What You Should Know About Passwordless Authentication 

Passwords have become the Achilles heel of cybersecurity. As we live more of our lives online, we accumulate username-and-password combos — the average person has over 100 passwords.[1] And many of those fail to meet strong password conventions. One study found two-thirds of U.S. adults repeat passwords across services, and one in three share passwords with friends and family — like that Netflix login. And if that’s not bad enough, the same study found the most common password in use today is “12345”.[2] 

Even attempts to boost passwords by adding challenge questions have limited effectiveness. Anyone who’s been warned not to fill out those “Which Sex and the City character are you?” social media quizzes knows hackers get creative to steal those secondary factors, too.[3]

It’s no wonder that identity-based attacks are the source of most data breaches today.[4] Bad guys have built a new sideline out of stealing and reselling valid credentials on the dark web via phishing and other “credential harvesting” attacks. Demand for the services of initial access brokers that sell illegitimate access to corporate networks more than doubled in the last year, according to a recent report from Mimecast partner Crowdstrike.[5]

A strong defense against phishing and other email compromises can provide air cover to efforts to prevent credential theft, but defenders have to attack this problem on multiple fronts. Given that most attacks target or make use of credentials, fortifying identity and access management is also important. Passwordless authentication is an alternative to password-based logins — one that’s gathering momentum as major tech companies commit to supporting the newer approach.[6] Understanding what passwordless authentication is — its benefits, challenges, and limits — and how it can integrate with other cybersecurity tools is essential.

What is Passwordless Authentication? 

Imagine walking into your house without a key. A signal from your phone or a scan of your face unlocks the front door to let you in. That’s a lot like how passwordless authentication works.

Passwordless authentication sidesteps the primary disadvantages of password-based credentials by verifying users are who they claim to be through means other than a random string of letters and numbers — or, worse, a user’s street address or mother’s maiden name. 

The evolution of passwordless authentication has grown in parallel with advances in technologies such as single sign-on (SSO) and multi-factor authentication (MFA), and alongside the boom in smartphones. The evolution of standards such as Fast ID Online (FIDO) and the National Institute of Standards and Technology’s NIST 800-63B made doing away with passwords a possibility. In 2022, Apple, Google, and Microsoft put competition aside to form an alliance backing the development of a passwordless standard.[7]

Passwordless authentication uses alternative ways to verify a user’s identity before granting access to an organization’s network resources, such as: 

• Biometrics: The use of devices with cameras and touch screens enables biometric identification by scanning the user’s fingerprint or face or by using a voice print. To date, this has been considered the gold standard in authentication since it’s the hardest to replicate. There is growing concern about “deep fake” technology and voicemail scams generally. But while they may fool a human user, there is no evidence yet that deepfakes can overcome biometric defenses. 
• Authentication Tokens: MFA using a physical token that generates a one-time code or an authenticator app connected to a previously verified device or email account. This replaces the old sticky note with the password stuck on the side of the computer screen and makes identity portable as more organizations embrace remote work. (Note: this only qualifies as passwordless when none of the factors are password-based.) 
• Push Notifications: An alert sent to an email account or to a previously verified device asks the user to authorize a login, rather than send a one-time code. Beware: the bad guys are trying to crack this defense, too. A rideshare service was hacked by first stealing credentials and then swamping that user with authentication requests. When the user slipped and clicked on a prompt, the hacker got in and moved around the network, announcing the breach in the company Slack channel.[8]

The Challenges of the Passwordless Evolution

Information security professionals have dreamt of a password-less future since biometric identity checks first became possible nearly 30 years ago. But only over the last decade, as the growth in devices made password alternatives a possibility, have those dreams become more realistic.

Adoption of passwordless authentication thus far has been measured. A recent survey from Mimecast partner Okta found just under one in five of its platform users have integrated an application program interface (API) for passwordless authentication, but that’s an improvement over the 11% who were using one two years ago.[9]

There are some common hurdles to passwordless adoption that companies should be prepared to address.

• Stakeholders Don’t Understand Passwordless: Managers and users may get passwordless authentication confused with MFA or SSO, both of which are enablers of passwordless systems, but not the whole solution. MFA and other authentication tools can add more friction to the user experience, making management worry that passwordless will slow down or obstruct daily operations.
• Systems Don’t Get Along: Traditional on-premises systems are built to protect the perimeter with a firewall and let users move freely inside it, so adopting passwordless access with legacy applications can be tricky. Additionally, cloud services can hold up adoption, even as cloud service providers themselves embrace passwordless access. Cloud platforms may have their own competing security protections and identity-vetting systems, and many companies today rely on multiple cloud platforms.[10]
• Change Is Expensive: Resolving these and other issues takes time and effort. Organizations may have to overhaul traditional infrastructure and access policies to enable passwordless authentication. Users may have to be verified (usually by checking a government-issued ID) and their authentication factors vetted and recorded. Access policies have to be audited and revamped to establish a zero trust environment across the network. And, ideally, privileged access will be limited and governed by identity and access management (IAM) systems.

Paving the Way to Passwordless

To meet those challenges, security professionals can embrace a number of best practices for passwordless authentication adoption. These include:

• Making the Move Gradual: To avoid the burdens of a wholesale transition to passwordless access, organizations can maintain password-based access for some less-sensitive resources. It helps if the organization has already audited its network to work out what resources it has and the levels of risk involved in each. That way, it can prioritize which can be left alone for now and which would benefit from the upgraded security of passwordless authentication. 
• Using Behavioral Analytics: Enforcing access policies is easier if the system can factor in the context of user activity to decide whether to step up identity checks or let a user continue its activity unchallenged. If an employee is suddenly logging in from an unfamiliar server or physical location, an IAM system can trigger a verification check. This reduces friction — one of the anticipated management concerns. 
• Focusing on Policies: Passwordless access is easier to enforce if the organization already enforces zero trust across the network. This requires policies that maintain least privileged access and enforce it consistently. Before adopting passwordless access, organizations should clarify their policies and continue updating them based on threat intelligence. This is another function where automation can relieve the load on security staff.

The Bottom Line 

Integrating identity and access management into a holistic security platform can create a layered cybersecurity defense capable of adapting to evolving threats. The effort required to establish passwordless authentication can deliver significant benefits, eliminating a weak link in cybersecurity and making zero trust possible. Find out more about integrating identity protections — and passwordless authentication — into your security platform by watching sessions from Mimecast’s SecOps Virtual 2023 event. You can also read more about Mimecast’s integration with Okta’s Identity Cloud.

[1]“Study Reveals Average Person Has 100 Passwords,” Tech.co

[2] “America’s Password Habits,” Security.org

[3] “BBB Scam Alert: Bored? Think twice before taking that Facebook quiz,” Better Business Bureau

[4] “2022 Data Breach Investigations Report,” Verizon

[5] “CrowdStrike 2023 Global Threat Report,” Crowdstrike

[6] “Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms,” The Verge

[7] Ibid 

[8] “Uber Investigating Breach of its Computer Systems,” New York Times

[9] “Businesses at Work Report 2023,” Okta

[10] “Cloud services market to grow 20% by 2029 following pandemic step change,” IT Pro