Authentication is already a modern necessity, and passwordless authentication is fast becoming one. Let's take a moment to review why, in the broadest possible strokes:
Computing and the Internet gave rise to cybercrooks.
Cybercrooks created the need for passwords.
Passwords gave rise to social engineering, phishing, and other attacks.
These attacks created the need for complicated password rules and multi-factor authentication (MFA).
Password rules and MFA gave rise to IT overhead and legitimate user lockouts.
Legitimate user lockouts and IT overhead have driven demand for passwordless authentication.
In short, companies want all of the benefits of strong passwords and multi-factor authentication, but without the:
Purchase and distribution of extra authentication devices
Need for users to remember complex sequences of characters
Need for users to give up control of their devices
Login workflows that interrupt user productivity
Increased support load from complex logins and legitimate user lockouts
Security concerns that come from many common workarounds to these problems
This pie-in-the-sky set of goals has created a building groundswell of desire for "passwordless authentication," which many solution providers now claim to offer.
The problem? Most passwordless authentication technologies actually aren't passwordless at all. Not in any way that solves the problem.
Let's take a look at some of them and see why.
"Passwordless" via PIN
This is perhaps the most common "passwordless" solution on the market right now, and the reason why it's actually not passwordless goes without saying.
A PIN is just a password made up of numbers. Yes, solutions often combine a PIN with device fingerprinting and other background MFA data—but they don't solve the fundamental problem.
Users and IT staff are still asked to manage strings of characters and cope with frustration, user interruptions, and login failures.
"Passwordless" via Hardware Token
With hardware tokens users don't have to remember sequences of characters, but the flow of their work is still interrupted by a login prompt, and by either inserting and tapping their token or manually copying strings of characters from it.
Users also have to keep track of these devices—so they're still something to remember—and the company has to purchase, track, and distribute them, which means continued overhead.
Worse, if they're stolen when being used without a password, all security is gone—possession means full access.
"Passwordless" via Biometric Scan
Biometric scans are more "passwordless" than either PINs or hardware tokens, but user fingerprints and faces can't be changed—so biometric scans can be far more costly for users and companies in the end if user data is breached.
They also still require the purchase and distribution—or at the very least, the control—of user hardware.
And because they add another repeated UX step to the workday, they are once again a site of productivity interruption and a site for the generation of support tickets.
"Passwordless" via Mobile Push
Mobile push as "passwordless" is growing in popularity—and it, too, fails to solve the problems that true passwordless ought to solve.
To make use of mobile push, companies must either purchase expensive mobile phone hardware or demand control of users' personal phone hardware—both a heavy lift.
The temptation to use mobile push without either should be avoided. Without device security, anyone who gets ahold of a phone will be able to authenticate as its owner immediately.
"Passwordless" via Proximity Devices
A few "passwordless" solutions rely on devices of one kind or another being in proximity to the user's workstation.
Like hardware tokens and mobile push, as a "passwordless" technology these solutions can be insecure—because in the absence of a shared secret like a password, anyone with the device in their possession has full access.
And once again, this kind of "passwordless" is still fiddly for users—it involves carrying, keeping track of, and charging devices—along with inevitable support tickets.
Let's Review the Territory
What's clear from this brief survey is that all of the "passwordless" technologies currently popular on the market involve one or more of the following compromises:
Users must still remember a string of characters
Companies must still buy or manage devices
Users must still carry and manage devices
Users are still regularly interrupted for an authentication step
Security is reduced by the absence of a password
In other words, most of today's "passwordless" technologies don't solve the list of problems that led companies to search for passwordless solutions in the first place.
What would a true passwordless solution look like?
A workflow or application is launched
The system silently evaluates the user's identity without devices, PINs, scans, or passwords
A recognized user begins working immediately, no authentication steps required
An unrecognized user is be prevented from working until proof of identity is provided
The system is able to recognize the right users with a very high degree of accuracy
Not only is there no authentication step for any one workflow—there is no authentication step all day. No hard tokens. No soft tokens. No fingerprints. No device dependencies. None of it. Just recognition.
Is It Possible?
Is there a technology that can silently "recognize" authorized users—without PINs or other pseudo-passwords, without having to store information about appearance that represents a liability, without new hardware to make this possible, and without having to trust devices or third parties?
Pie in the sky?
Is a true passwordless solution on the market yet? One that solves each of the problems outlined above? Not that we know of. Unfortunately, true passwordless isn't here yet.
But it's coming soon.