Is Passwordless Authentication Secure?

Pen Chris Collier, Technology Advocate for Identity and Access Management, HYPR

Clock 6 Min. Read | February 25, 2022

Despite increases in cybersecurity spending, stricter regulations, and awareness education and training, cyberattacks continue their upward trajectory. In 2021 alone, there was a 125% increase in incident volume year-over-year. Password credential attacks represented the most successful method for gaining unauthorized access. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches involve compromised credentials. 

Passwords are also frustrating, especially when attempting to comply with well-intended, but complicated, password policies that require ever-more complexity and frequency of password changes. While this produces a marginal increase in security, it causes passwords to become even more difficult to remember and type — it’s hardly surprising that 65% of people reuse passwords across accounts. Newer authentication technologies that remove passwords from the process promise to solve these challenges but is passwordless authentication secure? 

In order to answer this question fully, we review some terminology and background.

What is Passwordless Authentication?

This seems like a straightforward question, but as with so many topics, the answer depends on who you ask. At its most basic, passwordless authentication is the elimination of passwords from the authentication process. Note the emphasis is on the authentication process, not the login method. There is a significant difference between completely removing the password from the end-to-end login process versus simply automating the process for the sake of convenience; for example, by forwarding credentials from a vault (known as “password store and forward”). While the user experience may appear to be a biometric login method, the backend application is still validating a password.

What is Passwordless Multi-Factor Authentication?

To complicate things further, not all passwordless authentication is multi-factor. Multi-factor authentication (MFA) reduces risk  by requiring users to provide at least two independent authentication factors. Something you know (e.g. password, pattern, security question), something you hold (e.g. cryptographic token, OTP code, out-of-band device), something you are (e.g. fingerprint, facial recognition). MFA prevents attackers from gaining access to a secure system by denying access despite successfully compromising a single credential or authentication factor.

Passwordless authenticators, such as hardware security keys, may require single or multi-factor authentication methods. Depending on the specific protocol, smart keys may require only the presence of the key in a USB slot and a user to touch the key. Therefore smart keys are commonly combined with a password to enforce multi-factor authentication. By requiring a smart key along with a password, the resulting process is no longer passwordless. Therefore, to answer “is passwordless authentication secure” you need to know if the solution in question is single or multi-factor and which authentication methods it uses.

To achieve truly passwordless MFA, the login process must include two or more authentication methods, and it must completely eliminate any dependency on shared secrets.

Benefits of Passwordless Authentication

Done right, implementing passwordless authentication is not disruptive, it is not traumatic to users and it will significantly improve your overall security posture by eliminating the attack vectors associated with shared secrets.

Reducing Attackable Surface

Password-dependent authentication methods expose the entire organization to risk that extends far beyond individual user data. It is commonly accepted that passwords are easily exploitable by attackers, and that people reuse passwords across accounts. As a result, credentials are the primary target of many cyberattacks. These include phishing attacks, key logging and other malware, and social engineering attacks. Removing passwords altogether reduces the overall value to hackers of targeting your employees and customers.

Simplified Login

Removing passwords inherently increases the overall productivity of users, so that they are able to focus on contributing to your core business directives. Staff being required to change passwords regularly, frustration with multi-step login procedures, and admins spending time on monitoring password hygiene and frequent password resets has a cumulative impact on productivity.  Recent research found that nearly half of IT and security experts named poor user experience as an obstacle to deploying MFA in their organization. Moving to passwordless authentication eliminates these issues.

Mitigating Risk from Data Breaches

One of the most damaging consequences of a data breach comes from attackers gaining access to internal lists of passwords that can then be used in future attacks. Even if an organization uses security protocols such as salting or hashing, modern processing power means that most obfuscated credentials can be cracked easily. Besides the immediate security implications, breaches can lead to long-term loss of trust and confidence in your business.

Protecting Remote Workers

The large-scale move to work from home over the past two years now appears here to stay. This has created major security challenges for organizations, with employees logging into corporate resources from insecure home networks, using unsecured devices and installing unvetted apps. Moreover, remote desk protocol (RDP) attacks are at an all time high. Full-featured passwordless authentication solutions let remote workers securely log in to applications, desktops, VPNs, gateways and other remote access points.

Insecure Passwordless Authentication Methods

We’ve said it before but it bears repeating — not all passwordless authentication is created equal. The biggest determination in the security of a passwordless authentication solution rests on the verifying factors it uses and its back end processes. 

Not Truly Passwordless

Many passwordless authentication solutions call themselves such but are just concealed passwords dressed up and combined with added steps. Removing the inherent weakness of passwords should mean doing exactly that: getting rid of a shared knowledge factor that a user has to remember and is stored, in some form, on a server or in the cloud to be verified. This misleading nomenclature causes resistance and hesitation that impedes the adoption of  true passwordless authentication technology and the security improvements that it delivers.

One-Time Passwords (OTPs)

One-time passwords are the codes sent by email or SMS to confirm that the user is in control of the device linked to their account. While intended to fulfill the “something the user owns” factor of MFA, the result is still the use of a password, which cyberattackers, unfortunately, have been very quick and effective at exploiting. SIM-swapping, man-in-the-middle and social engineering attacks have proven highly successful at stealing these OTPs and continuing account compromise efforts. In fact, automated hacking  kits designed to bypass these factors are readily available on the black market. There are also many authenticator apps available to generate OTPs on mobile devices. These mechanisms often depend on a shared secret (seed).

So Is Passwordless Authentication Secure?

While any MFA or passwordless authentication is an improvement over using basic password login, if it relies on shared secrets that hackers can steal, you still face considerable risk. The strongest, lowest-friction passwordless authentication is based on FIDO (Fast IDentity Online) guidelines. FIDO is a set of security and interoperability standards that leverages public key cryptography and robust identity verifiers to ensure security and broad-based usability.

FIDO2 supports biometric as well as other phishing-resistant verifiers, securely authenticating individuals without passwords. It’s considered the gold standard for authentication by the U.S government’s Cybersecurity and Infrastructure Security Agency (CISA) as well as the OMB.

HYPR Secure Passwordless Authentication

HYPR’s True Passwordless™ MFA technology utilizes the biometric mechanisms and secure hardware elements on a user’s smart device, along with rigorous cryptographic protocols, to turn an ordinary smartphone into a secure FIDO authenticator.

HYPR reduces your attack surface while delivering a seamless, zero-friction authentication flow, from desktop to the cloud, including remote access points. It offers a secure offline access mode using device-stored PINs, where there is no shared secret residing on a server or in the cloud that can be exploited.

Learn more about HYPR here or get a demo to see for yourself.

New call-to-action

Chris Collier

Technology Advocate for Identity and Access Management, HYPR

Related Content

Best Practices for Authentication Security in Manufacturing

Historically, critical manufacturing systems and data generally existed in isolated networks and...

Seven Password Security Best Practices

Widely recognized as one of the weakest links in any security posture, passwords continue to be the...

Celebrate World Password Day by Eliminating Passwords

Intel created World Password Day — the first Thursday of May — in 2013 to improve awareness for the...