Passwordless Authentication

Passwordless authentication is a method of verifying a person's identity without using a password. Instead, it relies on stronger authentication factors such as a possession factor (a registered device or security key) or an inherence factor (a biometric).

Passwords are one of the greatest security weaknesses, and their continued use leaves organizations and people exposed to many forms of attack: phishing, brute-force guessing, man-in-the-middle interception, keyloggers, and SIM swapping against the SMS codes that back them up or reset them. Passwords also cause enormous user frustration, especially as we try to make them safer by requiring longer and more complex character strings and regular changes (mandatory periodic rotation is something NIST SP 800-63B no longer recommends). Passwordless authentication is meant to eliminate those vulnerabilities while also being more convenient for users.

There is some debate about what qualifies as passwordless authentication. For example, one-time passwords (OTPs) are sometimes called passwordless, even though an OTP is still a (temporary) password: it is a shared secret that the user reads and types in, so it can be phished, relayed through a proxy in real time, or intercepted, like any other shared secret.

FIDO Passwordless Authentication

The Fast Identity Online (FIDO) Alliance publishes specifications for phishing-resistant, passwordless authentication. Under the original FIDO (UAF and U2F) standards and the later FIDO2 standards (WebAuthn and CTAP), shared secrets are eliminated from the authentication process: the authenticator holds a private key scoped to the relying party, the server stores only the matching public key, and each login is a signed response to a fresh server challenge. Passkeys are FIDO credentials of this kind; they combine public-key cryptography with on-device user verification (a biometric or a local PIN). HYPR is an example of a passwordless authentication solution built on FIDO standards. Here is an explanation of how it works.

How Secure is Passwordless Authentication?

Passwordless authentication based on FIDO specifications is highly secure. The Cybersecurity and Infrastructure Security Agency (CISA), NIST, the Office of Management and Budget (OMB) and other US government bodies treat it as the gold standard for phishing-resistant authentication. In practice the remaining weak points move to enrollment and account recovery, so those flows need the same phishing-resistant treatment as the login itself.

Passwordless Authentication vs. MFA

Multi-factor authentication (MFA) requires you to verify your identity with two or more independent factors. These factors can be knowledge (something you know, like a password or PIN), inherence (something you are, like your face or fingerprint), or possession (something you have, like a registered device or security key). The vast majority of MFA deployments still use a password as one of the factors.

Passwordless authentication uses inherence and/or possession factors rather than a server-side knowledge factor. (A local PIN that unlocks a security key is still a knowledge factor, but it is checked on the device and never transmitted, so there is no server-side secret to steal.) Passwordless authentication can be single factor or multi factor, depending on the implementation and technology: a passkey unlocked by a fingerprint, for example, combines possession of the device with inherence in a single step.
