Passwordless authentication: What is it and would you use it?
We use passwords everywhere. They are one of the simplest means of authentication, one that we are all used to and whose workings we all understand. The problem is that passwords are not very secure, especially given the way most of us use them. We tend to choose short, easy-to-remember (but also easy-to-guess) passwords and, since we use passwords on a myriad of websites and online accounts, we tend to heavily reuse them across websites. We simply cannot remember many complex passwords. Password managers, which help you create and manage unique, long and complex passwords, are a good solution for increasing the security of passwords. However, password managers are only popular among the most tech-savvy of us, leaving all the rest exposed to the insecurity of passwords.
So is there any solution? There is definitely no silver bullet to this problem, but there are a couple of different strategies that try to improve the situation:
Enhance the security of passwords using two-factor authentication (2FA).
Remove passwords from the equation and try to authenticate users by other means. This is called passwordless authentication.
How do you perform passwordless authentication?
It typically starts with the user entering their username (or it could be just a button prompting the user to log in with a previously used account). After that, there are a few ways in which passwordless authentication can be implemented. The following are some typical examples:
Receive an email containing a secret link, which the user can click to login.
Receive an SMS containing a one-time code, which the user has to enter in the login page to successfully authenticate.
Receive a push notification and approve the login via a mobile app (sometimes called authenticator app or trusted app) running on the user’s smartphone. The authenticator app has been previously associated with the user’s account and acts as a trusted anchor which can be used to login from other devices, browsers and applications. If the user’s phone offers biometric authentication capabilities (for example on iOS devices, fingerprint with TouchID or face recognition with FaceID), then the authenticator app can ask for the user to further authenticate using biometrics upon approving the login.
Futurae offers passwordless authentication experience using the authenticator app approach. The user receives a push notification (as described above using One-Touch) or alternatively, the user scans a QR code (with Scan Code) which then prompts the user to approve the particular login.
Is passwordless authentication secure?
It depends on the method used and who your attacker is. Email-based passwordless authentication depends on the security of your email account, which for authentication often relies on… you guessed it… passwords. Enabling 2FA for your email account can help increase security in this case. SMS-based passwordless authentication relies on the security of SMS messages, which has been shown to be vulnerable to eavesdropping attacks (the attack leverages cellular network weaknesses to intercept the SMS message) and SIM substitution attacks (the attacker uses social engineering techniques to get access to a SIM card activated with your phone number, so that they can receive SMS messages destined for your number).
Arguably, login approval via an authenticator app is one of the passwordless authentication variants that offers the highest security. Especially when combined with biometric authentication offered by the mobile phone (or at least a PIN if no biometric authentication is available), it offers a passwordless 2FA experience, as is the case with One-Touch by Futurae. An attacker, in order to log in as you, would have to get access to your phone, something that you have (the first factor), and also defeat the biometric authentication of your phone, something that you are (the second factor). But be careful! Only approve login attempts which were initiated by you! In other words, do not just automatically approve any login request incoming to your app, because you might end up approving the attacker's attempts!
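To make the three methods listed above concrete, and to show what the "only approve attempts you started" warning looks like on the server side, here is an added example of the bookkeeping a passwordless login service needs. It is hypothetical code written for this page, not Futurae's implementation; the class and method names, the lifetimes in TTL, and the login.example.test URL are all invented. Each challenge is bound to one username and one public challenge id, only a hash of the secret is stored, every challenge is single-use and time-limited, the SMS code gets a bounded number of guesses, and a push approval only ever unlocks the specific challenge id the app was shown, so a stray push for an attempt the user did not start can be declined without affecting anything else.

```python
"""Server-side bookkeeping for the three passwordless challenge types
(magic link, SMS code, push approval). Hypothetical design written for
this page; it is not Futurae's implementation and all names are invented."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Challenge:
    username: str
    kind: str                       # "link", "sms" or "push"
    secret_hash: Optional[bytes]    # only a hash of the secret is kept; None for push
    expires_at: float
    tries: int = 3                  # wrong guesses allowed before the challenge dies
    approved: bool = False          # push flow: set by the authenticator app
    consumed: bool = False          # every challenge is single-use


class PasswordlessChallenges:
    # Constructed lifetimes in seconds; the real values are a policy choice.
    TTL = {"link": 600.0, "sms": 300.0, "push": 120.0}

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for deterministic tests
        self._pending: dict = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _store(self, username: str, kind: str, secret: Optional[str]) -> str:
        # The challenge id is public (it may be shown on screen); the secret is not.
        cid = secrets.token_urlsafe(16)
        digest = self._hash(secret) if secret is not None else None
        self._pending[cid] = Challenge(username, kind, digest,
                                       self._clock() + self.TTL[kind])
        return cid

    def _live(self, cid: str) -> Optional[Challenge]:
        ch = self._pending.get(cid)
        if ch is None or ch.consumed or self._clock() > ch.expires_at:
            return None
        return ch

    def issue_link(self, username: str):
        """Magic link: a long random token that only ever travels in the e-mail."""
        secret = secrets.token_urlsafe(32)
        cid = self._store(username, "link", secret)
        return cid, f"https://login.example.test/magic?cid={cid}&t={secret}"

    def issue_sms_code(self, username: str):
        """One-time code: short and guessable, so short-lived with bounded tries."""
        code = f"{secrets.randbelow(10**6):06d}"
        return self._store(username, "sms", code), code

    def issue_push(self, username: str):
        """Push approval: the app is told exactly which login attempt it is approving."""
        cid = self._store(username, "push", None)
        payload = {"cid": cid, "username": username, "issued_at": self._clock()}
        return cid, payload                       # payload goes to the user's app

    def approve_push(self, cid: str, app_username: str) -> bool:
        """Called by the authenticator app after the user confirms (biometrics/PIN).
        The approval is bound to one challenge id, so declining a push for an
        attempt the user did not start never unlocks another session."""
        ch = self._live(cid)
        if ch is None or ch.kind != "push" or ch.username != app_username:
            return False
        ch.approved = True
        return True

    def redeem(self, cid: str, presented: Optional[str] = None) -> Optional[str]:
        """Called from the browser session that started the login.
        Returns the authenticated username, or None."""
        ch = self._live(cid)
        if ch is None:
            return None
        if ch.kind == "push":
            if not ch.approved:
                return None                       # still waiting; the browser polls again
            ch.consumed = True
            return ch.username
        if presented is not None and hmac.compare_digest(self._hash(presented), ch.secret_hash):
            ch.consumed = True                    # correct secret: single use
            return ch.username
        ch.tries -= 1                             # wrong guess: bounded attempts
        if ch.tries <= 0:
            ch.consumed = True
        return None
```

The browser session keeps only the challenge id and polls redeem; the secret (link token or SMS code) reaches the server just once, and a push challenge carries no secret at all, since the trust comes from the app that approved that exact id. Rate limiting per account and per IP, and a persistent store instead of the in-memory dict, are the obvious additions for production.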
I like having and using a password
Fair enough. After all, passwords have been with us for a very long time and we are so used to them that it can be hard to let them go. In this case, enabling 2FA for your online accounts is a good way to keep them secure.
At Futurae we offer a range of 2FA solutions. In particular our Zero-Touch authentication technology is designed to make the 2FA experience as seamless as possible. It works by verifying that your phone is nearby whenever you are logging in to a website that is protected with Zero-Touch. This happens invisibly in the background in a matter of seconds, so all you have to do is enter your username and password, as usual, and after a few seconds you will be securely logged in, as long as your phone is somewhere around you.
Password or passwordless?
Do you already use some form of 2FA for some of your online accounts? If you are using e-banking, chances are that you do, as most banks enforce the use of 2FA authentication for their e-banking platforms. For example, you might be receiving one-time codes via SMS, or using an authenticator app or a hardware token, in addition to entering your password.
So, if you are familiar with 2FA, we would like to hear your opinion! Would you prefer to make your 2FA experience easier by using a seamless 2FA approach like Futurae Zero-Touch? Or would you rather forgo your passwords and use passwordless authentication? Or would you rather keep your current authentication solution, with a combination of password and the 2FA mechanism(s) you are currently using? Find out more about how the Futurae Strong Authentication Suite can support your business.