Passwordless authentication verifies user identities without passwords or other memorized information. Instead, the security team verifies a user’s identity using either a “possession factor,” which is an object that uniquely identifies the user (e.g. a registered mobile device, hardware token, or a generated one-time password) or an “inherent factor” (e.g. fingerprint or facial scan). When used with multi-factor authentication (MFA) and single sign-on solutions, passwordless authentication can improve user experience, strengthen security, and reduce the cost and complexity of IT operations.
Unlike possession and inherent factors, traditional authentication is based solely on something the user knows, such as a password, that is by nature vulnerable to both reuse and theft. In 2020, more than 80% of hacking-related data breaches involved either brute force or the use of weak or stolen passwords.
Passwords also require constant management from both users and IT staff. For the average user, keeping track of ever-multiplying passwords of varying complexity is at minimum a hassle, and often a challenge. Forgotten passwords can delay work or trigger account lockouts. To aid memory, users often reuse passwords across accounts or write them down, further compromising an already weak system. Password reuse can also multiply the impact of hijacking, phishing and data breaches, making it possible for an attacker to unlock multiple accounts with a single stolen password.
For IT staff, managing password resets even for legitimate users can be an expensive and time-consuming activity. At larger businesses, nearly 50 percent of IT help desk costs are allocated to password resets; that can amount to more than $1 million in annual staffing, just to help employees reset their passwords. Resets also divert attention from higher-value digital transformation agendas or defending against sophisticated cyber attacks.
Passwordless authentication provides a single, strong assurance of user identity. For organizations, this means:
- Better user experience: Users no longer need to remember and update complex password and username combinations just to be productive. With streamlined authentication, users can log in faster with less frustration.
- Stronger security posture: Without user-controlled passwords, there is no password to hack, eliminating a whole class of vulnerabilities and a major source of data breaches.
- Reduction in total cost of ownership (TCO): Passwords are expensive, requiring constant monitoring and maintenance by IT staff. Removing passwords eliminates the need to issue, secure, rotate, reset and manage them; reduces the volume of support tickets; and frees IT to deal with more pressing issues.
- IT control and visibility: Phishing, reuse and sharing are common problems in password-protected systems. With passwordless authentication, IT reclaims complete visibility into identity and access management.
As the name suggests, passwordless authentication, or password-free authentication, eliminates memorized passwords as a requirement for verification. Instead, users authenticate their identity with more secure methods such as:
- Generated one-time passwords (OTPs)
- App-based options including tap or push to approve
- FIDO2 security keys
- Biometrics to complete the authentication process
Passwordless authentication uses a range of authentication and encryption protocols. One key difference between passwordless and traditional authentication is that, unlike traditional authentication, passwordless credentials are not fixed or reused. Instead, new authentication data is generated at the beginning of each session.
To go from a passwords-for-everything approach to a passwordless future, take it one step at a time, using these best practices:
- Take a gradual approach that’s easy on users. Start with one access point or user group, then expand from there to give users time to learn the system.
- Focus on convenience as much as security. The easier an authentication method is to use, the more likely users are to adhere to its guidelines.
- Apply strong authentication at weak points first. Where does traditional authentication leave you most vulnerable? Start there.
- Keep your eyes on the prize. Steady improvement adds up.
The world’s most widely deployed multi-factor authentication solution is SecurID—the identity management platform that security-sensitive organizations trust on premises and in the cloud. SecurID offers:
- A wide range of passwordless authentication options, including FIDO keys for logging into cloud/SaaS or web-based applications, as well as Windows machines; push-to-approve; fingerprint and facial biometrics; “bring your own authenticator”; and hardware tokens that represent the gold standard of authentication
- RSA Ready partner relationships with FIDO authentication leaders, ensuring out-of-the-box interoperability with FIDO-based passwordless solutions
- Risk scoring informed by advanced AI and machine learning that calculates access risk based on business context, device attributes and behavioral characteristics, then steps up authentication accordingly
- Protected self-service credential management options that eliminate password-dependent workflows to shore up security in onboarding, credential recovery and emergency access
- Always-on strong authentication, with 99.99% availability and a unique “no-fail” capability for Windows and macOS that ensures secure, convenient access even when network connectivity is interrupted