Passwordless is being positioned by some as one of the “next big things in security.” But what does that really mean? What does using a non-password login look like for the user and for the business? What’s the actual process and what is the benefit? How is it “safer”?
These are really great questions, and we’re glad you asked. We brought in an expert, David Turner from FIDO Alliance, to answer all of the questions you have related to passwordless security.
David Turner has worked on identity products throughout his entire career and currently works as the Director of Standard Development with FIDO Alliance, helping to create and establish cybersecurity standards across the industry.
Here’s some of what was covered.
Why should we be looking at getting rid of passwords?
For one, complexity. Passwords are a “nightmare for users”, according to Turner. The frequent changes and mandatory character counts that keep passwords secure are frustrating (although necessary), and having to remember dozens of passwords across accounts can be next to impossible, which drives a lot of password reset requests.
But there’s also the ‘knowledge factor’. Once someone knows your password to one account, they will try it on other accounts, making it much easier for threat actors to breach multiple accounts. Plus, once a password is created, it can be stolen. Passwordless login carries a much lower risk of stolen credentials, and spares users the burden of password creation, management, and potential theft.
What exactly is passwordless authentication?
Passwordless is like the evolution of 2FA or MFA. Currently, some logins require a stepped-up security process that starts with entering the username and password, after which users receive a code via text, a push login from an authenticator app, or a passkey from a YubiKey. This additional step helps stop attackers if a password is stolen, because without this additional factor, the login can’t be completed.
Passwordless technology removes the password step altogether and authenticates with the stronger verification method alone. For instance, you come to a website and, instead of being asked to log in with a password, you’re prompted to authenticate with a FIDO credential, which is unlocked by facial recognition, a fingerprint, or some other unique identifier checked locally on your device.
This means that no passwords are sent over the web, so fewer credentials are stolen at login. There are also no passwords stored on the server, so there are none to steal during a breach.
Why does going passwordless matter if the user experience is the same?
It’s true, some users won’t see a big difference. To some degree, users have always had to do some kind of security confirmation when trying to access accounts. Using password managers has cut down on the need to type in a password or user name during login, so many users already sign into their accounts in a single step. Switching to a completely passwordless login method is just as streamlined, but it’s much safer. It makes accounts much more secure, and protects them from certain types of attacks.
Don’t miss out on this deep dive on passwordless! These questions were from only the first 15 minutes of this hour-long webinar. You can watch the full webinar on demand here.