Passwordless Authentication: Is It Soon A Reality?

The future without passwords is slowly taking shape. This prospect, while attractive, brings with it choices and, above all, challenges that companies may face.

Password management has always been a challenge for businesses, and it places a heavy burden on users, who have to juggle hundreds of passwords in their daily digital lives. Now imagine a future without passwords. Attractive, isn’t it? Naturally! But before jumping in and going completely passwordless, it is important to identify the options, and the challenges, that businesses might face.

What exactly does “no password” mean?

On a mobile device, many applications offer optional sign-in with a fingerprint; if the user accepts, they sign in without a password. If they have enabled Windows Hello on their laptop, they may find it convenient to sign in using facial recognition. Passwordless authentication is exactly that: an alternative method of identification and sign-in that does not require entering a password.

However, there are some points about this concept worth noting:

  • Going passwordless does not necessarily mean the password is removed; it simply means the user enjoys a passwordless experience. Normally, if the secondary authentication method (such as facial recognition) fails, the system will still fall back to prompting for a password.
  • The passwordless methods used on a phone and on a laptop are not interoperable. If you sign in to a mobile banking app with your fingerprint and then want to access the same app from your laptop, you will inevitably have to enter your password.

Let’s face it, passwords aren’t going away anytime soon. Websites, streaming subscriptions, laptops, bank cards and banking portals all use passwords, each with different requirements such as a minimum length or a specific set of characters.

I’m convinced. Now what should I do?

If a company wants to adopt a passwordless experience, there are many solutions, but each of them will only cover a portion of its needs.

The first option is to use Security Assertion Markup Language (SAML), an XML-based protocol that lets cloud applications establish a trust relationship with an identity provider (SAML IdP). Under this trust relationship, the cloud application the user wants to access (Salesforce, for example) redirects the user to the identity provider’s interface, where the user is authenticated. The benefits for the enterprise are significant: the technology lets employees use a single sign-on method across these cloud applications, through a completely passwordless experience. The user still has to sign in to the identity provider once, but after that they have access to every configured application with no further passwords. It is enough to use a reliable multi-factor authentication (MFA) method to sign in to the identity provider; the MFA is, in a sense, the keeper of the keys.
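As an added illustration (not code from the original article), here is what the service-provider side of that trust relationship checks in Go once the IdP redirects the user back: the SAML response must answer a request the SP issued, come from the trusted IdP, name this SP as its audience and be inside its validity window. The response XML, entity IDs and request ID are constructed sample values, and XML signature verification is assumed to be handled separately.

```go
package main

import (
	"encoding/xml"
	"errors"
	"time"
)

// Subset of a SAML 2.0 Response the SP inspects after the IdP redirects the user back. Tags omit
// namespaces so encoding/xml matches local names; XML-DSig signature verification is assumed done first.
type samlResponse struct {
	InResponseTo string `xml:"InResponseTo,attr"`
	Assertion    struct {
		Issuer     string `xml:"Issuer"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// Constructed sample response (not from a real IdP) used by the demo and tests.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="req-42">
<saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>`

// validateAssertion does the SP-side checks that turn "the user came back from the IdP" into "this user
// may log in": it answers our request, comes from our IdP, is addressed to us and is current. Returns the NameID.
func validateAssertion(raw []byte, trustedIdP, ourEntityID, requestID string, now time.Time) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	c := r.Assertion.Conditions
	nb, errNB := time.Parse(time.RFC3339, c.NotBefore)
	na, errNA := time.Parse(time.RFC3339, c.NotOnOrAfter)
	switch {
	case r.InResponseTo != requestID:
		return "", errors.New("InResponseTo does not match an outstanding request (replay or unsolicited)")
	case r.Assertion.Issuer != trustedIdP:
		return "", errors.New("assertion not issued by the trusted IdP")
	case c.Audience != ourEntityID:
		return "", errors.New("assertion addressed to a different service provider")
	case errNB != nil || errNA != nil || now.Before(nb) || !now.Before(na):
		return "", errors.New("assertion validity window missing, malformed or not current")
	}
	return r.Assertion.NameID, nil
}
```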

The second option is to deploy FIDO2 devices for a passwordless experience. The FIDO Alliance has developed a specification for a passwordless way to sign in to apps and websites. Usually this requires a hardware token (a security key) with a specific connection method (USB, Bluetooth, NFC, etc.) to authenticate to a FIDO2-enabled app. Like Windows Hello facial recognition, FIDO2 devices can also be used to sign in to a computer without entering a password. It is an excellent and completely secure method, but it faces obstacles to adoption: limited application support, and the need for backup authentication methods in case the token is forgotten or lost. Not to mention the cost, since FIDO2 devices can be relatively expensive.

Going “passwordless” must take both user experience and security into account. For example, a user should not drop the password if the remaining sign-in method is a weak one. One-time passwords (OTPs) sent by text message are known to be insecure; making them the only form of authentication would be a huge mistake. And when only push-notification approval is used, with no additional check, attackers can still abuse the MFA prompt to pressure the user into approving it if the MFA process itself is unprotected.

Finally, we have found that many people question the need for a password manager if the trend is to eliminate passwords. Passwords aren’t going away anytime soon, and it’s almost impossible to remember different, complex passwords for every app. A password manager is a great way to educate users and mitigate the problem of leaked credential databases circulating on the dark web, while letting users enjoy a passwordless experience. The ideal setup is to sign in to the password manager with MFA and let it open the website and handle the login automatically.

In summarizing…

Here are some tips and suggestions, based on the current state of passwordless authentication:

  • “Passwordless” means that the user does not enter a password; it does not mean that the password no longer exists.
  • Passwords are not going away anytime soon, so better ways must be found to manage them and mitigate the problems that arise along the way.
  • For professional cloud applications, the SAML protocol is a great way to provide passwordless SSO access to protected cloud applications.
  • For computer logins, FIDO2 tokens offer a better user experience and a higher level of security, but generally at a higher price.
  • A password manager can give users a passwordless experience for applications that do not natively support multi-factor authentication, while mitigating many of the problems associated with identity verification.

So completely passwordless authentication may well be the best solution for the company, depending on the goals it sets…

The thing is, there is still no passwordless authentication standard that works across multiple devices and applications. So there will always be a need for expensive hardware tokens, a kind of Swiss army knife, to get comparable experiences on laptops and mobile devices, and even then only for a very limited number of applications. Say a user signs in to their computer every day using facial recognition with Windows Hello; that Windows Hello login cannot be used to access most of the websites they visit every day, because each website has its own identification method. In a few years FIDO2 could well establish itself as the “passwordless” standard, but its use is still very limited at the moment.

As always, our advice is to identify which applications matter most to protect and which passwordless methods can apply to each of them. Obviously, user experience must be taken into account, but above all the costs of security and management must not be neglected.
