Is passwordless the future of authentication and authorization?


The use of passwords is almost coming to an end. Password-less authentication has become the new norm as organizations seek secure ways of accessing their systems.

According to a study done in 2019, Gartner estimated that 60% of large global organizations and 90% of mid-sized businesses will implement some form of password-less authentication by 2022. It's 2022 already, and we know studies are just studies. In this post, however, we will cover the different forms of authentication in general, what password-less authentication is, the different types of password-less technologies, their benefits, their cons, etc.

What are the different forms of authentication?

Before I dive more into passwordless authentication, let's first review the most common types of authentication.

● Single-Factor Authentication

It is the most basic and least secure method. It requires only a username and a simple password.

● Two-Factor or Multi-Factor Authentication (MFA)

This is the advanced version of single-factor authentication. It requires the user to provide a username and password plus an additional input, such as voice recognition, a fingerprint, or a Captcha test.

● Single Sign-On (SSO)

This authentication method lets the user log in to multiple systems or websites with a single set of login credentials. It saves the time and energy of logging in to different platforms repetitively.

● Certificate-Based Authentication

The certificate-based scheme uses digital certificates to identify people and devices. Users present their digital certificates to prove their identity to the servers. The systems keep user certificates so that no third party can use them.

What is passwordless authentication?

Passwordless authentication is a technique that allows users to access systems without providing passwords. Instead, it uses other forms to identify the real users, such as biometric features through a registered token.

For instance, a system could capture the user's face, fingerprints, voice, and other unique, distinctive features and keep that information in a database. When anyone tries to log in, the system compares the user's biometrics with the ones stored in the database. If they match, the user gains access; if they don't, access is denied.

The first version of passwordless authentication was introduced in 1980 in the form of One-Time Passwords (OTP). In the 1990s, the concept was advanced to Single Sign-On (SSO). Passwordless continued to advance, and the financial sector quickly embraced it due to the nature of the confidential information it handles.

Passwordless authentication has been in discussions for a while now; it was in fact popularized back in 2004 when Bill Gates advocated stopping or reducing the use of passwords.

While it's still evolving, many businesses have adopted passwordless technology because it's safer when compared to user passwords.

Different passwordless authentication methods

Common types of passwordless authentication include:

Biometrics

Biometrics is a type of authentication that relies on a person's unique biological features. Biometric solutions capture and store a person's physical traits, making it hard for a third party to get into the systems.

The use of biometrics is effective because the possibility of two people having the same physical features is very low. Examples of companies (mostly startups) that offer biometric passwordless authentication as a service include passageID, Procyon and Stytch, to name a few.

Magic Links

A magic link is a one-time authentication method that involves sending the user a link for authentication purposes. Here's how the magic link works:

● The user enters their username on the site they would like to sign in to

● The user receives a magic link by email

● The user clicks the link in their mail to complete the sign-in process

A few companies that offer magic links as a service include MojoAuth and Auth0.

One Time Codes and Passwords

A one-time code or password works like a magic link, except that a password or code is sent to the user's email instead of a link. The user then enters the password or code sent to them to complete the sign-in. OneLogin is a good example of a company that provides one-time code and password services. Some of the providers in the previous bullets also offer this capability.
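The server-side logic behind both the magic-link flow above and the one-time code flow is the same: mint a random, short-lived, single-use token, store only its hash, and bind it to the account that requested it. The following is an added example written for this post in Go (not code from any of the providers named); the in-memory store, the injectable clock and the sample user are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"time"
)

type entry struct {
	user    string
	expires time.Time
}

// tokenStore keeps only the SHA-256 digest of each outstanding token, so a leaked
// store does not hand out usable links. now is injectable so tests can move time.
type tokenStore struct {
	entries map[[32]byte]entry
	now     func() time.Time
}

func newTokenStore(now func() time.Time) *tokenStore {
	return &tokenStore{entries: map[[32]byte]entry{}, now: now}
}

// issue mints a 256-bit random token bound to user. The caller puts it in the emailed
// link (or sends it as the one-time code); only its digest is kept server-side.
func (s *tokenStore) issue(user string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.entries[sha256.Sum256([]byte(tok))] = entry{user: user, expires: s.now().Add(ttl)}
	return tok, nil
}

// redeem accepts a token once: it must be known, unexpired and bound to the user who
// is signing in. The entry is deleted before the checks, so nothing can be retried.
func (s *tokenStore) redeem(user, tok string) (string, bool) {
	key := sha256.Sum256([]byte(tok))
	e, ok := s.entries[key]
	if !ok {
		return "", false
	}
	delete(s.entries, key)
	if s.now().After(e.expires) || subtle.ConstantTimeCompare([]byte(e.user), []byte(user)) != 1 {
		return "", false
	}
	return e.user, true
}
```

The same store serves a six-digit emailed code if the caller shortens the token, with the caveat that a short code needs attempt rate limiting, which the long random token does not.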

Push Notification

With push notification, the user receives a notification that someone is trying to log in to their system. The user is required to tap the push notification to complete the sign-in process.

Some examples of push notification services include Firebase Cloud Messaging, OneSignal and PushEngage.

Public And Private Key-Based Authentication

Public and private keys are used to open encrypted messages. Every public key corresponds to exactly one private key: if you encrypt a message using a person's public key, they can only open it using the matching private key.

This authentication method is highly effective because no one can open an encrypted message without the matching private key. A few options for public and private key authentication include Git Bash, Bitvise and PuTTY.
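In practice a key-based login does not decrypt a message at all: the server sends a fresh random challenge and the user's device signs it, so the private key never leaves the device and a captured signature is useless later. The following is an added example written for this post in Go using Ed25519 (not the protocol of the tools named above); the in-memory server and the user names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// server holds the public key registered for each user and the one challenge it has
// outstanding for them; the private key never leaves the user's device.
type server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func newServer() *server {
	return &server{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// register stores a user's public key; this is the enrolment step.
func (s *server) register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// challenge issues a fresh 32-byte nonce for the user to sign. A new nonce on every
// attempt is what stops a captured signature from being replayed later.
func (s *server) challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// verify checks the signature over the outstanding challenge and consumes it, so
// each nonce can be answered at most once, right or wrong.
func (s *server) verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

// clientSign is the user-side step: sign the server's nonce with the private key.
func clientSign(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }
```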

Pros and cons of passwordless authentication

Pros

● Better user experience - passwordless authentication provides a seamless user experience because users don't have to worry about forgetting passwords.

● Improved security - passwords are prone to hacking when they are weak or shared with many people. Passwordless authentication improves security, minimizing the chances of hacking.

● Improved work productivity - with passwordless authentication, workers don't have to waste time setting and resetting passwords. The authentication takes a short time, so they can concentrate on other productive work duties.

● Reduced administration costs - forgotten passwords carry significant overheads in your business. Passwordless authentication can help you save such costs.

Cons

● Hard to troubleshoot - passwordless authentication might be hard to troubleshoot when you lose your device and want your account back. An organization needs an experienced IT team for troubleshooting when such an unfortunate event happens.

● Initial investment - passwordless authentication is economical in the long run but requires initial deployment costs, which might be high.

Future of passwordless authentication

Password-less authentication is becoming more popular, and organizations and individuals continue to embrace it.

Statista says the passwordless market will rise to $53 billion by 2030 from $12.8 billion in 2021. Besides, big organizations like Microsoft have fully embraced this technology, with nearly 90% of their staff using passwordless authentication.

While it has its few flaws, passwordless authentication is highly effective in reducing hacking cases. Some people are still hesitant to adopt it, but it will most likely continue becoming more popular with time.

And, it might get better and better, making it a great security option for both small and big businesses.

Are we ready for passwordless authentication?

According to a study by LastPass, 92% of the businesses they surveyed believe that passwordless is the future of authentication. Even though passwords are not completely going away, it's evident that many businesses now consider going passwordless.

One good thing about passwordless is that it comes in many forms as outlined in this post, so organizations have the option of choosing the best method that fits them. Nevertheless, passwords complement passwordless authentication, so it might not be possible to get rid of passwords at this point completely.

The world is moving towards password-less. Recently, tech giants like Apple, Google and Microsoft announced plans to implement capabilities that will allow users to sign in to websites and applications without a password. There are also a lot of startups addressing the passwordless space, and in my opinion it is starting to get a bit crowded. We don't know yet who the winners are going to be. I think the state of passwordless is probably where the state of SSO, MFA and authorization was in their initial days, but the opportunity is huge.

Anusha Ambukunhi

Senior Transformation Lead TOM - ONE LEDGER

2 years

Nice read Subbu Rama

Chris Gebhardt

CISO. Practical. Reasonable. Creative. Concise. Experience with FedRAMP, CMMC, ISO, SOC, NIST, and many more. Former LE SWAT Team Leader.

2 years

The only ones talking about passwordless authentication are vendors hawking their products. Hmmmmm, I wonder why?
