For modern IT or Internet users, logging in to a website or app using a password is all too familiar. Increasingly, however, passwords create security concerns as they can be easily cracked or stolen. This is where passwordless authentication provides a more secure and convenient alternative.
The ‘what you know’ factor
A password is the “what you know” factor in access control. In security and identity management, there are generally three authentication factors – the other two being “what you have” (cards and keyfobs) and “what you are” (biometrics). Signing in to a system or network using a password is something almost all of us deal with on a daily basis.
Password disadvantages
Yet increasingly, passwords are showing their disadvantages and limitations. Passwords can be guessed, cracked or stolen. Meanwhile, given rampant cybersecurity incidents, users are often required by IT to change passwords from time to time and meet certain criteria, for example using at least 12 characters with numbers and special symbols. This may create so-called “password fatigue.”
“Password fatigue is real. Users demand faster, frictionless ways to authenticate without remembering complex strings,” said Edwardcher Monreal, Principal Solutions Architect for IAM Consumer Authentication Solutions at HID.
Going passwordless
This is where users can benefit from passwordless authentication, which is seeing increased adoption. A recent FIDO Alliance survey on enterprise passkey adoption, for example, indicates that 87 percent of businesses have successfully deployed or are deploying passkeys, which leverage the user device’s built-in security features, like biometrics, instead of requiring a password.
According to Monreal, the growth in passwordless authentication is driven by various factors, which are summarized as follows:
- Security and user convenience: Password-related breaches continue to be a top cybersecurity risk, and eliminating passwords removes a major attack surface. Meanwhile, as mentioned above, users are increasingly looking for login methods that don’t require memorizing long, complex word strings;
- Digital transformation: As hybrid work, cloud applications and mobile access become ubiquitous, organizations require more scalable, user-friendly and easier ways to deploy and manage authentication methods, and passwordless authentication provides a means for that;
- Regulatory compliance: Frameworks such as NIST and GDPR encourage strong multi-factor authentication (MFA) practices, which encompass passwordless sign-ins to networks and systems;
- Cost reduction: Password resets are a burden on IT helpdesks, and passwordless authentication can significantly reduce these costs, with the same survey from the FIDO Alliance showing that 77 percent of respondents reported a reduction in help desk calls due to the implementation of passkeys.
“Passwordless authentication is rapidly gaining momentum across various industries as organizations seek to reduce security risks and improve user experience,” Monreal said. “With the rise in cyber threats and compliance requirements, businesses are increasingly adopting passwordless approaches to strengthen digital access control while streamlining user workflows. From enterprises to government agencies, passwordless authentication is moving from a trend to becoming a strategic imperative.”
Implementation
When it comes to implementation, passwordless authentication can be done in several ways. According to Monreal, one of them is using passkeys, which employ cryptographic keys to authenticate. Push authentication is another method where a login approval request is sent to the user’s phone, and the user just taps the "Approve" button to log in. Finally, there is biometric authentication where users are authenticated by their biometric traits such as fingerprint or facial features.
Addressing challenges in passwordless adoption
Despite its increased popularity, passwordless authentication is still subject to certain challenges. Some older applications, for example, aren’t built to support passwordless authentication. Some users, meanwhile, have grown used to password sign-ins and have voiced concerns over lost or changed devices, which may lock them out if fallback authentication methods are not implemented.
Yet Monreal said these challenges are not insurmountable. “Key challenges – like lost device recovery, credential lifecycle management, and PIN resets – will be fully addressed in the future with better systems for enrollment, backup, and recovery. Security keys and passkeys will be easier to manage, even in larger organizations. The consumer space will also embrace passwordless in multiple form factors,” he said.