What is passwordless authentication?

What is passwordless authentication?

Passwordless authentication refers to methods that allow users to log into IT systems such as websites, databases, and applications without entering text-based passwords, credentials, or other “secrets.”

Instead of relying on passwords, users confirm their identity and gain access to systems in other ways. IT policies may be able to operate behind the scenes, for example, by using Single Sign On (SSO) to recognize a user and log them in automatically.

Alternatively, systems may use biometric evidence like fingerprints or facial recognition, possession-based factors like hardware tokens, or location-based factors like proximity badges, to confirm the user is who they claim to be before granting access.

At the moment, more focus is on the passwordless experience than passwordless implementation. With a passwordless experience, people authenticate to resources without seeing or having direct access to any shared secret.

Full passwordless implementation, in which the authentication system doesn’t maintain any shared secret at all, is much further off, especially for machine identities and service accounts.

Key advantages of passwordless authentication include:

• Enhanced security
• Stronger identity assurance
• Better user experience without password fatigue
• Reduced IT costs for password resets and help desk

The evolution of passwordless authentication

Passwords have been an area of cybersecurity risk for a long time.

The rise of identity theft and data breaches can be commonly traced to weak or shared passwords. Even with good password hygiene, passwords can be stolen through phishing and brute force attacks.

The origins of passwordless authentication began in the 1980s with physical fobs holding one-time passcodes. This evolved into time-based and hash-based protocols in the 1990s before smart cards and early multi-factor authentication emerged.

Today, Google, Apple, Microsoft, and the media are driving the vision of passwordless authentication for consumer technology. Passwordless authentication in the workplace, though on a slower path than consumer tech, is also evolving.

Types of passwordless authentication

Passwordless authentication can be achieved in different ways.

Approaches used for passwordless authentication include:

• Biometrics: Fingerprints, facial recognition, retina scans
• Possession factors: Hardware security keys, OTP codes sent to devices
• Magic links: One-time login URLs sent via email/SMS
• Tokens: Software or hardware tokens for OTP passcodes 
• Behavioral authentication: Typing patterns, touchscreen dynamics 
• QR codes: Scannable codes to instantly verify a second device
• Passkeys: Cryptographic credentials. In this method, a user's device generates a public-private key pair. The private key is securely stored locally, while the public key is registered with the server. The server issues a challenge to login that the device signs with its private key. This creates a one-time digital signature the server validates against the public key to authenticate the user. WebAuthn/FIDO is the standard for passwordless authentication on the web via public key cryptography.

IT teams can choose suitable techniques based on convenience, security needs, and infrastructure compatibility.

Challenges of passwordless authentication

While passwordless authentication has its benefits, it also poses challenges, such as:

• More complex implementation
• Compatibility issues on legacy infrastructure
• Cost investments for new systems 
• Lack of standards and maturity

What does passwordless authentication look like in practice?

When adopting passwordless systems, best practices include:

• Evaluating use cases and infrastructure needs
• Phased rollouts focusing on quick wins
• Leveraging existing solutions like SSO platforms first
• Encouraging user adoption via training and incentives
• Testing solutions via trials and feedback processes

Specifically, organizations can:

• Select suitable authentication factors 
• Determine the number of factors required, while balancing security and convenience
• Procure necessary hardware/software 
• Register users and devices on the new systems
• While complex for in-house implementation, third-party providers can accelerate the deployment of passwordless authentication.

The future of passwordless authentication

By 2025, passwordless authentication revenue could hit $25 billion, expanding to over $50 billion by 2030 as adoption accelerates.

Ultimately, the question seems to be when, not if, passwordless authentication becomes the norm. With stronger cryptographic techniques, biometric adoption, and the maturation of security standards, it’s possible to imagine a future without fallible human-generated secrets.

More Resources:

Blogs
Unlocking the future: how passwords are evolving to keep you safe

Webinar
The Future of Passwords and the Passwordless Evolution

Original Research
Passwords and Passwordless Authentication Survey Report

Whitepapers
Beyond Password Managers
See why consumer-grade password managers aren’t sufficient to protect privileged accounts in the enterprise. 

Multi-factor Authentication at Depth
Just because someone can present the right password doesn’t guarantee they are the user you think they are. Multi-factor authentication (MFA) mitigates risk throughout the chain of access control points.

Invisible Privileged Access Management
Reduce password fatigue and empower happy employees. With native integrations, Privileged Access Management sits behind the scenes and synchronizes all privileged identities, roles, permissions, and activities.