Passwordless is not a new topic. In 2004, Bill Gates stated at RSA Conference: “The Password is Dead.” Well, after almost twenty years, we’re still dealing with passwords, so should we give up?
Passwords still have the same downsides they had back in 2004: highly predictable in most cases, easy to forget, and easy to steal via phishing and social engineering.
So why are they still in use?
The main reason is that most users are used to dealing with a password, but now things are changing.
The introduction of Multifactor Authentication (MFA) on almost any payment-related service (think about Open Banking and PSD2) and the need to protect social media platforms have opened doors to more advanced authentication patterns.
Furthermore, the almost universal use of mobile devices and the advancements in behavioral biometrics offer new hope in the journey towards password funerals.
It’s worth explaining more precisely what we mean by passwordless authentication.
Traditionally, authentication relies on one or more of the following factors: knowledge-based secrets, owned objects, and inherence factors. When we deal with passwords, we are using a knowledge-based secret. Passwordless authentication is an authentication method in which a user can log in to a computer system or service without using a password or any other knowledge-based secret. That means the remaining authentication factors available are those owned by or inherent to the user. Is it that simple? Not really, since there are other aspects to consider in the modern authentication context. As we mentioned, MFA is part of our daily authentication routine, and it’s even a regulated requirement in the payment industry. What changes when we introduce MFA in a passwordless scenario is that we need an authentication method that correlates multiple factors, all of them owned or inherent.
At this point, we can imagine how a passwordless authentication flow looks in modern times. Mobile devices are an immediate “owned” element for most users. Furthermore, smartphones are intended as personal devices, always with us: perfect candidates. As an additional factor, we can consider active biometric elements (fingerprint, face recognition, iris recognition) and behavioral biometrics (keystroke dynamics, gait analysis, mouse use) as the user’s inherence factor. Relying on those factors, users can access an online service by having an app on their mobile device and verifying their identity with MFA through biometrics, with no passwords involved.
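How the owned and inherent factors combine without any knowledge-based secret, as an added example that is not XTN’s code: the server issues a single-use challenge, the enrolled device releases its per-device key only after the local biometric check passes (simulated here by a flag), and the server verifies the response with replay and expiry checks. The class names, the HMAC construction and the constructed user “alice” are assumptions for this illustration.

```python
import hashlib, hmac, secrets, time

# Constructed simulation of a possession + inherence login: no password is ever
# stored or sent. Names and the HMAC-based response are assumptions, not a real product.
class Server:
    def __init__(self):
        self.device_keys = {}   # user -> key provisioned on the device at enrollment
        self.pending = {}       # nonce -> (user, issued_at); each nonce is single use

    def enroll(self, user, device_key):
        self.device_keys[user] = device_key

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, time.time())
        return nonce

    def verify(self, user, nonce, tag, max_age=60, now=None):
        issued = self.pending.pop(nonce, None)   # pop: a replayed nonce is unknown
        if issued is None or issued[0] != user or tag is None:
            return False
        if (now or time.time()) - issued[1] > max_age:
            return False                          # stale challenge
        expected = hmac.new(self.device_keys[user], f"{user}:{nonce}".encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) # constant-time comparison

class Device:
    def __init__(self, user, device_key):
        self.user, self.key = user, device_key

    def respond(self, nonce, biometric_ok):
        # The inherence factor gates the possession factor: the device key is
        # only used when the local biometric check (simulated by a flag) passes.
        if not biometric_ok:
            return None
        return hmac.new(self.key, f"{self.user}:{nonce}".encode(), hashlib.sha256).digest()

def run_login(biometric_ok=True, replay=False, rogue_device=False, age=0):
    """Return whether the server accepts the login under the given conditions."""
    server = Server()
    key = secrets.token_bytes(32)
    server.enroll("alice", key)                   # constructed user
    device = Device("alice", secrets.token_bytes(32) if rogue_device else key)
    nonce = server.challenge("alice")
    tag = device.respond(nonce, biometric_ok)
    ok = server.verify("alice", nonce, tag, now=time.time() + age)
    if replay:
        return server.verify("alice", nonce, tag) # same nonce and tag submitted again
    return ok
```

A failed biometric check, an unenrolled device, a replayed response and an expired challenge are all rejected, while the genuine device with a passing biometric check is accepted.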
Several advantages are worth underlining. The user experience is as smooth as imaginable. Even if the device is lost, there is a second line of defense. In ROI terms, this translates into higher customer retention rates, lower support-related costs (think about password resets), and less fraud related to Account Takeover (ATO).
At XTN Cognitive Security®, we believe moving towards passwordless authentication is the future. We have designed the Cognitive Security Platform®, knowing the importance of including behavioral biometrics and device invisible authentication features in a fully integrated fraud prevention environment.