March 21, 2022

Passwords - A Nightmare

Being online is an essential part of life today, and people use a variety of applications to get their work done. The majority of applications maintain user accounts and authenticate users when they visit, and most of them do so with a username and password. Overwhelmed by password sprawl, many users set weak passwords, reuse them on multiple sites and even share them with others.


More Passwords, More Risks.

We use weak passwords and we reuse them, or we write them down or store them in equally insecure ways. These practices leave our data exposed, so it is no surprise that attackers go after passwords.

81% of breaches result from weak or stolen credentials

Bad actors take advantage of such practices and launch attacks to steal confidential data. Compromised account credentials are the leading cause of data breaches. It is a no-brainer that passwords are a real pain both for the people who use them and for those who manage them.

Passwordless Authentication

Passwordless authentication is exactly what it sounds like: a way to establish a user's identity without the use of passwords or any other knowledge-based secret.

Identity can be established using one or more factors: "something you know", "something you are" and "something you have". A passwordless mechanism takes "something you know", i.e. knowledge-based secrets, out of the equation and relies on the other factors.

Passwordless authentication has been around for quite some time, but it was popularized in the 2000s when SSO and MFA became standardized.

Risk Reduction and Enhanced User Experience

Passwords are risky and add friction to the user's journey. A passwordless mechanism strengthens security by reducing the attack surface and improves the user experience, since there is no friction and no password to remember: no password reuse, no resets and no security-question answers to memorize. There are many popular passwordless authentication methods:

  1. One-time password (OTP) via SMS/email/push: A very popular method that sends a one-time code, usually a string of digits, to the user's email address or phone number. The user enters the OTP on the screen and gets access to the application. It is used by many financial institutions and is popular in Asian countries.
  2. Magic link: A widely used method that sends a link containing the challenge to the user's email address or phone number. The user approves by clicking the link and gets access to the application. Slack is probably the best-known user of magic links.
  3. WebAuthn: Short for Web Authentication, it promises to fix passwords on the web with a strong, simple and unphishable standard for authentication. WebAuthn was developed by the FIDO Alliance (Fast IDentity Online) and is now a World Wide Web Consortium (W3C) standard. It uses public-key cryptography to create a key pair for a specific user, scoped to the web origin that registered it, which is what makes it resistant to phishing. At its heart, WebAuthn is a credential management API built into modern web browsers that lets web applications authenticate users strongly.
  4. HOTP and TOTP: HOTP is the HMAC-based One-Time Password (RFC 4226), a code derived from a shared secret and a counter that advances with each use; TOTP is the Time-based One-Time Password (RFC 6238), which replaces the counter with the current time step, as used by authenticator apps.
  5. USB token device: Users can also be authenticated with a USB token device that holds a cryptographic key uniquely identifying the device holder.
  6. Biometrics: Users can be authenticated with the biometric sensors on mobile devices or laptops.

Passwordless authentication is on the rise for both consumer and enterprise applications. In enterprises it is typically used in conjunction with single sign-on, where an employee authenticates once and gets access to multiple applications. Passwordless authentication is also used as part of multi-factor authentication, where users are challenged multiple times using different factors. For example, a user might be required to provide biometrics and enter an SMS OTP in a mobile application before making a high-value transaction.
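The SMS OTP and magic link methods above, and the step-up challenge in this paragraph, all rely on a server-issued secret (a numeric code or a link token) that must be verified once, within a time limit, by the user it was issued to. The following Python sketch is an added example, not part of the original post or of SecQure's product, of that challenge lifecycle: the secret is drawn from a CSPRNG, only a keyed hash of it is stored, and verification enforces expiry, an attempt limit, user binding, single use and constant-time comparison. The TTLs, the attempt limit, the `ChallengeStore` class, the in-memory dictionary standing in for a database and the `magic_link` URL layout are all assumptions; delivery by SMS or email is out of scope.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumed: a code delivered by SMS/email is valid for 5 minutes
LINK_TTL_SECONDS = 900     # assumed: a magic link is valid for 15 minutes
MAX_ATTEMPTS = 5           # assumed: a 6-digit code is guessable, so cap wrong guesses per challenge


@dataclass
class Challenge:
    user_id: str
    kind: str                # "otp" or "link"
    secret_hash: bytes       # only the keyed hash is stored; the secret itself goes to the user
    expires_at: float
    attempts: int = 0
    used: bool = False


class ChallengeStore:
    """Issues and verifies one-time challenges. `clock` is injectable so expiry can be tested."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key           # HMAC key kept out of the database, so a dumped table is useless alone
        self._clock = clock
        self._by_id: Dict[str, Challenge] = {}

    def _digest(self, secret: str) -> bytes:
        return hmac.new(self._key, secret.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, kind: str) -> Tuple[str, str]:
        """Create a challenge. Returns (challenge_id, secret); only the secret is sent to the user."""
        if kind == "otp":
            secret = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
            ttl = OTP_TTL_SECONDS
        elif kind == "link":
            secret = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable, so no attempt cap needed
            ttl = LINK_TTL_SECONDS
        else:
            raise ValueError("unknown challenge kind")
        challenge_id = secrets.token_urlsafe(16)
        self._by_id[challenge_id] = Challenge(user_id, kind, self._digest(secret), self._clock() + ttl)
        return challenge_id, secret

    def verify(self, challenge_id: str, user_id: str, presented: str) -> bool:
        """All failure paths return False without revealing which check failed."""
        ch = self._by_id.get(challenge_id)
        if ch is None or ch.used or ch.user_id != user_id:
            return False
        if self._clock() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1                          # counted before comparing, so a lockout cannot be dodged
        if not hmac.compare_digest(self._digest(presented), ch.secret_hash):
            return False
        ch.used = True                            # single use: a replayed link or code is rejected from now on
        return True


def magic_link(base_url: str, challenge_id: str, secret: str) -> str:
    """Assumed URL layout for the link sent to the user; the server looks up `cid` and verifies `t`."""
    return f"{base_url}?cid={challenge_id}&t={secret}"


if __name__ == "__main__":
    store = ChallengeStore(secrets.token_bytes(32))
    cid, code = store.issue("alice", "otp")
    print("send by SMS (constructed demo):", code)
    print("verified:", store.verify(cid, "alice", code), "replay:", store.verify(cid, "alice", code))
```

Keeping the server key separate from the table of challenges means that a database leak does not hand an attacker usable codes, and binding each challenge to a user id stops a code issued to one account from being redeemed on another.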


Why Passwordless Makes Sense

Password flows are a thing of the past and are ripe for disruption.

Enhanced user experience: Makes the user's journey seamless and frictionless, reduces frustration and increases productivity.

Strengthens security: The attack surface shrinks once password management is eliminated. No more password phishing, brute-force attacks, password theft or reuse.

Simplifies IT operations: Reduces the administrative burden of password-related helpdesk tickets and password resets.


Passwordless is the future of authentication, offering better security and a great user experience at the same time. There are multiple ways to go passwordless and they are still evolving; the appropriate method should be chosen with your users and use cases in mind, balancing user experience against security.

SecQure is a passwordless SaaS platform. We provide secure, plug-and-play SDKs and APIs, supporting all programming languages, that authenticate users without the pain of passwords and to the highest standard of security. SecQure can be integrated with any platform and technology within minutes.