5 benefits of passwordless authentication
Traditional authentication with username and password has been the basis of security for over 50 years. However, in light of today's IT landscape, threats and usage patterns, the time has come to retire the password. We will take a closer look at how this can be done and the benefits of passwordless authentication.
Alexander Friedensburg
05. August 2020
1. Effective protection against phishing and password lists
Phishing aims to trick the victim into giving away sensitive information, most often the combination of username and password. Alternatively, the attacker can use password lists, sold at low cost from previously compromised services, and bet that the employee uses the same password on multiple services.
These forms of attack are basically beyond the control of the IT administration. The first line of defense against phishing is the competence, awareness and vigilance of all employees. Nevertheless, someone regularly falls for it.
Replace passwords with a stronger authentication factor
Attacks based on password lists work because many people reuse their passwords, thus exposing the company's otherwise secure services. There are simply too many opportunities for passwords to go astray. Replacing passwords with a stronger authentication factor, for instance one based on the employee's mobile phone, is an effective safeguard against the most common forms of attack.
2. More user-friendly MFA solution
To remedy the inherent insecurity of the password, it is common to compensate with multifactor authentication (MFA). In this way, authentication no longer relies solely on what the user knows (the password). It also requires something the user has, such as a mobile phone. Even stronger security is achieved by adding a third factor: something the user is, that is, a biometric factor such as a fingerprint, face or eye.
The challenge is that MFA tends to affect usability. The employee goes from entering only the username and password to also having to log in with a one-time code or verify with a fingerprint. This is impractical, and especially annoying on a mobile device, where a typing mistake means going through the process again. In order not to burden the employees more than necessary, IT therefore balances the security needs against the organization's willingness to take risks.
Replace passwords with a more user-friendly authentication factor
If the employee logs in with something he or she has, such as a mobile phone, instead of a password, the solution is far more secure than relying on an insecure password. If multifactor authentication is also needed, verification with something else the employee has or is should be added. Whatever the alternative, it will be far more secure and user-friendly without a password.
3. Seamless user experience
Secure authentication can require as little as a fingerprint on your mobile phone. Never again forgotten or misspelled passwords. Simply a brilliant and seamless user experience.
The solution combines something the user has (access to the mobile phone) and something the user is (the fingerprint). It is thus a much stronger two-factor authentication than one based on passwords, and it requires only one action from the user. The sequence and choice of authentication factors are adapted to the company's needs. For external users, it will be possible to send a one-time code as an SMS, or a "magic link" to the user's e-mail.
4. Reduced need for support
For better security, organizations have introduced measures to force the use of complex passwords. Passwords must, for instance, be of a minimum length, contain special characters and be changed from time to time. All this has improved security but has also made things more demanding for the employees. Complex passwords are difficult to remember, which increases the number of locked accounts that support needs to reopen.
The extent of password-related inquiries to support correlates with perceived complexity on the user side. In other words, an old-fashioned solution is not only inconvenient for employees, but also constitutes a significant cost driver. A passwordless authentication solution, on the other hand, increases the company's productivity and reduces support requests.
5. More time for tasks other than managing password rules
Organizations spend a lot of time documenting, managing, training, and ensuring compliance with the rules for using complex passwords. Employees must familiarize themselves with the rules, and in some companies this must also be formally confirmed. IT must ensure that the password management policies are up to date at all times, and that they work with all systems. Without passwords, managing them is no longer required, and the time can be used for more productive tasks.