
Passwordless: The end of passwords

In today's digital world, virtually all web access is carried out using classic user and password validation. This has been the case for a long time, almost as long as cybersecurity professionals have been insisting on the importance of setting strong passwords.

Daniel Consentini

Another approach simplifies authentication by eliminating passwords. We are talking about what may be the beginning of the end of traditional passwords as we know them: passwordless authentication.






Identifying the problem

Before going into detail about the concept of Passwordless, it is necessary to put it into context and understand the problem it is trying to solve. Currently, we could say that traditional passwords fail in concept and use, but what do we mean by this?

In general, much of password security is based on their complexity and how they are handled. For example, a password with 30 characters combined with upper-case letters, lower-case letters, numbers and special characters is more secure than a 6-character password consisting only of numbers.

Furthermore, this password, which we define as ‘super secure’, is unique for each website. In other words, each environment we use has a different 30-character password that we change regularly.

To be honest, no one complies with this. It is impossible to remember a list of passwords of this type in your head. Furthermore, as a concept, it also has its weaknesses, as there are many attacks in which it is not even necessary to know the password in ‘plain text’. In other words, in certain scenarios, even a 60-character password would not be enough.

Alternatives to the use of passwords

Given the problem with the use of passwords, different alternatives with different approaches have been proposed. These are valid and recommended measures that we can use to better protect our accounts.

Password managers

Password management systems act as password storage containers. They also allow new passwords to be generated in accordance with security standards.

There are various types of password managers, and these tools can be found as cloud services or local applications. They may also have an associated cost depending on the choice, or they may be completely free solutions.

For this type of tool, we could say that the ‘Achilles heel’ is access, where we will have to use an authentication mechanism (such as a password) to access our entire environment. In addition, their use is not very widespread.

Two-factor authentication

Known by its acronym 2FA (or MFA if we are talking about multiple factors), this is considered one of the best security measures for account protection today. This type of configuration involves a second validation in addition to the password, which is usually carried out by something we have, such as a mobile device.

Two-factor systems should be mandatory, as they greatly increase security. Despite this, certain social engineering attacks and malicious applications exist that target these types of systems.

Passwordless to save us all

At this point, we can understand that passwords themselves are a problem, and the solutions proposed greatly increase security, but still carry some risk. In this scenario, Passwordless appears as a possible solution.

The main objective and basis of the Passwordless architecture is the idea of eliminating passwords from the equation in an authentication system, and this makes sense, as we have seen that they represent the weakest link in the chain.

This requires a change in mindset. With this implementation, our password will be a factor that truly identifies us uniquely, rather than just a set of characters that are difficult to remember. In other words, in these systems we are replacing the traditional password with a fingerprint, facial recognition or a pattern, among many other examples.

They work by combining several technologies, such as asymmetric cryptography and two-factor authentication. This way, when a passwordless authentication call is made, access to the private key is requested. This key is located on an external device and is usually linked to an identification element.
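
The flow described above, as an added example that is not part of the original article: a simplified challenge-response in Node.js in which the private key never leaves the device and the server stores only the public key. It is not the FIDO2 wire format; the function names, the origin value and the `userVerified` flag are assumptions made for illustration, and signing the origin along with the challenge is a step borrowed from how FIDO2 authenticators behave.

```javascript
const crypto = require('node:crypto');

// Registration: the external device creates a key pair. The private key
// stays on the device; the server keeps only the public key.
function registerAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey, pending: new Set() } };
}

// Server: issue a fresh random challenge and remember it until it is used.
function issueChallenge(serverRecord) {
  const challenge = crypto.randomBytes(32).toString('hex');
  serverRecord.pending.add(challenge);
  return challenge;
}

// Device: only after the local check (fingerprint, PIN, ...) succeeds, sign
// the challenge together with the origin being accessed.
function signAssertion(device, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('local user verification failed');
  const payload = Buffer.from(JSON.stringify({ challenge, origin }));
  return { payload, signature: crypto.sign(null, payload, device.privateKey) };
}

// Server: check the signature, the origin and single use of the challenge.
function verifyAssertion(serverRecord, { payload, signature }, expectedOrigin) {
  if (!crypto.verify(null, payload, serverRecord.publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(payload.toString());
  if (origin !== expectedOrigin) return 'wrong-origin';
  if (!serverRecord.pending.delete(challenge)) return 'unknown-or-replayed-challenge';
  return 'ok';
}

// Constructed demo: one accepted login and three rejected ones.
function demo() {
  const ORIGIN = 'https://login.example'; // assumed site origin
  const { device, serverRecord } = registerAuthenticator();
  const good = signAssertion(device, issueChallenge(serverRecord), ORIGIN, true);
  const first = verifyAssertion(serverRecord, good, ORIGIN);
  const replay = verifyAssertion(serverRecord, good, ORIGIN);
  const elsewhere = signAssertion(device, issueChallenge(serverRecord), 'https://other.example', true);
  const wrongOrigin = verifyAssertion(serverRecord, elsewhere, ORIGIN);
  const otherDevice = registerAuthenticator().device;
  const unknown = signAssertion(otherDevice, issueChallenge(serverRecord), ORIGIN, true);
  const forged = verifyAssertion(serverRecord, unknown, ORIGIN);
  return { first, replay, wrongOrigin, forged };
}

console.log(demo());
```

Nothing the server stores can be used to log in: a copy of `serverRecord` contains a public key and used-up challenges, but no secret.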

Types of passwordless authentication factors

As mentioned above, the passwordless authentication process requests identification from an external device to perform the corresponding check. This request can take several forms, some of which are highlighted below:

  • Authentication applications: Although these applications are commonly known as two-step verification systems, many of them also cover passwordless functionalities.
  • PUSH notifications: A notification pops up on the mobile device at the time of authentication, asking us to confirm that it is really us who want to access the device.
  • Security keys: These are not very well known, but are gradually becoming more common. Security keys (which are usually like a USB stick) contain the private authentication key. They are offline devices that are only required for authentication and provide a high level of security.
  • Biometrics: Usually linked to one of the above mechanisms, biometrics is requested to uniquely identify us.

It should be noted that some of these authentication methods may follow public standards developed for this purpose. One of the most popular and well-known is FIDO2, which sets out the specifications required for secure authentication.

Availability and use

Passwordless systems are not new; they have been around for several years, but it is true that their development and implementation in different environments is still pending. Even so, examples can be found in operating systems such as Android on mobile devices and Windows 10 on desktops.

Although there is still a long way to go, their use is becoming increasingly widespread and, with it, the level of protection our accounts enjoy. This is certainly a highly recommended measure, as we gain in security and, in addition, we remove annoying passwords from the equation. It can be said that, with this feature, we all win (except the bad guys).
