What Are Passwordless Logins and How Do They Work?

Passwordless logins are ways for users to access a network or device securely without entering a password. Chances are you already use a passwordless login on your smartphone and just haven’t heard the term.

In that case, you unlock the phone with a biometric such as a fingerprint or face scan. Instead of relying on users to remember complex passwords, never reuse them, and follow every other best practice, the system is designed with human nature in mind.

While biometrics are often part of a passwordless login system, passwordless logins can also be combined with multi-factor authentication (MFA), as discussed below.

In this article, we look at a long-awaited development in network security, including the history, functioning, and pros and cons of passwordless logins. 

Passwordless logins might be part of the future of passwords, but there will always be passwords, and the good ones are often too complex to remember, especially when you need hundreds of unique ones across all the apps and sites you frequent.

Let TeamPassword take care of securely remembering your passwords while you focus on growing a successful business!


Sign up for a 14-day free trial to test TeamPassword with your team members today.


The history of passwordless logins

The idea of passwordless logins has been around for a long time. In 2004, Bill Gates predicted that passwords would soon be obsolete, stating that “they just don't meet the challenge for anything you really want to secure.”

Then, in 2011, IBM predicted that, within five years, “you will never need a password again.”

In 2012, after his own accounts had been hacked, Wired journalist Mat Honan wrote that “the age of the password has come to an end.”

In 2013, Heather Adkins, manager of information security at Google, stated that “passwords are done at Google.” Similarly, Eric Grosse, also at Google, commented that “passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe.”

While the age of passwords has clearly not ended, that of passwordless logins has begun, and we are likely to see more and more innovations in passwordless logins going forward.


How does passwordless authentication work?

The main goal of passwordless authentication is to ease the login burden on the user and, where possible, to reduce the amount of interaction required. Most modern schemes use public-key cryptography: the user’s device holds a private key that is kept secret, and the service holds the matching public key, which need not be secret. Proving possession of the private key, rather than typing a shared secret, is what logs the user in.

If this sounds simple, prepare to be disappointed. Multiply the growing online population by the number of logins each person uses regularly, and it becomes clear how much of a burden deploying and supporting these more advanced authentication systems at scale can be.

While technology is progressing briskly and there are already many passwordless login approaches available, none are yet mature enough to be crowned the winner. This means that, in the security systems we see online, many different passwordless solutions are still being advanced. 

For example, multifactor authentication, single sign-on (SSO), password managers, and adaptive access policies are already being leveraged along with biometrics to reduce the number of passwords a user needs to remember and how often they need to be entered. All of this simultaneously improves the ease of use of online apps and increases their security.

To add a bit more detail, passwordless authentication typically relies on a key pair, using what is called public-key (or asymmetric) cryptography. Each pair consists of a public key and a private key; anything signed with the private key can be checked with the public key, but the public key reveals nothing about the private one.

The public key is sent to the authentication service (a server, application, website, etc.) once, during registration. At each login, the service sends the device a fresh random challenge; the device signs it with the private key and returns the signature, which the service verifies against the stored public key. Because the challenge is single-use, a captured response cannot be replayed, and because the service never holds a secret, a breach of its database yields nothing an attacker can log in with.

The private key is kept on the user’s device (computer, smartphone, smartcard, etc.) and is unlocked only by a factor verified locally on that device, most often a biometric, though a device PIN is also common. Whatever unlocks it never leaves the device; only the signature crosses the network. Factors other than a memorized password can generally be grouped into two types:

  • Ownership factors (i.e., something the user has): smartphones, one-time password (OTP) tokens, smartcards, or hardware security keys. A known geo-location or network address is sometimes treated as a weak ownership signal, but both are easy to spoof and are better used for risk scoring than as an authentication factor on their own.
  • Inherence factors (i.e., something the user is): biometric identifiers such as fingerprints, facial recognition, or an iris or retina scan. They can also include behavioral patterns, such as typing rhythm, gait, or a hand gesture.

Whichever kind of factor unlocks the passwordless login, the key requirement is that nothing the user has to memorize is sent to or stored by the service; there is no shared secret to phish, guess, or leak.

While passwordless authentication is sometimes confused with multifactor authentication (MFA), they are separate security systems that are sometimes implemented together, the so-called passwordless MFA. 

MFA is a security system in which multiple different login steps are required. For example, you first enter a traditional username and password. Then, in a second step, you approve a push prompt in, or type a one-time code generated by, an authenticator app such as Microsoft Authenticator. In this case the MFA system is not passwordless, because the first factor is still a password.

In passwordless MFA, the first step might be a fingerprint scan that unlocks a device-held key instead of a username and password, while the second step could still be the same OTP code or one of the other commonly used MFA methods such as a phone call. Phone-call and SMS codes are the weakest of these, since they can be intercepted through SIM-swapping attacks, so they are best kept as a fallback rather than the primary second factor.

Don't let your company fall victim to extortion emails, credential stuffing, and other password vulnerabilities. Let TeamPassword take care of security while you focus on your other jobs.



Pros and cons of passwordless logins

As with any of the current or future login systems, passwordless logins are not free of disadvantages. However, most would agree that on balance, they provide better and more user-friendly security than the traditional password systems. Let’s look at some of the specific pros and cons of passwordless logins.

The advantages of passwordless logins

The proponents of passwordless logins have a long and comprehensive list of the benefits of ditching passwords. Here are a few:

  • Greater security: Passwords are a well-known weak point in computer systems, frequently the weakest: they are reused, shared, phished, and cracked. Stolen or guessed credentials are consistently among the most common initial access vectors in breach reports, and a passwordless login removes that shared secret entirely.
  • Better user experience: This advantage is pretty clear. Users are traditionally asked to remember many complicated passwords, told not to write them down, and made to change them every couple of months (a practice that current guidance such as NIST SP 800-63B no longer recommends). Passwordless logins require you to remember nothing, and there is nothing to renew periodically.
  • Reduced IT costs: No password storage or management is needed, and IT teams no longer spend much of their time setting password policies, detecting leaked credentials, or resetting forgotten passwords.
  • Better visibility of credential use: Since access is tied to a specific device and its private key, a credential cannot be handed around by e-mail or sticky note the way a password can. It is much clearer who is logged in and from where, and sharing one login among many people becomes impractical rather than routine.
  • Scalability: The modern Internet user reportedly has around 200 logins. That is not sustainable in the password world without cutting corners such as reuse, which makes passwords less effective. Passwordless logins scale with the number of accounts rather than with what a user can remember, since they demand nothing of the user’s memory.

The disadvantages of passwordless logins

While the benefits of passwordless logins are clear, they are not without issues. The following are some of the current problems:

  • Implementation costs: While, as mentioned above, the cost to run a passwordless login system is low, the implementation costs can be quite high. For example, if you want to use a smartcard system for passwordless authentication, then you need to put an extra piece of hardware into the hands of every user. 
  • Training and expertise needed: Every new technology has a learning curve. Both end-users and IT teams will need to learn how to use these new systems.
  • Single point of failure: The reliance on separate hardware, and often a specific piece of hardware (i.e., your smartphone, not a smartphone), means that a lost, broken, or stolen device can lock a user out of not just one but all of their accounts. This is manageable, but only if it is planned for before rollout: register more than one authenticator per user (phone plus laptop or a hardware key), keep recovery codes offline, and have a documented, identity-verified re-enrolment process, since a weak recovery path quietly becomes the easiest way in.


Is Passwordless a good choice for me?

If your business has the goal of reducing its security risks caused by passwords, then going passwordless is probably a good idea. 

However, passwordless logins have their negative points, and you may be trading off a lot of extra training for your IT department and upfront costs for the longer-term benefits of increased security and a more user-friendly system.

So, there’s a good reason for organizations to want to dump passwords and move to passwordless authentication. However, many of the same benefits can be gained simply and quickly with a good password manager. It reduces the mental burden of remembering many passwords and removes the temptation to cheat by reusing passwords or picking ones that are easy to guess.

Whatever form logins take in the future, a password manager will remain a necessary part of network security for the many systems that still require passwords. Only with TeamPassword can you ensure your team members are proactive participants in network security.
