How Secure Is Passwordless Authentication?

Passwordless authentication is often thought of as a novel method of authentication. Authentication, the process by which users offer evidence of who they are, is an important step for many organizations, large and small, private and public. In an increasingly digital and increasingly online world, authentication is a part of nearly everything we do. For many purposes, passwords are the gold standard—used nearly everywhere and known by many.

However, password protection isn’t the only, or even necessarily always the best, authentication method. Rather, there are a number of alternative ways to authenticate users, which may be referred to as passwordless authentication. But what is passwordless authentication, exactly? What does it look like, and is it safe? How does it compare to authentication which relies on passwords?

To learn more, read on. We’ll explore passwordless authentication, whether it’s safe, and how it compares to password-based authentication.

What is passwordless authentication?

Passwordless authentication, as the name suggests, is any authentication method which does not require the use of passwords. There are numerous reasons to choose alternatives to passwords for secure authentication. These can range from convenience (passwords can be a challenge to memorize or securely store) to security (passwords can be stolen and broken).

So if passwordless authentication doesn’t rely on passwords, what does it rely on? Passwordless security can vary. While a password is considered “something one knows,” other forms of authentication may rely on something one does, something one is, or something one has. These may include, but are not limited to:

  • Biometrics, or “something one is,” such as a retina scan, fingerprint, voice recognition or face recognition.
  • “Something one has,” such as a digital certificate, a keycard with a magnetic strip, or a proximity badge with a Radio Frequency Identification, or RFID, chip in it.
  • “Something one does,” such as answering a security question, or entering a code for two-factor authentication.

How secure is passwordless authentication?

In short, it can be very secure, often more so than passwords. This is, in part, because passwords can represent a range of security risks, on top of being highly inconvenient. Passwords can sometimes be easily guessed. They can also be lost, stolen, and reused.

As users are afraid of forgetting their passwords and fearful of being locked out of important systems, they may default to unsafe practices—such as reusing the same password across multiple systems, or using a password that includes easily guessable information such as their date of birth, or the birth date of a loved one. They may also do things such as write down their password on a piece of paper or in an unsecured digital document and lose said piece of paper or digital document. These types of unsafe practices and the factors that drive people to engage in them can make the human element very difficult to mitigate.

Meanwhile, passwordless authentication methods, such as biometrics, can be extremely secure. While a password can be guessed, stolen, or brute forced, biometric authentication systems, for example, can be extremely difficult to fool.

Why use passwordless authentication?

There are many reasons to use passwordless authentication. In some instances, passwordless authentication may be combined with password authentication—such as in the case of two-factor authentication where a user might first enter a password and then enter a code from a text message, or approve the login from an app on their mobile device.

In other instances, passwordless authentication may entirely replace password-based authentication methods. In some settings, it may make more sense to use passwordless authentication over password-based authentication in the first place. For example, allowing employees into secure areas at a business’s headquarters may be more simply carried out through proximity badges than by using a password lock system for doors.

While the reasons can vary greatly, there are some common factors that are often relevant:

  • Passwords can be stolen.
  • Passwords can be broken.
  • Passwords can be difficult to track and memorize.
  • Passwords can be forgotten.
  • Passwords can be reused across multiple systems, making them less secure, and rules against reuse are difficult to enforce.

This isn’t, of course, to say that passwordless authentication methods are without their share of vulnerabilities and drawbacks, or that passwords are never a good option. Still, it’s important to understand that there are many reasons why an organization might opt for passwordless authentication methods in the place of password authentication. These can range from simple convenience to security concerns.

Password-based authentication systems have several drawbacks: they carry hard-to-mitigate security risks associated with human behavior; they can be inconvenient, requiring users to create and memorize unique passwords for each new system they use; and they can be compromised through brute force attacks, guessing, and phishing.

The bottom line

The truth is, even though passwords are often the standard, there are many cases in which a password may not be the best authentication method an organization could use. Passwordless authentication can be an ideal solution to authentication needs in many cases. The benefits of passwordless authentication can be numerous—enabling users to have a simpler and more secure authentication experience.

Some passwordless authentication methods include: biometrics, such as eye, fingerprint, or face scanning; something one has, such as an ID card equipped with RFID, a proximity badge, or an ID card with a magnetic strip; or something one does, such as answering a security question, completing a captcha, or entering a 2-factor authentication code received in a text message.

Passwordless authentication methods can be highly secure. They can also be more convenient than passwords for their users. What’s more, password authentication represents some hard-to-mitigate security risks—such as that of human users choosing weak passwords, or reusing passwords across multiple systems, some better protected than others from data breaches.

While no single authentication method or even type of authentication method is the best in every situation, nor is there any authentication method that’s truly invulnerable to attack, passwordless authentication is often a viable and secure solution for authentication needs.