How Does Passwordless Authentication Work?
Passwordless authentication keeps all the credentials local to each user, according to Scarfone. While some solutions involve PINs, “these PINs are only locally accessible and valid — unlike typical passwords, which are usually centrally stored and, once guessed or stolen by an attacker, susceptible to reuse by that attacker,” she says.
Passwordless authentication requires the person authenticating “to have physical access to the device they’re authenticating with. The user’s device needs to support one or more passwordless authentication mechanisms, and individual applications may need to support them as well,” Scarfone says. She notes that legacy software and applications are not always capable of supporting passwordless authentication.
Does Passwordless Authentication Need a Second Factor?
The short answer is yes: passwordless authentication still requires two authentication factors. They just don't include the user's password.
“There are a couple of different ways that passwordless has been rolled out, and it can require multiple factors,” Goerlich says. “What’s important from a user experience perspective is that those factors seem seamless, so it’s one action or one activity.”
Duo advises organizations to keep MFA in place because auditors the company is hearing from in the field “are pushing back, saying, ‘Yeah, I understand you remove the password, but the checkbox still says multifactor,’” Goerlich says. “So, you still do need to have a couple of factors within that authentication.” Those could be a mix of biometrics, cryptographic tokens and private/secret keys.
How Safe Is Passwordless Authentication?
Passwordless authentication is generally considered safer than MFA with a password as a factor, Scarfone says, “and it’s much safer than authenticating with a password only.”
However, nothing is failproof in security, she adds, and passwordless authentication is no exception. “There are still ways it can potentially be compromised, like stealing a user’s device and physical credentials, but it’s orders of magnitude safer than just using a password,” Scarfone says.
Today, if an attacker gets a user’s password, they can log in to an account from any device in the world, Goerlich says, and most likely get into an application. One of the strengths of passwordless is that it limits the devices users can authenticate from and on, restricting the attack surface.
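The two points above, that the credential stays local to the device and that the server can only be reached from a device it has registered, can be seen concretely in a small model of device-bound challenge-response authentication. The following Go program is an added example written for this page; it is not code from the article, from Duo, or from either expert quoted. It assumes an Ed25519 key pair generated on the device, a SHA-256 digest standing in for the authenticator's local PIN check, and constructed names ("alice", PIN "1234") for the sample run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the user's phone or laptop. The private key is generated on
// the device and never leaves it; the PIN is checked locally and only unlocks
// use of that key, so it is never sent to, or stored on, the server.
// (A real authenticator keeps the key in a secure element; this is a model.)
type Device struct {
	pinHash [32]byte
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
}

// NewDevice enrolls a device with a local unlock PIN.
func NewDevice(pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pinHash: sha256.Sum256([]byte(pin)), priv: priv, pub: pub}, nil
}

// PublicKey is the only thing the device shares at registration time.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// SignChallenge verifies the PIN locally, then signs the server's challenge.
// A wrong PIN leaves the key locked and sends nothing.
func (d *Device) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server stores public keys only (one per registered device per user) and the
// challenge it is waiting on. A stolen copy of this state cannot produce a
// valid signature, unlike a stolen password or password hash.
type Server struct {
	registered map[string][]ed25519.PublicKey
	pending    map[string][]byte
}

func NewServer() *Server {
	return &Server{registered: map[string][]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register binds a device's public key to a user account.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = append(s.registered[user], pub)
}

// Challenge issues a fresh random nonce that the device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts the login only if a registered device signed the outstanding
// challenge. The challenge is consumed, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	for _, pub := range s.registered[user] {
		if ed25519.Verify(pub, c, sig) {
			return true
		}
	}
	return false
}

func main() {
	dev, _ := NewDevice("1234") // constructed sample PIN
	srv := NewServer()
	srv.Register("alice", dev.PublicKey())

	c, _ := srv.Challenge("alice")
	sig, _ := dev.SignChallenge("1234", c)
	fmt.Println("registered device, correct PIN:", srv.Verify("alice", sig)) // true
	fmt.Println("same signature replayed:", srv.Verify("alice", sig))        // false

	c, _ = srv.Challenge("alice")
	_, err := dev.SignChallenge("0000", c)
	fmt.Println("wrong PIN:", err) // key stays locked, nothing reaches the server

	other, _ := NewDevice("1234") // same PIN, but a device the server never registered
	sig, _ = other.SignChallenge("1234", c)
	fmt.Println("unregistered device, correct PIN:", srv.Verify("alice", sig)) // false
}
```

The last case is the device restriction Goerlich describes: knowing the PIN is worthless without the specific enrolled device, because the server only trusts signatures from keys it registered. The two factors are still present (possession of the device, knowledge of the PIN), but only a signature over a one-time challenge ever crosses the network.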