Passwordless authentication is the process of verifying a software user’s identity with something other than a password. The most common passwordless authentication methods include verifying the possession of a secondary device or account a user has or a biometric trait that is unique to them, like their face or fingerprint.
Passwordless authentication can reduce costs and security risks for any organization. And as Google Cloud’s director of product management Sam Srinivas explains, passwordless authentication usage will likely grow rapidly in the near future.
Here is why more enterprises are turning to passwordless authentication and how you can implement it in your organization.
Why Passwordless Authentication Is Better than a Password
Passwordless authentication creates a smoother experience than traditional username and password (U/P) authentication for both you and your users (that can be more secure if it relies on WebAuthn). Not only does this save you money, but it can even lead to an increase in sales in some cases.
Reduced security risks
According to Verizon’s 2021 Data Breach Investigations Report (DBIR), credential vulnerabilities account for over 84% of all data breaches. Eliminating passwords altogether reduces your risk for a data breach because it reduces a bad actor’s ability to use them (and the unsafe behaviors that often expose them) against you and your users.
For example, cybercriminals often use credential stuffing (using compromised user credentials from one breach to gain access to another organization) to breach an organization because more than two-thirds of all people reuse passwords. Eliminating passwords removes the ability for cybercriminals to use credentials they’ve obtained elsewhere to access accounts on your system.
Passwordless authentication that uses modern authentication methods like FIDO-compliant devices reduces your organization’s vulnerability via phishing attacks (tricking users into downloading malware or providing sensitive information with a malicious email).
Since phishing accounts for 36% of all data breaches and many are performed with the goal of acquiring a username and password, eliminating passwords means your users or employees won’t accidentally provide bad actors anything they can use to gain access to their accounts and personal data if they receive a phishing email.
Reduced costs (and increased sales) through better user experience
The average person has 100 passwords to remember and spends 12.6 minutes of every week resetting them (often through a call to a help desk). This ends up costing your organization more money in password resets and customer service time than you think. For example, although the industry standard is $70 per reset, Auth0 customers report up to $120 per reset, even before they’ve called the helpdesk.
Implementing passwordless authentication, however, can help reduce or eliminate those costs since your users will be able to log in without a password. This also eliminates the need to store and maintain those password databases.
Research by The Ponemon Institute and Yubico also shows that eliminating passwords may increase sales for some businesses since almost half of the 1,700+ IT professionals they surveyed reported that they could not complete a personal transaction as a result of a forgotten password.
Finally, user experience can be a competitive advantage for software businesses (even at the enterprise level). So reducing login friction could also encourage users to choose you over your competitors.
Types of Passwordless Authentication
Traditional username and password authentication require a user to input something they know (a password) in order to verify who they are. But passwordless authentication methods require a user to demonstrate that they have something (a possession factor) or that they are something (an inherence factor), both of which are harder to circumvent.
Below are the most common methods used for verifying both inheritance and possession factors:
- Biometrics: Many physical traits are more or less completely unique to each individual. Biometric authentication uses these unique physical traits to verify if a person is who they say they are, without requesting a password. For example, the likelihood that two faces are the same is less than one in a trillion, so facial recognition is an effective way to verify an individual.
- Magic Links: Instead of asking a user for a password, this form of passwordless authentication asks a user to enter their email address into the login box. An email is then sent to them, with a link they can click to log in. This process is repeated each time the user logs in.
- One-Time Passwords/Codes: One-time passwords (OTP) or one-time codes (OTC) are similar to magic links but require users to input a code that you send them (via email or to their mobile device via SMS) instead of simply clicking a link. This process is repeated each time a user logs in.
- Push Notifications: Users receive a push notification on their mobile devices through a dedicated authenticator app (for example, Google Authenticator) and open the app through a push notification to verify their identity.
How to Implement Passwordless Authentication
Coding passwordless authentication is a lot more complex than simply telling your dev team to change the login box. In fact, if your login box was a light switch, implementing passwordless authentication, for many organizations, would be more akin to rewiring the whole house. However, third-party providers offer a rapid and more secure implementation that is more secure and up-to-date than anything that can be built in-house.
The extent to which that analogy holds true for you will depend on the design of your existing identity and access management (IAM) systems. But the point is that it’s far more complex and costly to implement securely than most realize, often requiring dedicated development resources over a long period (and then scaling and maintaining those systems after implementation).
As a result, many organizations choose to work with an identity provider (like Auth0) that can reduce the time to implement passwordless authentication for millions of users to months in some cases, as well as offload many of the maintenance costs they’d face in the future. Learn more about implementing passwordless authentication with Auth0 here.
The Auth0 Identity Platform, an independent product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.