Passwordless authentication is an

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...

method in which a user can log in to a computer system without the entering (and having to remember) a

password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...

or any other knowledge-based

secret Secrecy is the practice of hiding information from certain individuals or groups who do not have the "need to know", perhaps while sharing it with other individuals. That which is kept hidden is known as the secret. Secrecy is often controvers ...

. In most common implementations users are asked to enter their public identifier (username, phone number, email address etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token. Passwordless authentication methods typically rely on

Public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

infrastructure where the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device ( PC,

smartphone A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...

or an external

security token A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens inc ...

) and can only be accessed by providing a

biometric signature Biometrics are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used to identify i ...

or another authentication factor which isn't knowledge-based. These factors classically fall into two categories: * Ownership factors (“Something the user has”) such as a

cellular phone A mobile phone, cellular phone, cell phone, cellphone, handphone, hand phone or pocket phone, sometimes shortened to simply mobile, cell, or just phone, is a portable telephone that can make and receive calls over a radio frequency link while ...

, OTP token, Smart card or a hardware token. * Inherence factors (“Something the user is”) like

fingerprint A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfac ...

retinal scan A retinal scan is a biometric technique that uses unique patterns on a person's retina blood vessels. It is not to be confused with other ocular-based technologies: iris recognition, commonly called an "iris scan", and eye vein verification that ...

face The face is the front of an animal's head that features the eyes, nose and mouth, and through which animals express many of their emotions. The face is crucial for human identity, and damage such as scarring or developmental deformities may aff ...

or voice recognition and other biometric identifiers. Some designs might also accept a combination of other factors such as

geo-location In geography, location or place are used to denote a region (point, line, or area) on Earth's surface or elsewhere. The term ''location'' generally implies a higher degree of certainty than ''place'', the latter often indicating an entity with an ...

network address A network address is an identifier for a node or host on a telecommunications network. Network addresses are designed to be unique identifiers across the network, although some networks allow for local, private addresses, or locally administer ...

, behavioral patterns and gestures, as long as no memorized passwords are involved. Passwordless authentication is sometimes confused with Multi-factor Authentication (MFA), since both use a wide variety of authentication factors, but while MFA is often used as an added layer of security on top of password-based authentication, passwordless authentication doesn't require a memorized secret and usually uses just one highly secure factor to authenticate identity, making it faster and simpler for users. "Passwordless MFA" is the term used when both approaches are employed and the authentication flow is both passwordless and uses multiple factors, providing the highest security level when implemented correctly.

History

The notion that passwords should become obsolete has been circling in computer science since at least 2004.

Bill Gates William Henry Gates III (born October 28, 1955) is an American business magnate and philanthropist. He is a co-founder of Microsoft, along with his late childhood friend Paul Allen. During his career at Microsoft, Gates held the positions ...

, speaking at the 2004

RSA Conference The RSA Conference is a series of IT security conferences. Approximately 45,000 people attend one of the conferences each year. It was founded in 1991 as a small cryptography conference. RSA conferences take place in the United States, Europe, Asia ...

predicted the demise of passwords saying "they just don't meet the challenge for anything you really want to secure." In 2011 IBM predicted that, within five years, "You will never need a password again." Matt Honan, a journalist at

Wired ''Wired'' (stylized as ''WIRED'') is a monthly American magazine, published in print and online editions, that focuses on how emerging technologies affect culture, the economy, and politics. Owned by Condé Nast, it is headquartered in San ...

, who was the victim of a hacking incident, in 2012 wrote "The age of the password has come to an end." Heather Adkins, manager of Information Security at

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

, in 2013 said that "passwords are done at Google." Eric Grosse, VP of security engineering at Google, states that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe."

Christopher Mims Christopher Mims is a technology columnist at ''The Wall Street Journal'', which he joined in 2014. Early life Mims received a bachelor's degree in neuroscience and behavioral biology from Emory University in 2001. Career Mims taught Engli ...

, writing in the

Wall Street Journal ''The Wall Street Journal'' is an American business-focused, international daily newspaper based in New York City, with international editions also available in Chinese and Japanese. The ''Journal'', along with its Asian editions, is published ...

said the password "is finally dying" and predicted their replacement by device-based authentication, however, purposefully revealing his

Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...

password resulted in being forced to change his cellphone number. * * Avivah Litan of

Gartner Gartner, Inc is a technological research and consulting firm based in Stamford, Connecticut that conducts research on technology and shares this research both through private consulting as well as executive programs and conferences. Its client ...

said in 2014 "Passwords were dead a few years ago. Now they are more than dead." The reasons given often include reference to the usability as well as security problems of passwords. Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. (The technical report is an extended version of the peer-reviewed paper by the same name.) Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while ''every'' scheme does worse than passwords on deployability. The authors conclude with the following observation: “Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.” Recent technological advancements (e.g. the proliferation of biometric devices and smartphones) and changing business culture (acceptance of biometrics and decentralized workforce for example) is continuously promoting the adoption of passwordless authentication. Leading tech companies (Microsoft, Google) and industry wide initiatives are developing better architectures and practices to bring it to wider use, with many taking a cautious approach, keeping passwords behind the scenes in some use cases. The development of open standards such as

FIDO2 The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) whose goal is to create strong authentication for the web. At its core, FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and th ...

and

WebAuthn Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface fo ...

have further generated adoption of passwordless technologies such as

Windows Hello Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on J ...

. On June 24, 2020,

Apple Safari Safari is a web browser developed by Apple. It is built into macOS, iOS, and iPadOS, and uses Apple's open-source browser engine, WebKit, which was derived from KHTML. Safari was introduced in Mac OS X Panther in January 2003. It was inclu ...

announced that

Face ID Face ID is a facial recognition system designed and developed by Apple Inc. for the iPhone and iPad Pro. The system allows biometric authentication for unlocking a device, making payments, accessing sensitive data, providing detailed facial ex ...

Touch ID Touch ID is an electronic fingerprint recognition feature designed and released by Apple Inc. that allows users to unlock devices, make purchases in the various Apple digital media stores (iTunes Store, App Store, and Apple Books Store), and au ...

would be available as a WebAuthn platform authenticator for passwordless login.

Mechanism

A user must first register with a system before their identity can be verified. A passwordless registration flow may include the following steps: * Registration request: When a user attempts to register with a website, the server sends a registration request to the user's device. * Authentication factor selection: When the user's device receives the registration request, it sets up a method for authenticating the user. For example, the device may use biometrics like a

fingerprint scanner Fingerprint scanners are security systems of biometrics. They are used in police stations, security industries, smartphones, and other mobile devices. Function Everyone has patterns of friction ridges on their fingers, and it is this pattern ...

or facial recognition for user identification. * Key generation: The user's device generates a

public In public relations and communication science, publics are groups of individual people, and the public (a.k.a. the general public) is the totality of such groupings. This is a different concept to the sociological concept of the ''Öffentlichk ...

private key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

pair and sends the public key to the server for future verification. Once they have registered, a user can log in to the system via the following process: * Authentication challenge: The server sends an authentication to the user's device when the user attempts to log into the site. * User authentication: The user proves their identity to their device using the biometric scanner, unlocking their private key. * Challenge response: The user's device digitally signs a response to the authentication challenge with the user's private key. * Response validation: The server uses the device's public key to verify the digital signature and provides access to the user's account.

Benefits and drawbacks

Proponents point out several unique benefits over other authentication methods: * Greater security – passwords are known to be a weak point in computer systems (due to reuse, sharing, cracking, spraying etc.) and are regarded a top attack vector responsible for a huge percentage of security breaches. * Better user experience – Not only users aren’t required to remember complicated password and comply with different security policies, they are also not required to periodically renew passwords. * Reduced IT costs – since no password storage and management is needed IT teams are no longer burdened by setting password policies, detecting leaks, resetting forgotten passwords, and complying with password storage regulation. * Better visibility of credential use – since credentials are tied to a specific device or inherent user attribute, they can't be massively used and access management becomes more tight. * Scalability – managing multiple logins without additional password fatigue or complicated registration. While others point out operational and cost-related disadvantages: * Implementation costs – Although it is accepted that passwordless authentication leads to savings in the long term, deployment costs are currently a hindering factor for many potential users. Cost is associated with the need to deploy an authentication mechanism on an existing user directory and sometimes the additional hardware deployed to users (e.g. OTPs or security keys). * Training and expertise needed – while most password management systems are built similarly and have been used for many years, passwordless authentication requires adaptation from both IT teams and end users. * Single point of failure – particularly implementations using OTP or push notifications to cellular device applications can create a challenge for the end user if a device is broken, lost, stolen or simply upgraded.

References

{{Reflist

External links

"True Passwordless MFA"
– HYPR Corporation
Passwordless Authentication
–

Secret Double Octopus Secret Double Octopus (SDO) is an Israeli software company specializing in passwordless authentication for enterprise environments. History The company was founded in 2015 by a team of entrepreneurs and security researchers from Ben-Gurion Univ ...

Intro to Passwordless
- Passage Authentication methods Computer access control Applications of cryptography Access control Password authentication

History

Mechanism

Benefits and drawbacks

See also

References

External links