A passwordless identity is any user identity that does not require an alphanumeric password for gaining access to applications and services associated with that particular user. Instead, the identity is bound to a public-private key pair that acts as the primary credential for user authentication.
In practice, it is a method of user authentication that lets a person log in to a computer system, electronic device, service, or application without having to create, remember and enter a password or any other knowledge-based secret such as a PIN code, a secret number, or the answer to a personal question.
Asymmetric cryptography, also known as public-key cryptography, is a system for encrypting information that uses two keys: a public key, which may be known to others, and a private key, which must never be known to anyone but its owner. These key pairs are generated by cryptographic algorithms based on one-way mathematical functions. They are called one-way because they are easy to compute in the forward direction but hard to invert, so the original input cannot practically be recovered from the result.
Asymmetric cryptography relies on keeping the private key private. This ensures that anyone can encrypt a message using the public key, but only the intended recipient can decrypt it with their private key. Asymmetric encryption has been around for a long time and is not going away anytime soon.
Generally speaking, a passwordless identity is based on asymmetric public-key cryptography and is inherently multi-factor at its roots, since it combines a strong possession factor with biometrics. However, the passwordless identity method is not the same as most multi-factor authentication systems. Most multi-factor authentication (MFA) methods include a password as one step or option in the layering process; they are simply an added layer of security on top of password-based authentication.
Such systems use several different factors to authenticate a user's identity, such as a password, a mobile phone that receives a one-time authentication code, and possibly a fingerprint. This is known as password-based multi-factor authentication. Passwordless identification requires no memorized secret and usually uses just one highly secure factor out of the two available to authenticate identity, making it faster and simpler for users.
How Does Passwordless Identity Authentication Work?
A passwordless identity is based on an authentication method that verifies a user's identity without passwords or any other memorized, knowledge-based secret. Instead, systems using the passwordless identity method verify users based on two main factors: a possession factor (something you have) and an inherence factor (something you are).
The possession factor is an object that uniquely identifies the user, such as a one-time password (OTP) sent to a mobile phone via SMS, an e-mail containing a “magic link” or single-use URL, a registered mobile device, a smart card, or a hardware token. The inherence factor is a person's biometric signature: a fingerprint, retinal scan, voice or face recognition, or another biometric identifier.
Password-based user authentication uses a third factor: the knowledge factor (something you know), meaning passwords, passphrases, or PIN codes. This factor, the basis of password-based authentication, is far more susceptible to theft, cracking, and sharing by users, and can often be guessed or deciphered within seconds. By completely removing the attacker's favorite target, passwordless authentication gives users a true passwordless identity while increasing security and ease of use and reducing overall cost.
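The text above describes an identity bound to a key pair and verified through a possession factor plus a local inherence check. The following is an added example, written for this page and not code from the original article or any named product, showing how such a login actually uses the key pair: the device's private key signs a server-issued challenge and the server verifies the signature with the enrolled public key (signing and verification, rather than the encrypt/decrypt direction described earlier). It assumes Ed25519, an in-memory map in place of a credential store, an `unlocked` flag standing in for the biometric or PIN gate on the device, and the constructed user names `alice` and `bob`.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the relying party: it stores each user's enrolled public key and the
// challenge it is waiting on (in-memory maps stand in for a credential store here).
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Device is the user's authenticator. The private key never leaves it, and
// the unlocked flag stands in for the local biometric or PIN gate (assumption).
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// NewDevice generates the key pair that becomes the user's credential.
func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only half of the pair ever sent to the server.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
// Unlock simulates a successful local biometric or PIN check.
func (d *Device) Unlock() { d.unlocked = true }

// Enroll binds a user name to a public key; ed25519.Verify panics on a wrongly sized key.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("enroll: malformed public key")
	}
	s.pubKeys[user] = pub
	return nil
}

// IssueChallenge creates a fresh random nonce, replacing any older one. It is issued
// even for unknown users so that the login flow does not reveal who is enrolled.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// loginMessage ties the signature to a purpose and a user name, so a signature
// made for one context is meaningless in another.
func loginMessage(user string, challenge []byte) []byte {
	return append([]byte("passwordless-login:"+user+":"), challenge...)
}

// Sign answers a challenge, but only after the local gate has passed.
func (d *Device) Sign(user string, challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("sign: authenticator locked")
	}
	return ed25519.Sign(d.priv, loginMessage(user, challenge)), nil
}

// VerifyLogin accepts a response only if the challenge is the one outstanding for the
// user and the signature verifies under the enrolled key. The challenge is consumed
// on every attempt, so a captured response cannot be replayed.
func (s *Server) VerifyLogin(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	outstanding, ok := s.challenges[user]
	if !ok || !bytes.Equal(outstanding, challenge) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, loginMessage(user, challenge), sig)
}

func main() {
	srv := NewServer()
	dev, _ := NewDevice()
	_ = srv.Enroll("alice", dev.PublicKey())
	dev.Unlock()
	ch, _ := srv.IssueChallenge("alice")
	sig, _ := dev.Sign("alice", ch)
	fmt.Println("login accepted:", srv.VerifyLogin("alice", ch, sig))
	fmt.Println("replay accepted:", srv.VerifyLogin("alice", ch, sig))
}
```

Two design points carry the security argument of the section. The server stores only public keys, so a breach of its database yields nothing that can be replayed as a credential, unlike a password hash table. And each challenge is random and single-use, which is why a captured login response is useless to an eavesdropper; the prefix in `loginMessage` additionally stops a signature produced for one user or purpose from being presented as another.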
Benefits of Having a Passwordless Identity
Password-based identities, while useful at one point in history, have begun to outlive their usefulness. For one thing, passwords are too easy to crack or intercept. People, in a bid to reduce the inconvenience that comes with them, choose predictable passwords: most commonly their own names, the names of family and friends, or important dates in their lives such as a birthday, anniversary, or graduation date.
Additionally, people have many accounts, both online and offline, that require password authentication: email accounts, phones, laptops, service subscriptions, and so on. They are usually advised to create a different password for each account, but it is extremely strenuous to create and remember every password and its corresponding account.
It is estimated that the average online computer user currently has about 200 accounts that require some sort of password, and that number will more than double by 2023. While this statistic seems incredible, it is true. It has given rise to what has been dubbed ‘password fatigue’: users are tired of creating new passwords they won't remember, so they begin to take security risks like writing passwords down, reusing the same password across multiple accounts, or reusing it with a slight variation (adding a number or special character, or capitalizing a few letters).
They start to share passwords with family and friends to help them remember, and use obvious, easily guessed phrases. These sloppy and careless decisions cause about 81% of the world's data breaches. While the benefits of passwordless identities cannot be overstated, here are a few of the main ones:
- Better User Experience (UX): Passwordless authentication provides greater usability than traditional means of authentication by freeing the user from memorizing secret words, phrases, or alphanumeric codes, creating a new password for every account they set up, and periodically renewing passwords. This greatly streamlines the authentication process.
- Better Security: Passwords pose a major risk because users reuse passwords and even share them with others. That risk is eliminated when passwords are removed from the equation and replaced with newer, more secure forms of authentication: fingerprint and face scanning technology.
- Reduced IT costs: Passwords are also quite expensive and require constant monitoring and maintenance from IT staff, especially when users forget them and need to have them reset. Password storage and management is no longer needed, and so IT teams are no longer burdened with setting password policies, detecting leaks, resetting forgotten passwords, and so on.
- Better visibility of credential use: Since user credentials are tied to a specific device or inherent user attribute, they can’t be easily hacked and access management becomes much tighter.
- Scalability: With passwordless identity, users can manage multiple logins without additional password fatigue or complicated registration.
No matter which factor of passwordless identification is used, possession or inherence, it is still more secure than password-based identification. Instead of reusing the same password on different sites, forgetting and resetting passwords, and all the rest of that hassle, a system based on passwordless identification relies on an artifact unique to the user each time they log in. It is largely immune to data breaches that expose user account credentials, credential stuffing, credential theft by malware, phishing, and so on. It removes the need to build a password-reset system, which is usually a password-based system's weakest link.