What Is Passwordless Authentication and How Does It Work?

Passwordless authentication allows users to access services and platforms through a process that relies on cryptographic key pairs and biometric features, thereby providing a secure and convenient authentication experience.

passwordless

Passwordless Authentication

Passwordless authentication is a feature that allows users to log in to services and platforms without a password. Instead, the login process can be accomplished with biometrics like facial recognition and fingerprint scans.

Passwordless authentication processes are generally considered a form of multi-factor authentication (MFA). The use of additional authentication factors provides an added layer of security while maintaining a high level of ease and convenience.

Benefits of Passwordless Authentication

Passwords are the weakest link in the authentication process. They are often either reused or not sufficiently secure to prevent an account from being compromised. This is the primary benefit of passwordless authentication. However, there are other benefits as well. These include:

  • Added security: As mentioned, passwords are highly susceptible to cyber attacks and data breaches. More specifically, stolen and compromised passwords leave all user accounts across multiple platforms and services vulnerable to more aggressive attacks like credentials stuffing and brute-force attacks. This is equally problematic for users and companies. Eliminating passwords removes this threat.
    In the following interview, Stephan Schweizer (CEO of Nevis) describes the dangers of credential stuffing and how Nevis uses FIDO passwordless authentication to increase security and reduce reputational risks.
  • Improved user experience: Using biometrics instead of passwords for authentication eliminates the tedious and time-consuming process of typing in long and complex passwords. And remembering them as well.
  • Lower cost of operations: Companies that rely on password security have to implement complex policies, including password hashing and storage as well as password breach detection mechanisms, to ensure a marginal level of security. On top of these expenses, the customer service costs associated with password resets are extensive. These costs fall away with passwordless authentication.
  • Added speed: Passwordless authentication is 3x faster than sign in with passwords.

How Does Passwordless Authentication Work?

As mentioned, passwordless authentication is a form of MFA. It relies on the use of a cryptographic key pair: the public key, which is held by the service provider, and the private key, which never leaves the user’s device. However, during an authentication process, it can be unlocked using biometrics (facial recognition or an iris or fingerprint scan) to complete the authentication process. Here’s how it works:

  • Key-pair generation: During the sign-up process the authenticator (mobile device or computer) creates a key pair. The private key remains on the device while the public key is provided to the service provider/web portal/app/etc.
  • Challenge generation: The next time the user wants to log in to the service, a challenge is generated by the service provider/portal and sent to their authenticator device.
  • Login with private key: The user uses a biometric identifier to unlock the private key stored on the authenticator device. The challenge is signed with the private key. At this point, the public key assesses if the right private key has been used. If so, the user is logged in.

FAQ about Passwordless Authentication

Why Does Password-Free Authentication Increase Security?

orange-plus orange-minus

Passwords can be easily guessed or stolen through phishing, social engineering or other means. Passwordless authentication, on the other hand, uses more secure methods such as biometrics, one-time codes or security keys, which make it much harder for an attacker to gain unauthorised access to an account.

More information about the safety question of the Face ID biometric authentication method.

Why Is Passwordless Authentication Convenient?

orange-plus orange-minus

With passwordless authentication, users do not have to remember complex passwords, which can be difficult and time-consuming. This makes the login process more convenient and efficient, resulting in a better user experience.

In our opinion, using complicated passwords is a fail. Read more in this blog.

Why Does Passwordless Authentication Reduce Costs?

orange-plus orange-minus

Passwordless authentication can also reduce the costs associated with password management and account recovery. By eliminating password resets and support requests, companies can save time and resources.

We have compiled here how much resetting passwords actually costs a company and how many billions are lost this way.

Why Does Password-Free Authentication Help With Regulatory Compliance?

orange-plus orange-minus

Many government regulations require companies to implement strong authentication measures to protect sensitive data. Passwordless authentication can help companies meet compliance requirements and avoid costly fines.