What does (or can) passwordless login really mean?
Passwordless authentication. The industry has been talking about it for a decade, and suddenly all the cool kids are finally doing it. And honestly, it’s about time.
While users have become a little more savvy about clicking on bogus emails, password hygiene remains pretty lousy. Just ask the FBI. Their internet crime stats make it clear that phishing, vishing, smishing, and pharming are the most common attack vectors – by a landslide.
Add to that the hassle associated with forgotten password processes (which vexes your customers) and the cost of supporting account recovery (which sidelines your customer service team), and like I said…it’s time to send the password packing.
So what is passwordless authentication exactly, and are your customers ready to step into a phishing-resistant future?
Is passwordless really passwordless and how does it work?
To answer this question, let’s do a quick recap of what the purpose of a password is in the first place. In short, it’s a way to authenticate that the person signing in is, indeed, who they claim to be. The password – a “secret” thing that only you know – is one tried and true authentication factor. It’s also one of the easiest for an attacker to social engineer. Other factors – like things you possess (a device) and things you are (your face or fingerprint) – are less susceptible.
In short, if you let your customers authenticate and sign-in without requiring a knowledge factor, you’re using passwordless login.
How’d we get here: the evolution of passwordless authentication
Like every overnight success, the sudden arrival of passwordless login options on popular sites and apps has been in the works for a while. Two developments over the last several years dramatically accelerated its widespread adoption: smartphones with Face and Touch ID and the release of the FIDO2 protocol.
Before FIDO2, an earlier “passwordless” approach eliminated the knowledge factor (aka the password) altogether, and used an MFA method, such as one-time SMS codes, as the sole means of authentication. This made for a better user experience, but it didn’t assert a level of trust that’s comparable to what’s now possible with FIDO2.
Eighty-one percent of smartphones currently in use come with biometric capabilities. With advanced face and fingerprint readers tucked into so many pockets, consumer-oriented sites quickly seized on the opportunity to authenticate customers with Face and Touch ID (inherence factor) instead of passwords (a knowledge factor).
As a bonus, since customers use Face ID or Touch ID on their own phones (a possession factor), brands can check off two auth factors at once. So, not only is it passwordless, it’s a form of multi-factor authentication.
The one annoying thing about passwordless options like Face ID and Touch ID is that your biometric print is stored locally on your device. While that’s great from a security standpoint, it makes it harder when you want to access your accounts on different devices – say, your phone and then your laptop.
The good news is that just last year, FIDO announced a solution that’ll help customers get over this hurdle. It’s a technology called “multi-device FIDO credentials” – aka passkeys. With passkeys, customers can create biometric-based credentials on one device and use them to log in on other devices and even other OEM platforms.
By extending the boundary of trust from one device to another, passkeys function like a password manager – but without the password.
How secure is FIDO2 passwordless authentication?
In short, it’s secure. For the full explanation, jump over to our blog post: Why Face ID is more secure than you think.
If you just want the TL;DR, suffice to say that FIDO2 is grounded in 50 years of hard-core math that underpins public key encryption.
Behind the scenes it looks like this:
- The device passes a cryptographically secure token (stored in an encrypted, cloud keychain) to the site or app that proves the user’s identity.
- The biometric template sits on a chip inside the device, protected by multiple layers of encryption, making it nearly impossible for hackers to steal or replicate the tokens remotely.
- Built-in lifeness detection algorithms prevent device biometrics from being fooled by photos, videos, or other low-effort hacks.
That’s why FIDO2 is winning authentication: It’s easy for customers, secure for brands, and vexing for hackers.
Is passwordless sign-in right for my brand?
The marketing team is usually chomping at the bit to launch passwordless options since it reduces sign-in friction for customers. And increasingly, CISOs are leading the charge to reap the security benefits.
Before you flip the switch, though, here are a few questions to assess whether passwordless is right for your brand and to make your rollout smooth sailing.
- What devices do your customers use today? Are those devices fully equipped with biometrics and do your customers use them?
If your customer base trends older, less tech savvy, or resistant to biometric device unlock, you may need to continue offering less secure MFA options. Admittedly, FIDO2 passwordless beats out the best non-inherence MFA, like sending one-time codes for every login. But sticking with passwords might be better than losing customers outright.
- What account recovery options will you need to build for users who lose access to their biometric-enabled device?
Every day, mobile phones fall in the ocean, get left on airplanes, or otherwise meet with disaster. When they do, there go your biometric templates! If you’re relying on a standard self-service recovery process that uses security questions or something similar, your customers are vulnerable to social engineering attempts.
Remember: Your customers’ account security is also only as strong as your account recovery process. So consider using a system that relies on backup codes or puts a human in the loop. For example, a customer service rep could remove the device, manually add an MFA method, and send a one-time code to a new device to prove possession. Then the customer can authenticate using biometrics on the new device.
It’s time to meet your customers where they are
If your customer base uses biometric-capable devices to access your website or app and they’ve mastered the use of their face (or fingerprint or voice) to unlock those devices, now’s the time to throw those passwords overboard.
At Strivacity, we implement FIDO2 biometrics as part of our customer journeys. And we make it easy on brands, too.
Wanna see how? Contact our team to find out how you can get all the security and convenience of passwordless authentication.
We’re saving you a seat at the cool kids’ table.