passwordless authentication is not without its own security risks, however, and there are multiple ways by which even the most seemingly secure methods of authentication can be compromised. Fingerprints can be reproduced on prosthetic fingers or gloves, faces can be digitally reconstructed, SMS-based and email-based authentication have been compromised in the past, and multifactor authentication methods have been hijacked by thorough hackers. It is up to companies to ensure that they keep the end-users’ security among their highest priorities by researching ways to counter potential threats to the security of users’ information.

One of the more interesting ways that companies are attempting to authenticate users involves not only logging their fingerprints but also logging data such as the amount of pressure you use when typing, the way you hold your phone, your swiping patterns, and which hand is your dominant one. All these factors can be used to verify that the person using your device is indeed you and to prevent malicious actors from accessing your personal information.

While companies can do their best to secure your data with their best practices, at the end of the day, users are the ones who are responsible for how they use and store their data. Passwords are, more often than not, breached through human error by someone clicking on a link they shouldn’t, downloading software that they aren’t completely sure of, or engaging in poor password maintenance practices. Passwordless authentication is a boon in light of the overwhelming evidence that human beings cannot be trusted to look after their own security, as it reduces the degree to which human stupidity can interfere with stellar security measures. We’ll just have to wait to see if we manage to ruin that as well.

Featured image: Pixabay

Twain Taylor

My interests lie in DevOps, IoT, and cloud applications. I began my career in tech B2B marketing at Google India, after which I headed marketing for multiple startups. Today, I consult with companies in The Valley on their content marketing initiatives, and write for tech journals.

