Passwordless authentication relies on a cryptographic key pair – a private and a public key. The public key is provided during registration to the authenticating service (remote server, application or website), while the private key is kept on the user's device and can only be used when a biometric signature, hardware token or other passwordless factor is presented. In the most common implementations, users are asked to enter their public identifier (username, mobile phone number, email address or any other registered ID) and then complete the authentication process by providing a secure proof of identity in the form of an accepted authentication factor. These factors classically fall into two categories:
- Ownership factors ("something the user has") such as a cellular phone, OTP token, smart card or hardware token.
- Inherence factors ("something the user is") such as fingerprints, retinal scans, face or voice recognition and other biometric identifiers.
Passwordless authentication is sometimes confused with Multi-factor Authentication (MFA), since both use a wide variety of authentication factors, but while MFA is used as an added layer of security on top of password-based authentication, passwordless authentication doesn't require a memorized secret and usually uses just one highly secure factor to authenticate identity, making it faster and simpler for users.
"Passwordless MFA" is the term used when both approaches are employed and the authentication flow is both passwordless and uses multiple factors, providing the highest security level when implemented correctly.
The notion that passwords should become obsolete has been circulating in computer science since at least 2004. Bill Gates, speaking at the 2004 RSA Conference, predicted the demise of passwords, saying "they just don't meet the challenge for anything you really want to secure." In 2011 IBM predicted that, within five years, "You will never need a password again." Mat Honan, a journalist at Wired who was the victim of a hacking incident, wrote in 2012 that "The age of the password has come to an end." Heather Adkins, manager of Information Security at Google, said in 2013 that "passwords are done at Google." Eric Grosse, VP of security engineering at Google, said that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." Christopher Mims, writing in the Wall Street Journal, said the password "is finally dying" and predicted its replacement by device-based authentication. Avivah Litan of Gartner said in 2014, "Passwords were dead a few years ago. Now they are more than dead." The reasons given usually cite the usability problems of passwords as well as their security problems.
Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. (The technical report is an extended version of the peer-reviewed paper by the same name.) Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while every scheme does worse than passwords on deployability. The authors conclude with the following observation: “Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.”
Recent technological advances (e.g. the proliferation of biometric devices and smartphones) and a changing business culture (for example, acceptance of biometrics and a decentralized workforce) continue to drive the adoption of passwordless authentication. Leading technology companies (Microsoft, Google) and industry-wide initiatives are developing better architectures and practices to bring it into wider use, with many taking a cautious approach and keeping passwords behind the scenes in some use cases. The development of open standards such as FIDO2 and WebAuthn has further driven adoption of passwordless technologies such as Windows Hello. On June 24, 2020, Apple announced that Face ID or Touch ID would be available in Safari as a WebAuthn platform authenticator for passwordless login.
Benefits and drawbacks
Proponents point out several unique benefits over other authentication methods:
- Greater security – passwords are known to be a weak point in computer systems (due to reuse, sharing, cracking, spraying, etc.) and are regarded as a top attack vector responsible for a large share of security breaches.
- Better user experience – users are not required to remember complicated passwords or comply with differing security policies, nor to renew passwords periodically.
- Reduced IT costs – since no password storage and management are needed, IT teams are no longer burdened with setting password policies, detecting leaks, resetting forgotten passwords, and complying with password storage regulation.
- Better visibility of credential use – since credentials are tied to a specific device or inherent user attribute, they cannot be harvested and used in bulk, and access management becomes tighter.
- Scalability – managing multiple logins without additional password fatigue or complicated registration.
While others point out operational and cost-related disadvantages:
- Implementation costs – although it is accepted that passwordless authentication leads to savings in the long term, deployment costs are currently a hindering factor for many potential users. The cost is associated with the need to deploy an authentication mechanism on an existing user directory and sometimes with additional hardware issued to users (e.g. OTP tokens or security keys).
- Training and expertise needed – while most password management systems are built similarly and have been in use for many years, passwordless authentication requires adaptation by both IT teams and end users.
- Single point of failure – in particular, implementations using OTP or push notifications to applications on a cellular device can create a problem for the end user if the device is broken, lost, stolen or simply upgraded.
References
- Kotadia, Munir (2004-02-25). "Gates predicts death of the password". News.cnet.com. Retrieved 2020-04-12.
- Kotadia, Munir (2004-02-25). "Gates predicts death of the password". ZDNet. Retrieved 2019-05-08.
- "IBM Reveals Five Innovations That Will Change Our Lives within Five Years". IBM. 2011-12-19. Archived from the original on 2015-03-17. Retrieved 2015-03-14.
- Honan, Mat (2012-05-15). "Kill the Password: Why a String of Characters Can't Protect us Anymore". Wired. Archived from the original on 2015-03-16. Retrieved 2015-03-14.
- "Google security exec: 'Passwords are dead'". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
- "Authentication at Scale". IEEE. 2013-01-25. Archived from the original on 2015-04-02. Retrieved 2015-03-12.
- Mims, Christopher (2014-07-14). "The Password is Finally Dying. Here's Mine". Wall Street Journal. Archived from the original on 2015-03-13. Retrieved 2015-03-14.
- "Russian credential theft shows why the password is dead". Computer World. 2014-08-14. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
- Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Technical report. Cambridge, UK: University of Cambridge Computer Laboratory. ISSN 1476-2986. Retrieved 2019-03-22.
- Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44.
- "Use passwordless authentication to improve security". Microsoft.com. 2020-01-28. Retrieved 2020-04-12.
- "Making authentication even easier". security.googleblog.com. 2019. Retrieved 2020-04-12.
- "Apple Developer Documentation". developer.apple.com. Retrieved 2020-10-07.
- Smithson, Nigel (2020-06-09). "Issues with Multi-Factor Authentication: PSA for MFA App Users". sayers.com.
- "Secret Double Octopus". Passwordless authentication for enterprise environments.