Taking care of shopping, official business and online banking over the internet is convenient and very popular. The only downside: to log into the accounts that all these online transactions require, people need passwords. But passwords are both inconvenient to type in and easy to forget. The result: users are repeatedly faced with the hassle of having to request and set new ones. In addition, there is the risk that the passwords may fall into the wrong hands. Passwordless authentication can solve these issues. But what is it? And is it really secure?
To prevent unauthorised people from accessing an online account, users must be able to prove their identity with their login data. The most common form of user authentication is the combination of a username and a password; it may also be a PIN or a passphrase. These methods rely on one main factor, knowledge: the user must prove that he or she knows the “secret”. But this type of authentication is not without its problems. How can users, and the providers to whom they reveal the secret in order to authenticate, really be sure that no third party knows it?
There are many reasons why passwords are an Achilles heel for IT security. For one thing, many users just don’t want to bother with them, so they choose passwords that are easy to crack or use one password for multiple accounts. Then it’s a snap for criminals to get into user accounts with methods like credential stuffing and cause major damage. What’s more, the user has no control over whether the provider is really keeping their secret safe. After all, hackers attack company servers all the time, often pilfering vast numbers of passwords. And in those cases, passwords that protect multiple accounts become a huge problem because they give the cybercriminals access to so many different accounts.
The options for passwordless authentication
Unlike password-based authentication, the passwordless options do not rely on passwords or other stored secrets – i.e. the knowledge factor – to check a user’s identity. Instead, they verify identity reliably with methods based on the possession factor, such as a registered mobile device or a hardware token, or on the inherence factor, i.e. a person’s biometric “signature”: their fingerprint, iris or face.
There are various technologies that enable passwordless authentication.
Magic link via email
An email is sent to the user containing a “magic link” that he or she can use to log in. But this method is not secure, because email accounts can be hacked, too.
Mobile authenticator and FIDO
Login requires the confirmation of a request by an authenticator that is installed on the smartphone, also known as an authentication app. This type of login is very secure.
How do mobile authenticators and FIDO work?
The term “mobile authenticator” refers to a mobile app that is installed on a smartphone. It uses the smartphone’s hardware security module for authentication. For security and interoperability, the system relies on FIDO (Fast IDentity Online), which is a set of standards for fast, simple and secure authentication. It also works as part of two-factor (2FA) or multi-factor (MFA) authentication.
The FIDO2 standard is especially important for authentication in desktop environments and on mobile devices. The FIDO Alliance developed this standard together with the W3C (World Wide Web Consortium); it comprises the W3C Web Authentication standard (WebAuthn) and the FIDO Alliance’s Client to Authenticator Protocol (CTAP).
The WebAuthn programming interface lets an application running in a web browser communicate directly with an authenticator, such as a mobile authenticator on a smartphone. The CTAP communications protocol, in turn, manages the secure interaction between the client platform that runs the application and the authenticator.
When authentication is done by means of a mobile authenticator, a crypto or TPM (Trusted Platform Module) chip built into the phone ensures that only authorised users can access the online account. The private key held on the chip cannot be read out, cracked or copied; the authenticator only ever uses it inside the chip, and only for the purpose of unlocking the login.
An authenticator can employ various verification methods for authentication. Among the most user-friendly of them is biometric authentication, which scans the person’s fingerprint, face or iris with the biometric sensors that are found in all smartphones today. Since most people now have their smartphones on them at all times, the authentication app is virtually always at hand.
So, with passwordless authentication via a mobile authenticator app and biometric data, each and every login is a pleasant experience for the user. And the inconvenience of having to remember and type in passwords becomes a relic of a bygone era that no-one will miss.