Why Most “Passwordless” Authentication Solutions Aren’t Actually Passwordless

Passwordless authentication is now a holy grail in identity and access management—but the passwordless solutions on the market today don't actually deliver.

Authentication is already a modern necessity, and passwordless authentication is fast becoming one. Let's take a moment to review why, in the broadest possible strokes:

  • Computing and the Internet gave rise to cybercrooks.

  • Cybercrooks created the need for passwords.

  • Passwords gave rise to social engineering, phishing, and other attacks.

  • These attacks created the need for complicated password rules and multi-factor authentication (MFA).

  • Password rules and MFA gave rise to IT overhead and legitimate user lockouts.

  • Legitimate user lockouts and IT overhead have driven demand for passwordless authentication.

In short, companies want all of the benefits of strong passwords and multi-factor authentication, but without the:

Everyone wants passwordless right now—but what users are getting instead are really just new kinds of passwords and new security compromises. © Plurilock

  • Purchase and distribution of extra authentication devices

  • Need for users to remember complex sequences of characters

  • Need for users to give up control of their devices

  • Login workflows that interrupt user productivity

  • Increased support load from complex logins and legitimate user lockouts

  • Security concerns that come from many common workarounds to these problems

This pie-in-the-sky set of goals has created a building groundswell of desire for "passwordless authentication," which many solution providers now claim to offer.

The problem? Most passwordless authentication technologies actually aren't passwordless at all. Not in any way that solves the problem.

Let's take a look at some of them and see why.

"Passwordless" via PIN

This is perhaps the most common "passwordless" solution on the market right now, and the reason why it's actually not passwordless goes without saying.

A PIN is just a password made up of numbers. Yes, solutions often combine a PIN with device fingerprinting and other background MFA data—but they don't solve the fundamental problem.

Users and IT staff are still asked to manage strings of characters and cope with frustration, user interruptions, and login failures.

"Passwordless" via Hardware Token

With hardware tokens users don't have to remember sequences of characters, but the flow of their work is still interrupted by a login prompt, and by either inserting and tapping their token or manually copying strings of characters from it.

Users also have to keep track of these devices—so they're still something to remember—and the company has to purchase, track, and distribute them, which means continued overhead.

Hardware tokens are now often promoted as parts of “passwordless” solutions. Fair enough as far as it goes—but in user experience, productivity, and support terms, it really doesn’t go very far. © Plurilock

Worse, if they're stolen when being used without a password, all security is gone—possession means full access.

"Passwordless" via Biometric Scan

Biometric scans are more "passwordless" than either PINs or hardware tokens, but user fingerprints and faces can't be changed—so biometric scans can be far more costly for users and companies in the end if user data is breached.

They also still require the purchase and distribution—or at the very least, the control—of user hardware.

And because they add another repeated UX step to the workday, they are once again a site of productivity interruption and a site for the generation of support tickets.

"Passwordless" via Mobile Push

Mobile push as "passwordless" is growing in popularity—and it, too, fails to solve the problems that true passwordless ought to solve.

To make use of mobile push, companies must either purchase expensive mobile phone hardware or demand control of users' personal phone hardware—both a heavy lift.

The temptation to use mobile push without either should be avoided. Without device security, anyone who gets ahold of a phone will be able to authenticate as its owner immediately.

"Passwordless" via Proximity Devices

A few "passwordless" solutions rely on devices of one kind or another being in proximity to the user's workstation.

Like hardware tokens and mobile push, as a "passwordless" technology these solutions can be insecure—because in the absence of a shared secret like a password, anyone with the device in their possession has full access.

And once again, this kind of "passwordless" is still fiddly for users—it involves carrying, keeping track of, and charging devices—along with inevitable support tickets.

Let's Review the Territory

What's clear from this brief survey is that all of the "passwordless" technologies currently popular on the market involve one or more of the following compromises:

  • Users must still remember a string of characters

  • Companies must still buy or manage devices

  • Users must still carry and manage devices

  • Users are still regularly interrupted for an authentication step

  • Security is reduced by the absence of a password

In other words, most of today's "passwordless" technologies don't solve the list of problems that led companies to search for passwordless solutions in the first place.

What would a true passwordless solution look like?

In a truly passwordless work environment—one that reflects the spirit of the term—users would just compute. No passwords, no PINs, no tokens, no devices, and no authentication steps needed. © Dragonimages / Dreamstime

  • A workflow or application is launched

  • The system silently evaluates the user's identity without devices, PINs, scans, or passwords

  • A recognized user begins working immediately, no authentication steps required

  • An unrecognized user is be prevented from working until proof of identity is provided

  • The system is able to recognize the right users with a very high degree of accuracy

Not only is there no authentication step for any one workflow—there is no authentication step all day. No hard tokens. No soft tokens. No fingerprints. No device dependencies. None of it. Just recognition.

Is It Possible?

Is there a technology that can silently "recognize" authorized users—without PINs or other pseudo-passwords, without having to store information about appearance that represents a liability, without new hardware to make this possible, and without having to trust devices or third parties?

Pie in the sky?

No. The technology exists and is already available. It's behavioral biometrics,  and it's what we specialize in at Plurilock.

Is a true passwordless solution on the market yet? One that solves each of the problems outlined above? Not that we know of. Unfortunately, true passwordless isn't here yet.

But it's coming soon.

And if you're interested in true passwordless at the earliest opportunity, you should talk to us  today—because we really do mean soon. ■

Stay informed. Join our low-volume mailing list for Plurilock and cybersecurity news and updates.

PLURILOCK IS THE LEADER IN ADVANCED AUTHENTICATION

Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.

Follow

        

Contact Plurilock

Have a question or comment? 

Plurilock Lead Capture Block

Welcome to Plurilock!

We’d love to hear about your interest in our products.

Great!

Okay, cool.

We'd like to provide you with more info. How can we reach you?

Enter your email above to agree to receive commercial electronic communication from Plurilock via email.

Thanks!

Someone from Plurilock will get in touch with you soon.
 
In the meantime, learn more about our ADAPT and DEFEND products—and be sure to check out our Blog for in-depth cybersecurity coverage.