Password-less Authentication

Joseph A. M.
4 min read · Oct 29, 2023

What it is, how it works and what it solves…

TL;DR:

Most of you have already been using it, for years.

It removes the need for you to constantly remember passwords, PINs and passphrases to log in to certain apps.

Authentication is not going away, ever. But the dominating forms will change.

It’s really for convenience of end users.

If you have no idea what I mean by “Password-less” when speaking about authentication, that’s perfectly fine. It’s a not-so-new concept that’s really getting a lot of love from players like Microsoft, Google et al. In this short post I will go over what it is and how it works, and hopefully make it make sense when your IT team inevitably starts using the word “passwordless” around you.

What is “Password-Less Authentication”?

To answer that, we first need to speak about what passwords and authentication are. Authentication is a method for proving your identity or confirming your right to access some sensitive information or system. Passwords are merely one method of authentication; specifically, they are a knowledge-based authentication method. Authentication can come in multiple types (factors):

  1. Knowledge: Something the user knows (password, partial password, passphrase, a PIN).
  2. Ownership: Something the user has (ID card, security token, cell phone with a built-in hardware token, software token).
  3. Inherence: Something the user is or does (face scan, voice recognition, fingerprint).

Now that we have covered that lightly, we can try to start making sense of the passwordless push in tech. In a nutshell, the passwordless push eliminates the need for an end user to constantly enter their previously required form of knowledge-based authentication (passwords, PINs, passphrases, etc.), and in its place puts either an ownership-based or an inherence-based form of authentication.

How is it going to work?

Well, there are going to be many ways to deploy passwordless authentication. Each service/company that deploys it will probably use different methods. But in this post I am only trying to clear the air on what it is for y’all. The funny thing is, many of you, on certain platforms, are already using a passwordless authentication structure. If you have an iPhone and use the face scanner, or have used the fingerprint scanner on other devices, then you’re a passwordless vet already and this shouldn’t be too foreign to you. Seriously, if you’ve ever been sent:

  • An email login link
  • An SMS login link
  • A login notification

… then you are someone who is already taking advantage of this authentication method. If you ever hear the term “Passkey” get thrown around, that’s basically the same thing.

Each service that is compliant with the FIDO2 standard will then offer some options on which authentication type it will replace passwords with. It uses cryptography under the hood to secure and confirm the exchange, so your data is safe, provided the platform is trustworthy and has good security. But we won’t dive too deep into those concepts in this post.

What is this supposed to solve?

Well, that would depend on who you ask. Your IT team is going to love it because it’s going to lift the constant “Password Reset” tickets off the helpdesk. End users are going to enjoy the convenience of not having to type in long and/or complex passwords. Just authenticate using a magic email link and wham, you’re in. The constant struggle in online security is trying to strike a balance between security and convenience. If a system is too secure and complex, then you run into a few problems:

  1. People will not want to use it.
  2. People will think of ways to circumvent using it.

This is a constant battle in information security/cybersecurity. In certain situations, passwordless methods make plenty of sense. Instead of using a password to log into your machine every time, you could use a form of biometrics. Instead of logging into your company portal using yet another password, you could use your main 2FA app (Google Authenticator, Microsoft Authenticator, etc.). Passkeys are typically tied to a device, like your mobile phone or tablet, so when you want to authenticate, the key lives on that device and the confirmation happens behind the scenes using asymmetric cryptography, granting you access to whatever service/platform you want to enter. It is also said that, because of this, phishing attacks can be mitigated. Also, even in the event that your login data did get into the hands of a bad actor, unless they have the device, they essentially have nothing*.

CAUTION:

Nothing is foolproof. I won’t get into the potential pitfalls of this system in this post; this was merely a post to explain, in brief, what this new passwordless push is about.

In conclusion, this push, which you will see more of in the upcoming months/years, is not something that is alien to most folks; you just didn’t have a name for it yet. It’s going to make signing in to your daily driver platforms in enterprise environments a lot more streamlined, hopefully letting you get access quickly and hassle-free. A small change that can potentially have massive impact. If you would like to learn more, please do not hesitate to reach out to me on LinkedIn.
