8 Ways to Authenticate Without Passwords
Passwordless authentication has a shot at becoming more ubiquitous in the next few years. We take a look at where things stand at the moment.
So are we finally doing this? Are we finally moving to passwordless authentication?
Microsoft and Google have been pushing this aggressively over the past several months, and Apple has been a major player by being the first out of the box with fingerprint authentication on the iPhone. Most PCs and Mac laptops now offer Touch ID, so inside of a year or two people can use them for passwordless authentication, too.
The industry largely views passwords as outdated and one of the major causes of breaches. According to Verizon's "2019 Data Breach Investigations Report," more than 80% of breaches leverage stolen or weak passwords. That's why the industry has been pushing for open standards, such as FIDO (Fast Identity Online), which would help security teams and developers more readily deploy passwordless authentication. The FIDO Alliance, which was founded by next-generation authentication company Nok Nok Labs, PayPal, Lenovo, Validity Sensors, Infineon, and Agnitio, began developing its passwordless authentication protocol in 2012.
Recent research by Ant Allan, a Gartner analyst who focuses on passwordless authentication, predicts that by 2022, 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.
To be sure, vendors have taken notice. Here are eight of the leading passwordless authentication approaches and a look at what needs to happen moving forward.
Alex Simons, corporate VP of program management in Microsoft's Identity Division, says Microsoft believes it's very important to move the entire industry away from passwords and into a world of strong and simple-to-use forms of authentication.
Windows Hello serves as the first part of Microsoft's efforts to end passwords. Windows Hello lets people use a biometric or PIN to unlock a PC and access their apps and first-party cloud resources. The second part of Microsoft's passwordless approach is the Microsoft Authenticator app, which lets users on any platform (Mac, Chromebook, Android, iOS) use an app on their smartphones to sign in to their accounts without a password. Finally, with Microsoft's support for FIDO2, the software maker aims to work with the industry to deliver strong, easy-to-use, cross-platform passwordless authentication.
In a nutshell, FIDO2 consists of two standards: WebAuthn and CTAP (Client to Authenticator Protocol). WebAuthn functions as a browser-based API that lets Web applications authenticate users with public-key cryptography instead of passwords. WebAuthn supports user authentication with built-in authenticators, such as Microsoft Windows Hello, or a remote authenticator, like a cell phone or FIDO security key. CTAP allows remote authenticators to "talk" to Web browsers. According to Andrew Shikiar, chief marketing officer of the FIDO Alliance, FIDO2 offers an open standard that can run on any device and website.
Microsoft was one of the first Fortune 500 companies to support passwordless authentication using the FIDO2 open standard, Simons adds.
Guemmy Kim, group product manager for account security at Google, says Google has made it a priority to implement two-factor authentication (2FA) so that it is not relying solely on passwords for account security. She says phishing has become one of the most common causes of security breaches, and securing access to online accounts is critical for safeguarding private, financial, and other sensitive data online.
2FA and passwordless authentication based on FIDO standards can help to offer users a safer and more convenient security experience, Kim adds. In a recent announcement, Google said it would bring built-in security keys to Android 7+ phones.
"One way to make security more usable and accessible is to bring support for industry standards across our products so that as users become more familiar with these standards across all the services they use, they're also able to take advantage of higher levels of security," Kim says. "With the FIDO2 standard protocol, we are within reach of solving the security implications of phishing together as an industry. Android and Chrome already support FIDO2. Android phone's built-in security key is also built with FIDO2 support. And our next goal is to enable FIDO2/WebAuthn in Google login."
Steve Won, group product manager at Duo Security, says three building blocks have propelled passwordless authentication into the forefront. It started with hardware like Apple's S-Series chips, which are tamper-resistant and can safeguard and manage digital keys.
Next up was biometric authentication in the form of thumbprints and facial recognition pioneered by Apple and Android products. Finally, open standards, such as WebAuthn and CTAP, which together make up FIDO2, let companies like Duo Security make it possible for users to authenticate with a biometric, replacing traditional passwords.
"Essentially, WebAuthn allows for asymmetric cryptography in which the private key never leaves the user's device," Won explains. "The key is never shared."
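To make concrete what "the private key never leaves the device" and the FIDO2 description above mean in practice, here is an added example (not code from Duo Security, Microsoft, or the FIDO Alliance) of a WebAuthn-style assertion exchange in Go. The authenticator side signs over authenticatorData plus the SHA-256 of clientDataJSON; the relying-party side checks type, challenge, origin, rpIdHash, the user-presence flag and the signature counter before verifying the ECDSA P-256 signature against the stored public key. The relying party `example.com`, the origin `https://example.com`, the flag and counter values, and the `Demo` scenarios are all constructed for the example; it uses only the Go standard library and omits the CBOR attestation and CTAP transport that a real registration flow involves.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is everything the relying party (RP) keeps for a registered authenticator:
// the public key and the last signature counter it saw. The private key stays on the device.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// clientData mirrors the CollectedClientData fields the browser serialises and the
// authenticator signs over: ceremony type, challenge and the page origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// newChallenge returns 32 random bytes, base64url-encoded without padding, as WebAuthn expects.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildAuthData lays out the first 37 bytes of authenticatorData:
// SHA-256(rpID) || flags || big-endian signature counter.
func buildAuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], count)
	return append(append(append([]byte{}, h[:]...), flags), c[:]...)
}

// authenticatorSign is the device side: it signs authData || SHA-256(clientDataJSON)
// with the private key and hands back only the signature, never the key.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, count uint32, clientDataJSON []byte) ([]byte, []byte, error) {
	authData := buildAuthData(rpID, 0x01, count) // 0x01 = user present (UP) flag
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

// verifyAssertion is the RP side of a login: the checks the WebAuthn spec requires
// before the signature, then the signature itself against the stored public key.
func verifyAssertion(cred *Credential, challenge, origin, rpID string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("clientData.type is not webauthn.get")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was produced for a different site")
	case len(authData) < 37:
		return errors.New("authenticatorData too short")
	case !bytes.Equal(authData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case authData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("signature counter did not advance: possible cloned authenticator")
	}
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], sig) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count // persist the counter only after a fully valid assertion
	return nil
}

// Demo runs one valid login, then a replay of the same assertion, then an assertion whose
// clientData names a different origin, and returns the three verification results.
func Demo() (valid, replay, wrongOrigin error) {
	const rpID, origin = "example.com", "https://example.com" // hypothetical RP
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created and held on the authenticator
	cred := &Credential{PublicKey: &priv.PublicKey}              // all that registration leaves with the RP

	chal, _ := newChallenge()
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: chal, Origin: origin})
	authData, sig, _ := authenticatorSign(priv, rpID, 1, cdJSON)
	valid = verifyAssertion(cred, chal, origin, rpID, cdJSON, authData, sig)

	replay = verifyAssertion(cred, chal, origin, rpID, cdJSON, authData, sig)

	chal2, _ := newChallenge()
	otherCD, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: chal2, Origin: "https://other.example"})
	authData2, sig2, _ := authenticatorSign(priv, rpID, 2, otherCD)
	wrongOrigin = verifyAssertion(cred, chal2, origin, rpID, otherCD, authData2, sig2)
	return
}

func main() {
	valid, replay, wrongOrigin := Demo()
	fmt.Println("valid login:", valid)
	fmt.Println("replayed assertion:", replay)
	fmt.Println("different origin:", wrongOrigin)
}
```

The origin check is the property that makes FIDO2 resistant to phishing: the browser, not the page, fills in the origin, so an assertion collected on one site does not verify on another. In a real deployment the challenge is stored server-side and discarded after one use, so a replay fails on the challenge check before the counter check ever runs; the demo keeps the challenge alive only to show the counter logic.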
Duo Security has posted two educational websites that help security pros learn more about WebAuthn: One provides a general background on the Web authentication specification and passwordless authentication. The other lets developers demo and test the functionality of the WebAuthn spec on their websites with open source libraries.
Ping Identity CISO Robb Reck says the promise of future continuous, risk-based authentication is better security and improved convenience. By using multifactor authentication, Ping Identity can use sensors in people's phones and laptops to continuously authenticate users and allow them to access their resources based on the quality of that ongoing trust. This process only calls for authentication when trust is lost, and then only requests the level of assurance required for the type of transaction the user wants to make.
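The continuous, risk-based model described above (authenticate only when trust is lost, and then only to the level the transaction needs) can be sketched as a small policy engine. The Go program below is an added illustration, not Ping Identity's code or the PingID policy: the three assurance levels, the 15-minute and 8-hour decay windows, the `view_balance`/`transfer` transaction types and the device/network signals are all hypothetical, chosen only to show how stored session trust, sensor signals and per-transaction requirements combine into an allow-or-step-up decision.

```go
package main

import (
	"fmt"
	"time"
)

// Assurance is how strongly the user was last authenticated (hypothetical three-level scale).
type Assurance int

const (
	None Assurance = iota
	Low             // e.g. an approved push notification
	High            // e.g. a biometric or FIDO2 assertion
)

// Session is what the relying party remembers after the last explicit authentication.
type Session struct {
	Level    Assurance
	LastAuth time.Time
	DeviceID string
	Network  string // coarse network/location signal reported by the device
}

// Signal is the context observed at the moment the user attempts an action.
type Signal struct {
	DeviceID string
	Network  string
	Now      time.Time
}

// Decision either lets the action through or names the assurance level to request.
type Decision struct {
	Allow  bool
	StepUp Assurance
	Reason string
}

// required maps transaction types to the assurance they need (hypothetical policy).
var required = map[string]Assurance{
	"view_balance": Low,
	"transfer":     High,
}

// Hypothetical decay policy: a strong authentication counts as High for 15 minutes,
// then as Low for up to 8 hours; any device or network change drops trust to None.
const (
	highTTL = 15 * time.Minute
	lowTTL  = 8 * time.Hour
)

// EffectiveLevel turns the stored session plus current signals into the trust the RP has now.
func EffectiveLevel(s Session, sig Signal) (Assurance, string) {
	if sig.DeviceID != s.DeviceID || sig.Network != s.Network {
		return None, "device or network changed since last authentication"
	}
	age := sig.Now.Sub(s.LastAuth)
	switch {
	case s.Level == High && age <= highTTL:
		return High, "strong authentication still fresh"
	case s.Level >= Low && age <= lowTTL:
		return Low, "trust decayed to low"
	}
	return None, "session trust expired"
}

// Evaluate is the policy decision point: re-authenticate only when trust is insufficient,
// and then only to the level the transaction needs.
func Evaluate(s Session, sig Signal, txn string) Decision {
	need, ok := required[txn]
	if !ok {
		return Decision{Allow: false, StepUp: High, Reason: "unknown transaction type"}
	}
	have, why := EffectiveLevel(s, sig)
	if have >= need {
		return Decision{Allow: true, Reason: why}
	}
	return Decision{Allow: false, StepUp: need, Reason: why}
}

func main() {
	t0 := time.Date(2019, 6, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	s := Session{Level: High, LastAuth: t0, DeviceID: "phone-1", Network: "home"}
	same := Signal{DeviceID: "phone-1", Network: "home"}
	cases := []struct {
		at  time.Duration
		sig Signal
		txn string
	}{
		{5 * time.Minute, same, "transfer"},
		{30 * time.Minute, same, "view_balance"},
		{30 * time.Minute, same, "transfer"},
		{5 * time.Minute, Signal{DeviceID: "laptop-2", Network: "home"}, "view_balance"},
	}
	for _, c := range cases {
		c.sig.Now = t0.Add(c.at)
		fmt.Printf("%-12s after %v: %+v\n", c.txn, c.at, Evaluate(s, c.sig, c.txn))
	}
}
```

Unknown transaction types deliberately fail closed to the highest level; a policy engine that defaults to "allow" for anything it has not been told about is the usual way such systems leak.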
"The key to a successful end-user experience is providing it regardless of the device the consumers are connecting from," Reck says. "A huge portion of consumer-facing businesses, such as online retail, have moved to the smartphone, so any customer experience initiative needs to consider that platform from the start."
Ping plans to replace passwords with push notifications to mobile devices and offer scannable QR codes, which produce one-time passcodes for users, Reck says. With the PingID mobile SDK, enterprises can balance security and convenience for customers by embedding advanced MFA functionality directly into their own iOS or Android mobile apps. This lets organizations allow their customers to log in with easier methods than having to remember a password.
The same goes for laptops and PCs, Reck adds. Organizations are replacing passwords and supplementing them in the sign-on process to these devices.
"By adding multifactor authentication to processes like Windows login, organizations can either remove password requirements and instead have employees use a friendlier range of mobile push authentication methods, or use those in addition to passwords for a more secure logon process," Reck says. "We're also implementing Windows Hello as an authentication factor in PingID with the same intention."