What Is Passwordless Authentication?

 


Passwords were once the only authentication method available to people accessing their online accounts. Even in those simpler times, passwords were problematic. To remember them, users would make them too simple, and therefore too easy for bad actors to steal. And people used the same passwords again and again, which means that once a password was stolen, cybercriminals knew there was a good chance they could use it to access multiple accounts.

With the proliferation of online accounts, the problems with passwords have become much worse.

The average online consumer now has dozens of accounts — for both personal and professional use — and most users are overwhelmed by the number of username and password combinations they are supposed to remember. In spite of repeated warnings, many people still use the same password for multiple accounts. Some use weak passwords that are easy to crack by motivated bad actors. Others save their passwords in a file labeled “passwords.” In a PC Magazine study, 65 percent of respondents reported that they will forget their password if they don’t write it down, and 57 percent will forget their new password immediately upon resetting it.

To combat the problem with simple passwords and password reuse, some companies require frequent password changes and the use of complex patterns containing letters, numbers, and special characters. While these requirements solve some problems, they create others, including account lockout. The same PC Magazine study showed that the average American is locked out of 10 accounts per month. Account lockout creates a miserable user experience, obviously, but it’s also costly, as helpdesks must field frequent requests for password resets.

By eliminating passwords, you remove all of these possibilities.

With passwordless authentication, a person can log in to an online account without having to enter a password. Instead, the job of authentication is assigned to endpoints, such as mobile devices or computers, where the user can use a fingerprint or facial scan, known as “biometric” authentication. It can also be done with authenticator apps, tokens, and smartcards — all growing in popularity. The user doesn’t have to worry about forgotten passwords and, because no credentials are “shared” over the internet, there’s no threat of interception.

 

Two-factor and Multi-factor Authentication

Many applications and services offer either two-factor authentication (2FA) or multi-factor authentication (MFA). These methods require the user to authenticate with a combination of at least two unique factors. The username and password are “knowledge” factors (something they know). The mobile device, hardware token, or smart card are “possession” factors (something they have). And, biometrics, such as fingerprints or facial recognition identifiers, are examples of “inherence” factors (something they are).

2FA requires a user to first authenticate with a username and password and then a second factor that uses a one-time passcode (OTP). These are typically delivered via an authenticator app or over the SMS text messaging protocol. With 2FA, the second authentication factor must be presented with each authentication attempt. 

2FA and MFA can both incorporate contextual attributes, such as user device, browser, IP, location, or time of day, but MFA tends to go further and can add a third or fourth factor. Some context changes, such as the user's location or device—or even the sensitivity of the app being accessed—will trigger further authentication, known as step-up authentication. When all the context is as expected, the system may require less authentication, which makes access easier for the user.

Passwordless authentication may be used on its own or as part of a 2FA or MFA strategy, and its popularity is growing.

 

By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.

Ant Allan, Vice President Analyst Gartner

The benefits of passwordless authentication

According to a recent survey by ESG, 54% of organizations are implementing, testing, or evaluating passwordless authentication and 31 percent of these organizations rank it as the top priority in their identity strategy.1 

There are multiple reasons why companies are exploring passwordless authentication solutions:

Better security: Passwords are a major vulnerability because of reuse and because passwords can be shared with others, so they cease to be controllable. Passwords are responsible for 81 percent of breaches, according to the 2021 ForgeRock Consumer Identity Breach report. With passwordless authentication, login credentials are unique for every website and never leave the user’s device. Unlike a username and password, credentials are never transmitted over the internet, thus eliminating man-in-the-middle (MiTM) attacks.

Better user experience: Passwords create a range of problems that translate to poor experiences, and most of us are familiar with them. But usability problems have real consequences that affect the bottom line. For example, if a customer can’t remember the right password used for your site, it’s likely that the customer will abandon their shopping cart rather than going through the forgotten password flow. By providing customers with passwordless authentication, you eliminate that frustration. Your customers can rely on convenient login mechanisms, such as push notifications to their mobile devices and facial recognition, which streamlines the process.

Cost-effective: Passwords increase help desk call volume and they require constant maintenance from IT teams. By removing passwords, you can reduce support tickets and free IT to address more important matters. Importantly, by streamlining the registration and checkout process, passwordless authentication reduces the likelihood of shopping cart abandonment.

Is passwordless authentication secure?

If passwords were secure, we wouldn't be reading constant reports of data breaches. Hackers may be able to inject malicious code into software to infiltrate a network or build a botnet to launch a denial-of-service (DoS) attack. But it is far easier to crack a weak credential or leverage social engineering against an end user to gain credentials.

Part of the problem is that people fail to realize that their weak credentials are not typically the target of a cyberattack. They think of themselves as low-risk because they have nothing to hide or steal. In many cases, that may be true. However, their stolen credentials can be used to gain access to a much larger network where hackers can spread malware and steal valuable data. The recipient of a phishing email is merely a stepping stone — rarely the intended target.

How are passwords stolen and exploited?

According to LastPass, the password management company, hackers have an array of tools at their disposal for harvesting credentials.

Phishing attacks: One way credentials are stolen is when the recipient of the phishing email clicks a link to a site (that looks legitimate) and enters their username and password, which the hacker collects. Some phishing emails contain malicious links or attachments that contain malware. By downloading the malware to their computer, people can become infected with spyware or a keylogger that can capture keystrokes, including login credentials, and send them to the hacker. 

Credential stuffing: Credential stuffing relies on the use of bots to automatically test every username and password combination in a (stolen) database to see if any of them successfully gain access to a website. In its 2021 State of the Internet (SOTI) Phishing for Finance report, Akamai revealed there were 193 billion credential stuffing attacks globally in 2020. 

Credential spraying: If an email address for an online account is known, credential spraying (also called password spraying) allows hackers to test common passwords (such as password123) to see if any of them work with that particular email address. The use of bots allows them to quickly test against many thousands of email addresses in a database.

Brute-force attacks: A brute-force attack is similar to credential spraying, but instead of testing passwords against many email addresses, it typically involves making multiple login attempts to a single, targeted account using a different password each time. Unfortunately, brute-force attacks are often successful because so many people use simple passwords that are easy to guess.

In its 2021 Data Breach Investigations Report, Verizon reported that compromised credentials were involved in 60 percent of breaches, noting, “Credentials remain one of the most sought-after data types.”

Breaches that revealed usernames and passwords rose by 450%, giving attackers a massive number of credentials to use in gaining further unauthorized access.

ForgeRock, 2021 Consumer Identity Breach Report

How does passwordless work?

It all started with the Fast Identity Online 2 (FIDO2) WebAuthn standard for passwordless authentication, which was approved in March 2019 by the World Wide Web Consortium (W3C). WebAuthn enables businesses to offer passwordless authentication and the standard is increasingly supported by major browsers and operating systems. The WebAuthn specification delegates authentication to endpoints, such as mobile devices or computers, thereby removing the threat of interception by a bad actor and eliminating the need for a user to remember site credentials.

When a user registers a device, the device is instructed to create a unique public key/private key pair for communicating with the service. Once the user authenticates on the device, the private key, which is stored securely in persistent memory and never leaves the user’s device, becomes available to sign authentication challenges. The service then verifies each signed challenge with the corresponding public key.
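The registration and challenge-signing flow described above, modeled in simplified form as an added example (not ForgeRock's code and not the WebAuthn wire format). The `Authenticator` and `RelyingParty` classes and the example origins are hypothetical; the demo shows why a replayed response or a look-alike origin fails verification.

```javascript
// Added example: simplified challenge-response model; names and origins are hypothetical.
const crypto = require('node:crypto');

class Authenticator {                        // stands in for the user's device
  constructor() { this.keys = new Map(); }   // origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only the public key leaves
  }
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;            // no credential exists for this origin
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

class RelyingParty {                         // stands in for the website
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);             // remember it so it can be used only once
    return challenge;
  }
  verify(user, assertion) {
    if (!assertion || !this.publicKeys.has(user)) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or already-used challenge
    return crypto.verify('sha256', Buffer.from(assertion.clientData),
                         this.publicKeys.get(user), assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new RelyingParty('https://shop.example');
  site.enroll('alice', device.register('https://shop.example'));
  const good = device.sign('https://shop.example', site.newChallenge());
  const first = site.verify('alice', good);   // fresh challenge, valid signature
  const replay = site.verify('alice', good);  // same assertion presented again
  // A look-alike origin: the device holds no key for it, so nothing is signed.
  const phish = device.sign('https://shop-example.test', site.newChallenge());
  return { first, replay, phish: site.verify('alice', phish) };
}
```

The server side stores only the PEM public key, so a database leak on the relying party exposes nothing that can be replayed as a login.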

The use of WebAuthn is rising dramatically. In addition to most popular browsers, WebAuthn authentication is built into operating systems such as Microsoft Windows 10 with Microsoft’s authenticator Windows Hello. These platforms allow keys to be stored on laptops, USB fobs, and NFC and Bluetooth devices, so that users can carry their authentication method with them across multiple devices.

Passwordless authentication for consumers

The numbers vary by survey, but there has been a clear trend showing an increase in online accounts since the beginning of the pandemic. TechRadar reported that online accounts have increased by 25 percent and consumers have, on average, 100 of them to keep track of.

As consumers spend more time shopping for goods and services online, companies have turned their focus to creating experiences (also known as “journeys”) for customers that are as satisfying as they are secure. If customers have difficulty logging in to their accounts or completing a transaction, they will go elsewhere. With passwordless authentication, customers can avoid many of the issues that cause friction, such as password reset and account lockout.

Keeping customers secure in the digital world with fraud around every corner is driving enterprises to modernize their approach to identity and access management (IAM) and implement solutions powered by artificial intelligence and machine learning (AI/ML). With incredible speed and accuracy, these systems, such as ForgeRock Autonomous Access, apply exactly the right amount of friction to ensure that legitimate users can easily get to their resources and that account takeover (ATO) attempts and other fraudulent activities are instantly blocked.

Passwordless authentication for the workforce

As enterprise applications move to the cloud, organizations have been deploying identity and access management (IAM) solutions with single sign-on (SSO) to keep productivity high and user friction low. Modern SSO solutions can include passwordless logins and other authentication methods that simplify access without sacrificing security.

With more convenient and secure authentication options, enterprise users gain quicker, easier access to resources. At the same time, passwordless authentication reduces the burden on your IT staff by minimizing or eliminating password reset requests.
