Passwordless vs. MFA: What's the Difference?
Michael Rothschild, VP of Product Marketing, HYPR
6 Min. Read | July 21, 2022
Enterprise cybersecurity is under assault from unprecedented threats, exacerbated by the expanded attack surfaces brought about by remote work. For example, research from HP shows there was a 238% increase in cyberattack volume over the pandemic, with those numbers continuing to rise today.
A survey by the Ponemon Institute of IT and infosec leaders found credential theft (56%) and phishing (48%) to be the most common attack types experienced and Microsoft’s Defense Report stated they’d found phishing attacks alone to be responsible for 70% of data breaches. The current situation makes clear the need for a more robust security posture, especially around authentication defense.
This has brought various authentication terms, some new, some more familiar, into the security conversation, such as multi-factor authentication (MFA), passwordless authentication and phishing-resistant MFA. To implement best practices and reduce risk, decision-makers need to cut through the jargon to find the system that will give them the best protection and ROI. In this blog, we’ll break down the passwordless vs. MFA discussion.
Passwordless vs. MFA: Definitions
There are many different terms around IAM and authentication protocols, but what do they mean, and specifically, what are the differences between passwordless vs. MFA when it comes to secure authentication? We’ll start by defining the two terms.
Multi-Factor Authentication (MFA)
MFA requires a user to provide two or more independent verification factors. These factors can be something you know (e.g., password, PIN, pattern), something you are (e.g., retina scan, face recognition, fingerprint), or something you have (e.g., smart device, security key).
Passwords are the most vulnerable aspect of authentication and are both the favorite target of attackers and the biggest vector of attack. Introducing multiple independent factors makes it more difficult for an attacker to gain system access or achieve account takeover (ATO).
As the name suggests, passwordless authentication verifies a user’s identity without any use of passwords or knowledge-based factors. There can be single-factor passwordless authentication (e.g. a YubiKey) and passwordless MFA (e.g. a solution such as HYPR).
However, the term “passwordless” becomes murky as some methods seem to remove passwords but actually still use them in some form during the authentication process. For example, some passwordless authentication processes may ask a user for a fingerprint to verify a “something you own” factor but then forward an activated password for the act of authentication on the backend.
Magic links are another example. Rather than a password, they authenticate using a token embedded in a URL sent by email or SMS. While this is not a knowledge-based factor, it is a shared secret that operates in the same way a password does, and any shared secret can be “shared” with attackers.
This means that there also needs to be a further differentiation between fully passwordless solutions that completely remove shared secrets from the process and those that simply hide them from the user’s experience. Fully passwordless systems that do not use a shared secret at any point in the authentication process are often termed phishing-resistant MFA.
Passwordless vs. MFA: What’s the Difference?
The vast majority of MFA still relies on passwords as a factor, although the biggest tech companies in the world and the federal government have called for the elimination of passwords from all authentication.
As MFA deployment, in general, remains well below the levels it should be, many organizations are still in the discovery phase of their transition. However, that can also be a positive, as it’s an opportunity to implement passwordless MFA from the outset. To decide if this is the right course for your business, it’s critical to understand the differences between passwordless vs. MFA in four key areas.
Not all MFA is passwordless, and not all passwordless authentication is MFA. A phishing-resistant passwordless MFA solution adheres to guidelines from the National Institute of Standards and Technology (NIST) and Cybersecurity Infrastructure and Security Agency (CISA). Identity is verified using an inherent biological feature (something you are) combined with private cryptographic keys (something you have). The authentication process itself uses public key cryptography so that there is no secret credential to intercept and no database of stored credentials that can be leaked or hacked.
MFA ranges from easy to crack (SMS OTPs) to extremely difficult (FIDO token backed by biometric identifier). While more secure than just a password, how much more depends both on the verification factors used and the authentication process itself. Traditional MFA often uses a one-time password (OTP) sent to a device as the “something you have” factor. While convenient, OTPs are, in the end, passwords and attackers can easily circumvent them using phishing kits and other techniques. As mentioned above, The backend authentication method also significantly affects MFA security; if there are no secrets being shared, then there is nothing to steal.
One of the biggest stumbling blocks for the roll-out of MFA is the fear of a poor user experience. As MFA can require the input of a wide variety of factors, some can be more onerous during sign-in than others. Passwords have always been, and remain, one of the most frustrating things about user authentication. Throwing an additional authentication action on top of this only increases this, and can lead to a significant impact on productivity. Moreover, users often forget or are forced to rotate passwords, leading users to share passwords or create documents to track all their passwords, creating security risks.
MFA deployments vary in complexity depending both on your environment and the solution itself. This is less a passwordless vs. MFA issue and more about choosing a solution that offers flexibility and can scale with your company. Be careful of locking in your MFA process to a specific IdP or SSO vendor or you will end up with multiple authentication protocols to deploy and manage, multiple authenticator apps for your users, which could lead to resistance on all fronts.
Increased security threats around authentication, such as phishing and push attacks, mean that enterprise cybersecurity needs more robust systems. Phishing-resistant multi-factor authentication is the answer, but this excludes the majority of MFA approaches. This makes it critical for decision-makers to understand the differences between passwordless vs. MFA that utilizes passwords and other phishable factors.
To learn more about passwordless authentication, download the Passwordless Security 101 guide.
HYPR’s True Passwordless™ MFA solution eliminates the trade-off between security and user experience with phishing-resistant MFA built with the user in mind. Our seamless desktop-to-cloud authentication flow lets users turn their device into a FIDO token that leverages public key cryptography to ensure secure authentication.
To find out how HYPR can help secure your users and network, request a personalized demo.