Sep 15 2022

Passwordless Authentication: Does Ditching Passwords Increase Security?

As organizations pursue hybrid work setups, passwordless authentication can give businesses greater confidence that workers at home are who they say they are.

Two and a half years into the COVID-19 pandemic, many workplaces are turning to hybrid work, with some employees at home and others in the office as the norm. 

According to a McKinsey survey released in June, 58 percent of employed respondents reported having the option to work from home for all or part of the week. That result was right in line with employees’ preferences, according to a Gallup survey, which found that 59 percent of respondents would prefer to work in hybrid settings.

However, security remains a paramount concern, with so many endpoints outside of the enterprise network seeking access to critical applications and data. The advent of passwordless authentication could make it easier for organizations to bolster their cybersecurity in the hybrid work era.

“Passwordless authentication is beneficial regardless of where workers are located,” says Karen Scarfone, the principal consultant for Scarfone Cybersecurity (and a BizTech contributor). “It would be most helpful in those situations where passwords are at the greatest risk of compromise — for example, people using personally owned devices on home networks for telework purposes.”

Hybrid Work sidebar


How Does Passwordless Authentication Improve Security?

For years, businesses have been deploying multifactor authentication (MFA) to enhance security and improve identity and access management. In addition to a password, users are required to provide a second factor of authentication to log in, either via a biometric identifier, private passkey or token.

There is significant evidence that the trickiest part of that setup is the password itself, says J. Wolfgang Goerlich, an advisory CISO for Cisco’s Duo Security. “So, we remove the password from that equation, and we log in with a single or multiple strong factors to complete that authentication prompt,” he says.

Scarfone frames passwordless authentication as MFA that “doesn’t use a password as one of its authentication factors.”

While the function of passwordless authentication is embedded in the name, Goerlich says that “savvy organizations and savvy security leaders are looking at this not just as a way to remove the password, but also as a way to increase strength in authentication and to offer some user benefits to the organizations.”

Click the banner below to explore the solutions you need for a well-honed hybrid-work environment.

How Does Passwordless Authentication Work?

Passwordless authentication keeps all the credentials local to each user, according to Scarfone. While some solutions involve PINs, “these PINs are only locally accessible and valid — unlike typical passwords, which are usually centrally stored and, once guessed or stolen by an attacker, susceptible to reuse by that attacker,” she says.

Passwordless authentication requires the person authenticating “to have physical access to the device they’re authenticating with. The user’s device needs to support one or more passwordless authentication mechanisms, and individual applications may need to support them as well,” Scarfone says. She notes that legacy software and applications are not always capable of supporting passwordless authentication.

Does Passwordless Authentication Need a Second Factor?

The short answer is yes, passwordless authentication requires two factors of authentication. They’re just not the user’s password.

“There are a couple of different ways that passwordless has been rolled out, and it can require multiple factors,” Goerlich says. “What’s important from a user experience perspective is that those factors seem seamless, so it’s one action or one activity.”

Duo advises organizations to keep MFA in place because auditors the company is hearing from in the field “are pushing back, saying, ‘Yeah, I understand you remove the password, but the checkbox still says multifactor,’” Goerlich says. “So, you still do need to have a couple of factors within that authentication.” Those could be a mix of biometrics, cryptographic tokens and private/secret keys. 

How Safe Is Passwordless Authentication?

Passwordless authentication is generally considered safer than MFA with a password as a factor, Scarfone says, “and it’s much safer than authenticating with a password only.”

However, nothing is failproof in security, she adds, and passwordless authentication is no exception. “There are still ways it can potentially be compromised, like stealing a user’s device and physical credentials, but it’s orders of magnitude safer than just using a password,” Scarfone says.

Today, if an attacker gets a user’s password, they can log in to an account from any device in the world, Goerlich says, and most likely get into an application. One of the strengths of passwordless is that it limits the devices users can authenticate from and on, restricting the attack surface.

Click the banner below to receive exclusive security content when you register as an Insider.

“It’s safer because basically you are removing the possibility that if somebody steals or phishes your password, they can’t then use that to access whatever they’re trying to access,” Goerlich says. “They need those factors that they might not necessarily have with them.”

Passwordless also limits phishing attacks, according to Goerlich. “The authenticator will look at that URL and match it up before it provides the credential,” he says. “So even if criminals are using the things that they’ve used for years, which is words that look similar or zeros instead of O’s, the authentication mechanism is not fooled by that, and therefore the common phishing techniques break down and are not applicable.”

Additionally, passwordless authentication is beneficial for hybrid work, Goerlich says. When users are working from home, it’s difficult to validate who they are to reset their passwords, so password reset costs have increased. Passwordless authentication eliminates the need to do that, he notes, as well as the need for a user to come into headquarters to reset their authentication.

Passwordless is “providing a really good user experience, and it’s reducing a lot of the friction that users face when trying to maintain access to their systems in the hybrid environment,” Goerlich says.

There are challenges in hybrid setups in enrolling and onboarding employees and ensuring they are not, for example, also enrolling their kids, or that they are maintaining tokens appropriately. In some cases, organizations are onboarding remote employees live in video chats, Goerlich says. “It’s really just working out what the processes are, and that takes time.”

What Is the FIDO Authentication Standard?

FIDO stands for Fast Identity Online. The FIDO Alliance is an organization that sets standards focusing on identity-related interoperability.

“The FIDO Alliance has created what’s called FIDO authentication, which is a standard that makes interoperable passwordless authentication possible,” Scarfone says.

FIDO puts forward standards such as the universal second factor, which is behind security keys and tokens, Goerlich notes.

FIDO2, the latest standard, was launched in 2018, and support for it expanded in 2020 across Apple products. “FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments,” the alliance notes. “The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).”

sumkinn/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.