How Secure is Passwordless Authentication?

This guest blog was contributed by Jason Martinez, HYPR.


Passwordless authentication is a prominent topic in security circles. Recently, it’s even brought together tech’s three largest rivals. In May 2022, Microsoft, Google, and Apple jointly announced their support for a universal passwordless authentication system built on Fast Identity Online (FIDO) standards.


The reasons why passwordless authentication has become a necessity are numerous. Primarily, attackers find authentication defenses easier to crack than an organization’s firewalls and hardened perimeter. In addition, passwords and shared secrets are simply too easy to steal, and the statistics are alarming:

So, the need for removing passwords from authentication is clear, but what exactly is passwordless authentication and is it secure?


What is Passwordless Authentication?


Passwordless authentication essentially means no passwords are involved in proving a user’s identity, but how is that applied in practice? Legacy systems that have been in place for most of the existence of computers required only a username and password pair to gain access to a system. This system was and still is virtually everywhere. But, due to the weakness of passwords as a security measure, moves have been made to strengthen authentication through 2-factor authentication (2FA) and multi-factor authentication (MFA).


Multi-factor authentication is a system whereby users must provide two or more factors to prove their identity. Those factors must be something they know (password, PIN), something they have (device, hardware key), or something they are (fingerprint, retina scan). 2FA, on the other hand, generally describes a system that requires a password plus one other factor. Passwordless authentication means the “something you know” factor is eliminated from the authentication process.


How Passwordless Authentication is Implemented


There are a number of methods used to verify a user’s identity using only the “something you have” (possession) and “something you are” (inherence) factors. These include:

  • Hardware Security Tokens: These are small devices or keys which can be inserted directly into a laptop or desktop, or presented through a special reader. Each device contains data that uniquely identifies it as belonging to a specific user.

  • Biometric Identifiers: An attached device that requires a biometric identifier, usually a thumb or fingerprint, to unlock system access.

  • Magic Links: To prove ownership of the email account associated with their identity, the user is sent a link which, when clicked, authenticates them for access.

  • Smartphone Push Notifications: A user’s smartphone is commonly used as a possession factor of identification. The authentication system will send a push notification asking the user whether or not they are attempting a login and want to proceed.

  • SMS or Email One-Time Password (OTP): In this instance, the system sends a code or password to a user’s registered number or email. After the user inputs the OTP, they gain access. These are also commonly time-limited.

  • Public Key Infrastructure (PKI): A PKI is a cryptographic system using a public-private key pair to securely identify a user. In MFA, this would likely see the user leverage a biometric identification process to unlock the signed digital certificate that proves their identity.

Types of Passwordless Authentication: How Secure Are They?


There is no such thing as a 100% secure system, but removing passwords from authentication is certainly more secure than continuing to use them. Beyond that, the level of security of each individual authentication method varies. Here we’ll take a look at the major passwordless methods used in MFA to see where they stand in terms of security.


SMS or Email One-Time Password (OTP)


OTPs are still technically shared secrets and suffer from the same issues as passwords in general: if it can be shared with one person, it can be shared with many. Phishing kits are widely available online, which help a hacker extract the OTP a user receives by running a simultaneous login. Social engineering attacks can also be used to trick users into handing over OTPs.


Verdict: Not Very Secure


Magic Links


The idea of the magic link is that only the user will have access to their email, which is a bold assumption. This simply shifts the burden of secure authentication onto the email provider. If the attacker has access to a victim’s email account, then the magic link system delivers no security at all.


Verdict: Not Very Secure


Smartphone Push Notifications


An attacker would have to be extremely dedicated or lucky to come into possession of your smartphone, so this is a somewhat secure “possession” factor. However, the aforementioned simultaneous login can be used to circumvent it as well, through something as simple as push fatigue, which sees users accept a push notification even when they aren’t attempting a login.


Verdict: Secure


Hardware Tokens


Again, an attacker would have to try very hard to steal a secure hardware token, so in terms of security, they are very robust. The main issue with hardware security tokens is their cost, as deploying and managing a system can be very expensive.


Verdict: Very Secure


Biometric Identifiers


It is very difficult for an attacker to spoof your biometric features. As such, most attackers outside of nation-state actors will not even attempt it, making it among the most secure passwordless authenticators available.


Verdict: Very Secure


Public Key Infrastructure (PKI)


PKI underpins most secure online data communications, with identity being confirmed through “handshakes.” For authentication, each user’s private key is stored encrypted and only ever used at the point of authentication, so it is very difficult for an attacker to steal it and spoof the user’s identity.


Verdict: Very Secure


Conclusion


Overall, any authentication system that uses passwords is going to be less secure than one that doesn’t, so passwordless will always be more secure than the alternative. However, within the sphere of passwordless authentication there are varying levels of security and difficulty posed to attackers. The most secure systems will try to leverage biometric features along with a device, either directly or to further unlock a private key for use in a PKI.

