What is passwordless authentication?
Passwordless authentication is signing into a service without using a password. This is often done with certificates, security tokens, one-time passwords (OTPs) or biometrics. Passwordless authentication is generally considered more secure than using passwords.
Types of passwordless authentication
Authentication factors are generally divided into three categories:
- Knowledge factors, or something you know: passwords, passphrases, security questions;
- Possession factors, or something you have: certificates, hardware tokens, authentication devices; and
- Inherence factors, or something you are: biometrics, fingerprint, face scans.
Passwordless authentication uses possession or inherence factors to authenticate, instead of knowledge factors.
What are possession factors?
One of the most common and well-tested forms of passwordless authentication is the use of certificates or asymmetric keys. Many other forms of passwordless authentication rely on certificates to function in the background. These use cryptographically matched pairs of keys to sign a request.
Hardware tokens, such as smart cards, secure tokens, near-field communication tokens and Rivest-Shamir-Adleman secure tokens are a human-friendly way to contain a certificate in a hardware device. These hardware devices handle the authentication signing process and keep the secret key protected from being leaked.
Time-based OTPs (TOTPs) are when the server and a device use a shared secret and the current time to generate an OTP that changes. Typically, these change every 60 seconds and are six numbers long. In the past, hardware devices with liquid-crystal display screens would show the OTP. These days apps on a smartphone fill this need -- for example, Google Authenticator or Microsoft Authenticator.
Sent OTPs are when the server sends a one-time-use password to a known contact channel, such as by email or Short Message Service text message. This can be an alphanumeric code that the user types into an authentication prompt or a magic link that the user clicks to authorize the device.
Notifications or prompts are when the server sends a notification or authorization prompt to an already-trusted device. The user can accept the prompt to authorize the other device. Sometimes, the user may need to select the correct numbered prompt.
What are inherence factors?
Biometrics, such as fingerprints, face scans and voiceprints, can be measured and stored to prove that the person is authorized.
Identification documents, such as birth certificates, government IDs or passports, can authenticate a person. These are difficult to verify digitally, though. Some governments have begun issuing IDs with embedded smart cards or radio frequency identification tags.
How does passwordless authentication work?
Passwordless authentication works by proving that users are who they claim to be by demonstrating that they have something unique, such as a phone number or certificate, or that they have the correct physical characteristics. The two most common passwordless authentication methods are one-time-use authentication and certificate-based authentication.
How does one-time-use authentication work?
In a one-time-use authentication scenario, the server issues a challenge that can be accepted only if the user has the authentication factor. An OTP can be sent to a registered phone number or email address to accomplish this. After that, the user enters the OTP into the login box. In the case of a TOTP, the server verifies that the code entered by the user matches the one generated by the server based on the current time. For push notifications, the server sends an alert to a smartphone app that the user must accept.
Passwordless authentication based on certificates is built on asymmetric public/private key pairs. The device generates a key pair and sends the public key to the server during provisioning. The private key is stored in a secure location, such as a Trusted Platform Module, smart card or security token. A passcode or biometric lock may be used to further secure the private key.
During authentication, the server generates a challenge, which is sent to the device. The user unlocks the private key, which is then used to sign the challenge. The server accepts the signed challenge and verifies the signature to authenticate the user. Using this method, no secrets are exchanged between the server and the client.
Some popular certificate-based passwordless authentication systems are the following:
Advantages and disadvantages of passwordless authentication
Passwordless authentication has its advantages and disadvantages.
Advantages of passwordless authentication
Passwordless authentication is considered much more secure than using passwords. There are many well-known attacks against password authentication. This means that they can often be leaked, guessed or reverse-engineered. All of these attacks can also be done remotely without the user's knowledge. Passwordless authentication is resistant to these types of attacks and often alerts the user if something is wrong.
Types of attacks that passwordless authentication is resistant to include the following:
- Brute-force attacks. Passwordless authentication does not rely on human-readable data and is, therefore, much harder to guess.
- Credential stuffing. The secrets in passwordless authentication are not set by a human and can, therefore, not be reused.
- Keyloggers. Well-implemented passwordless authentication does not allow the same code to be used twice, stopping keyloggers from being able to gather useful information.
- Man-in-the-middle (MitM) attacks. Passwordless authentication using asymmetric keys does not send any secrets, preventing MitM attacks and similar replay or pass-the-hash attacks.
Users are less likely to need to reset passwordless authentication. It is common for users to forget or mistype their passwords. Passwordless authentication, on the other hand, relies on things users have or are and, therefore, only rarely needs to be reset -- for example, only if their smartphone is lost or stolen. This can reduce the load on help desks and improve user satisfaction.
Disadvantages of passwordless authentication
Passwordless authentication can be more complex or expensive than using passwords. These systems are still relatively uncommon and may require outside services to function.
Biometric authentication cannot be reset. While it is relatively simple to change a password or certificate, it is impossible to change a person's fingerprint or face if these were to be compromised.
Passwordless authentication usually requires a secure channel during setup. Secrets are often exchanged during the setup process. If these were to be leaked, it could compromise the security of the system. For example, during the setup of TOTPs, the security token needs to be shared. If this were to be leaked, an attacker could create their own TOTP.
OTPs can be intercepted or stolen if users' email accounts are hacked or if their phone numbers are stolen though a Subscriber Identity Module swap attack.