Passwordless Authentication Is Ready for Its Close-up

MFA strengthens security by adding another element to passwords. Yet, MFA isn’t foolproof, as hackers can still circumvent it. That’s where passwordless authentication comes in.

Karen D. Schwartz, Contributor

March 2, 2023

6 Min Read
Passwordless Authentication concept

Table of Contents

1. Why Multifactor Authentication Isn't Foolproof

2. How Passwordless Authentication Is Different

3. The FIDO Era

4. Considerations Before You Adopt Passwordless Authentication

5. What’s Ahead for Authentication

Passwords, despite their prevalence, have never been entirely effective at preventing bad actors from accessing sensitive resources. Phishing, social engineering attacks, educated guesses, malware, and brute force attacks are only some of the ways hackers can break through.

It doesn’t help that many users choose simple passwords and reuse them often. According to Verizon’s 2022 Data Breach Investigation Report, hackers attempt 50 million password attacks every day. About 60% of data breaches are the result of compromised credentials. It doesn’t help about half of employees share passwords with colleagues or that they reuse passwords across an average of 16 workplace accounts.

Why Multifactor Authentication Isn’t Foolproof

These are just some of the reasons why multifactor authentication (MFA) has become so popular. MFA strengthens security by adding another element to passwords, like a fingerprint or a question that only the user would know. While the federal government got on board in 2021 with an executive order that mandated the use of MFA for all agencies, the same isn’t true of private industry. According to a Secret Double Octopus study, only 16% of organizations use MFA across all password logins.

While MFA does offer better security than simple password systems, it isn’t enough to solve the problem. For example, MFA systems typically send verifications via email, which can be intercepted by hackers. Hackers can also circumvent SMS-based MFA by convincing the phone company to register the hacker’s physical device as the victim’s.

In addition, hackers often continue trying to log in, hoping that the victim will be tricked into acknowledging a request, noted Tim Morris, chief security advisor at Tanium, a cybersecurity vendor. In September of 2022, for example, ridesharing company Uber was subjected to MFA bombing, a type of MFA fatigue attack.

How Passwordless Authentication Is Different

That’s where passwordless authentication comes in. Instead of relying on a password – something MFA still does – passwordless systems use alternate means of authentication. It’s a way to devise an authentication method, like a facial or fingerprint scan or a USB security key, that is resistant to phishing.

It’s important to understand that some vendors call their products “passwordless” when those products aren’t. One-time passwords, sent to a user’s mobile phone or email, along with mobile push notifications, still provide a way in for hackers, who can steal and use those one-time passwords. And then there are “magic links,” which send a one-time link to users during the authentication process. After users click on the link, they can authenticate themselves without entering a password. These also can be subject to hacking.

But true passwordless authentication is much safer than other forms of authentication. According to Enterprise Strategy Group, more than half of organizations have started transitioning to passwordless authentication. More than half of those who have adopted it have experienced significant risk reduction along with increased efficiency for IT and security teams.

The FIDO Era

There are two ways to achieve passwordless authentication. The first is to eliminate the passwords from the traditional MFA approach. For example, instead of using a password, the user could be require to use a voiceprint, fingerprint or facial scan, or a PIN. While this is still MFA-based authentication, it provides more protection against phishing and social engineering attackers, said Jack Poller, a senior analyst with Enterprise Strategy Group.

Despite the benefits of passwordless MFA, Poller believes there is a better, second method. Many agree. This method uses public key cryptography based on FIDO2. The system pairs two keys, one public and one private. An email or website or sensitive data encrypted with a private key can only be opened by the public key. The company retains the public key while the user keeps the private key. Typically, private keys are stored in a hardware vault inside a smartphone or laptop or externally in a hardware security key, which typically requires a hardware authenticator with a PIN for access. The market leader in hardware authentication is Yubico, but there are other options, as well.

“The same thing happens when you go to a website over an SSL or TLS protocol and a certificate exchange takes place,” explained Horacio Zambrano, a cyber market strategist with Secret Double Octopus. “With FIDO, you have a key and a backend FIDO server that manages the public keys and knows about the private keys. That server manages and allows the authentication to happen.”

FIDO keys are considered the strongest form of authentication. Unlike other methods, these keys can thwart a “push bomb,” where a user gets an accept/deny alert and mistakenly accepts because they are distracted. This is a particularly big issue with smartphones. With FIDO2-based systems, if a user presses “accept,” a rapid biometric like a facial scan is initiated. That makes the entire system more secure.

Considerations Before You Adopt Passwordless Authentication

Whichever system you choose – a system based on FIDO2, MFA, or both – should depend on your specific concerns and security requirements. Organizations in highly regulated industries might be more likely to go with a FIDO-focused system, for example.

It’s crucial to understand what needs to be protected, how data is classified, and how to balance convenience with cost, Morris said.  

It’s also important to determine if the passwordless authentication system integrates with existing identity and access management systems your organization has, especially the single sign-on portal. In addition, pay attention to any legacy applications that must be supported.

While FIDO2-based authentication isn’t yet pervasive, its time in the limelight is coming. Last year, for example, Apple, Google, and Microsoft announced that they would expand support for FIDO2.

What’s Ahead for Authentication

The next hurdle is for organizations to adopt the same kind of identity-proofing that occurs on the consumer side. This essentially validates someone’s identity based on a combination of facial scans and government-issued documents like driver’s licenses or passports.

“Most companies today are okay with using a corporate email as a form of authentication to provide access to corporate resources, but it’s not good enough,” Zambrano said. “If somebody had access to your corporate email, that first login might not be the actual employee but someone else who knows your corporate email. Verified identity proofing takes it to the next level. That’s the next bar: APIs into government-issued credentials so the pictures they store can be facially compared.”

About the Author(s)

Karen D. Schwartz


Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like