Passwords were once the only authentication method available to people accessing their online accounts. Even in those simpler times, passwords were problematic. To remember them, users made them too simple, and therefore too easy for bad actors to steal. And people used the same passwords again and again, which meant that once a password was stolen, cybercriminals knew there was a good chance they could use it to access multiple accounts.
With the proliferation of online accounts, the problems with passwords have become much worse.
The average online consumer now has dozens of accounts — for both personal and professional use — and most users are overwhelmed by the number of username and password combinations they are supposed to remember. In a PC Magazine study, 65 percent of respondents reported that they will forget their password if they don’t write it down, and 57 percent will forget their new password immediately upon resetting it.
To combat the problem with simple passwords and password reuse, some companies require frequent password changes and the use of complex patterns containing letters, numbers, and special characters. While these requirements solve some problems, they create others, including account lockout. The same PC Magazine study showed that the average American is locked out of 10 accounts per month. Account lockout creates a miserable user experience, obviously, but it’s also costly, as helpdesks must field frequent requests for password resets.
By eliminating passwords, you remove all these possibilities.
With passwordless authentication, a person can log in to an online account without having to enter a password. Instead, the job of authentication is assigned to endpoints, such as mobile devices or computers, where the user can use a fingerprint or facial scan, known as “biometric” authentication. It can also be done with authenticator apps, tokens, and smartcards — all growing in popularity. The user doesn’t have to worry about forgotten passwords and, because no credentials are “shared” over the internet, there’s no threat of interception.
Two-factor and multi-factor authentication
Many applications and services offer either two-factor authentication (2FA) or multi-factor authentication (MFA). These methods require the user to authenticate with a combination of at least two unique factors. The username and password are “knowledge” factors (something they know). The mobile device, hardware token, or smart card are “possession” factors (something they have). And, biometrics, such as fingerprints or facial recognition identifiers, are examples of “inherence” factors (something they are).
2FA requires a user to first authenticate with a username and password and then a second factor, such as a one-time passcode (OTP) delivered via an authenticator app or an SMS text message. This approach is known as a “passwordless factor,” meaning that the second authentication step, after the username/password step, does not use a password or knowledge factor. While this approach does add a layer of protection, it retains many of the problems inherent in password use.
2FA and MFA can both incorporate contextual attributes, such as user device, browser, IP, location, or time of day, but MFA tends to go further and can add a third or fourth factor. Some context changes, such as the user's location or device—or even the sensitivity of the app being accessed—will trigger further authentication, known as step-up authentication. When all the context is as expected, the system may require less authentication, which makes access easier for the user.
Passwordless authentication may be used on its own or as part of a 2FA or MFA strategy, and its popularity is growing.
Is it possible to go completely passwordless?
Yes. With complete passwordless, the user doesn't have the experience of interacting with a password at all because there isn't one. It is possible using a range of methods, such as FIDO2 WebAuthn, passkeys, Open Authentication (OATH), push notifications, OTPs, biometrics, and more. Since the user's not interacting with the password, you eliminate all of its security risks and usability issues.
Enabling complete passwordless is easier for consumers than it is for enterprise employees. While consumers mostly interact with websites and SaaS services, workforce users have a much more complex environment, with IT systems in place that will always require passwords, such as virtual private networks (VPNs), databases, and legacy infrastructure. For these environments, you can provide what’s known as a passwordless experience in which workforce users don’t have to interact with passwords — instead, they can be handled securely in the background by the IAM system. This approach is good for security, because anytime there’s a known password, there’s a risk of compromise. It can also result in a great experience for the enterprise user. ForgeRock Enterprise Connect Passwordless enables passwordless experiences for a range of use cases in the enterprise.
“By 2025, more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless, up from less than 10% today.”
Gartner, “Take 3 Steps Toward Passwordless Authentication”
Refreshed 22 February 2023, Ant Allan, Published 19 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
The benefits of passwordless authentication
According to a survey by ESG, 54% of organizations are implementing, testing, or evaluating passwordless authentication, and 31% of these organizations rank it as the top priority in their identity strategy.
There are multiple reasons why companies are exploring passwordless authentication solutions:
Better security: Passwords are a major vulnerability because of reuse and because passwords can be shared with others, so they cease to be controllable. According to the 2023 ForgeRock Identity Breach Report, unauthorized access was responsible for 91% of the records breached in 2022, impacting nearly 1.4 billion people. With passwordless authentication, login credentials are never transmitted over the internet, thus eliminating the threat of interception.
Better user experience: Passwords create a range of problems that translate to poor experiences, and most of us are familiar with them. But usability problems have real consequences that affect the bottom line. For example, if a customer can’t remember the right password used for your site, it’s likely that the customer will abandon their shopping cart rather than going through the forgotten password flow. By providing customers with passwordless authentication, you eliminate that frustration. Your customers can rely on convenient login mechanisms, such as push notifications to their mobile devices and facial recognition, which streamlines the process.
Cost-effective: Passwords increase help desk call volume and they require constant maintenance from IT teams. By removing passwords, you can reduce support tickets and free IT to address more important matters. Importantly, by streamlining the registration and checkout process, passwordless authentication reduces the likelihood of shopping cart abandonment.
Is passwordless authentication secure?
If passwords were secure, we wouldn't be reading constant reports of data breaches. Hackers may be able to inject malicious code into software to infiltrate a network or build a botnet that launches a denial-of-service (DoS) attack. But it is far easier to crack a weak credential or leverage social engineering against an end user to gain credentials.
Part of the problem is that people fail to realize that their weak credentials are not typically the target of a cyberattack. They think of themselves as a low risk because they have nothing to hide or steal. In many cases, that may be true. However, their stolen credentials can be used to gain access to a much larger network where hackers can spread malware and steal valuable data. The recipient of a phishing email is merely a stepping stone — rarely the intended target.
How are passwords stolen and exploited?
According to LastPass, the password management company, hackers have an array of tools at their disposal for harvesting credentials.
Phishing attacks: One way credentials are stolen is when the recipient of the phishing email clicks a link to a site (that looks legitimate) and enters their username and password, which the hacker collects. Some phishing emails contain malicious links or attachments that contain malware. By downloading the malware to their computer, people can become infected with spyware or a keylogger that can capture keystrokes, including login credentials, and send them to the hacker.
Credential stuffing: Credential stuffing relies on the use of bots to automatically test every username and password combination in a (stolen) database to see if any of them successfully gain access to a website. In its 2021 State of the Internet (SOTI) Phishing for Finance report, Akamai revealed there were 193 billion credential stuffing attacks globally in 2020.
Credential spraying: If an email address for an online account is known, credential spraying (also called password spraying) allows hackers to test common passwords (such as password123) to see if any of them work with that particular email address. The use of bots allows them to quickly test against many thousands of email addresses in a database.
Brute-force attacks: A brute-force attack is similar to credential spraying, but instead of testing passwords against many email addresses, it typically involves making multiple login attempts to a single, targeted account using a different password each time. Unfortunately, brute-force attacks are often successful because so many people use simple passwords that are easy to guess.
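The attack shapes described above leave different traces in failed-login logs, and the following added example (not part of the original article) classifies them from the defender's side. The event fields, the five-minute window, and the thresholds are assumptions; because such logs normally do not record the attempted password, spraying and stuffing are reported as one category.

```javascript
// Constructed failed-login events (t = seconds since the start of the sample).
const SAMPLE_FAILURES = [
  // One source, six different accounts, one failure each.
  ...['ana', 'ben', 'cho', 'dev', 'eli', 'fay'].map((account, i) =>
    ({ t: 10 + i * 5, ip: '203.0.113.10', account })),
  // One source, one account, eight failures.
  ...Array.from({ length: 8 }, (_, i) =>
    ({ t: 100 + i * 3, ip: '198.51.100.7', account: 'ana' })),
  // A user mistyping a password twice.
  { t: 40, ip: '192.0.2.44', account: 'ben' },
  { t: 55, ip: '192.0.2.44', account: 'ben' },
];

// Group failures per source and time window, then label each group by its shape.
function classifyFailures(events, { windowSec = 300, minAttempts = 5 } = {}) {
  const buckets = new Map(); // "ip|windowStart" -> Map(account -> failure count)
  for (const { t, ip, account } of events) {
    const key = `${ip}|${Math.floor(t / windowSec) * windowSec}`;
    if (!buckets.has(key)) buckets.set(key, new Map());
    const perAccount = buckets.get(key);
    perAccount.set(account, (perAccount.get(account) || 0) + 1);
  }
  const findings = [];
  for (const [key, perAccount] of buckets) {
    const [ip, windowStart] = key.split('|');
    const attempts = [...perAccount.values()].reduce((a, b) => a + b, 0);
    if (attempts < minAttempts) continue; // ordinary typos stay below the threshold
    const accounts = perAccount.size;
    // One account, many guesses: brute force.
    // Many accounts, one or two guesses each: spraying or stuffing.
    let kind = 'mixed';
    if (accounts === 1) kind = 'brute-force';
    else if (attempts / accounts <= 2) kind = 'spraying-or-stuffing';
    findings.push({ ip, windowStart: Number(windowStart), kind, accounts, attempts });
  }
  return findings;
}

console.log(classifyFailures(SAMPLE_FAILURES));
```

Per-account lockout alone catches only the brute-force shape, since the spraying and stuffing shape stays at one or two failures per account.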
There was a 233% increase in U.S. breaches exposing user credentials compared to 2021. Credentials – username and password combinations – are attractive targets as they enable unauthorized access to sensitive systems, networks, and data.
How does passwordless work?
It all started with the Fast Identity Online 2 (FIDO2) WebAuthn standard for passwordless authentication, which was approved in March 2019 by the World Wide Web Consortium (W3C). WebAuthn enables businesses to offer passwordless authentication and the standard is increasingly supported by major browsers, operating systems, and hardware manufacturers, including Apple, Google, and Microsoft. The WebAuthn specification delegates authentication to private keys stored on endpoints, such as mobile devices or computers, thereby removing the threat of interception by a bad actor and eliminating the need for a user to remember site credentials.
More recently, FIDO2 expanded the WebAuthn standard to include passkeys, which allow private keys to be stored in a vault in the device vendor’s cloud instead of on the device itself. This means that if you have multiple devices, or you get a new device, you retain your passkey and your ability to use passwordless authentication, such as a fingerprint or facial scan.
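The private-key model described above can be seen in a simplified challenge-response exchange, shown here as an added example that is not part of the original article and is not the real WebAuthn wire format. The function names and the `shop.example` origins are assumptions; real WebAuthn signs authenticator data plus a hash of the client data and is driven by the browser.

```javascript
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key reaches the server.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: check the challenge, then the origin, then the signature.
function verifyAssertion(serverRecord, expected, assertion) {
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expected.challenge) return 'stale-or-replayed-challenge';
  if (origin !== expected.origin) return 'wrong-origin';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario: one real login and three responses the server must reject.
function demo() {
  const origin = 'https://shop.example'; // hypothetical relying-party origin
  const user = register();
  const c1 = newChallenge();
  const first = signAssertion(user.authenticator, c1, origin);
  const c2 = newChallenge();
  const lookalike = signAssertion(user.authenticator, c2, 'https://shop-login.example');
  const stranger = signAssertion(register().authenticator, c2, origin);
  return {
    legit: verifyAssertion(user.serverRecord, { challenge: c1, origin }, first),
    replay: verifyAssertion(user.serverRecord, { challenge: c2, origin }, first),
    phished: verifyAssertion(user.serverRecord, { challenge: c2, origin }, lookalike),
    otherKey: verifyAssertion(user.serverRecord, { challenge: c2, origin }, stranger),
  };
}

console.log(demo());
```

A captured response is useless for a later login because the challenge changes, and a response produced on a lookalike site fails because the signed origin does not match.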
Passwordless authentication for consumers
The numbers vary by survey, but there has been a clear trend showing an increase in online accounts since the beginning of the pandemic. TechRadar reported that online accounts have increased by 25 percent and consumers have, on average, 100 of them to keep track of. As consumers spend more time shopping for goods and services online, companies have turned their focus to creating experiences (also known as “journeys”) for customers that are as satisfying as they are secure. If customers have difficulty logging in to their accounts or completing a transaction, they will go elsewhere. With passwordless authentication, customers can avoid many of the issues that cause friction, such as password reset and account lockout.
Keeping customers secure in the digital world with fraud around every corner is driving enterprises to modernize their approach to identity and access management (IAM) and incorporate passwordless in their customer journeys. Passwordless strengthens security by reducing the risk of many identity-based threats, such as phishing, credential stuffing, and brute-force attacks. It also reduces costs by slashing the volume of helpdesk calls, many of which are password related. Perhaps the most important benefit to consumer-facing organizations, passwordless eliminates frustrating login experiences and helps to onboard customers faster and retain them longer.
Passwordless authentication for the workforce
As enterprise applications move to the cloud, organizations have been deploying identity and access management (IAM) solutions with single sign-on (SSO) to keep productivity high and user friction low. Modern SSO solutions can include passwordless logins and other authentication methods that simplify access without sacrificing security.
Passwordless removes the exchange of passwords between users and enterprise applications and infrastructure. Removing passwords reduces the risk of the type of password-based attacks, such as phishing, that can give attackers a foothold into your network, where they can move laterally and steal or expose sensitive data. In addition, with more convenient and secure authentication options, enterprise users gain quicker, easier access to the resources they need to do their jobs. At the same time, passwordless authentication reduces costs by eliminating account lockouts and password-related help tickets.