Passwords are on their way out. Many people are already used to being authenticated without typing a password, for example with Face ID on iOS or a fingerprint scan on Android, and organizations are increasingly turning to passwordless authentication: proving an online user’s identity with a factor other than a password, primarily for reasons of security.
We take a deeper look at passwordless authentication: why it’s more secure, and a great deal more convenient for users.
Passwords cause problems on two fronts: the security of the accounts they protect, and the experience of the users who have to manage them.
The main issue is the most obvious one, and one we have all been guilty of: forgetting a password. It’s hardly surprising; by some estimates the average person has around 80 different passwords to keep track of.
Keeping track of all these passwords becomes a challenging memory test, and it doesn’t help that each of these accounts likely has different requirements as to password complexity. Consequently, the user experience is negatively affected if they cannot remember the correct one.
The sheer number of passwords the average online user is expected to remember leads inevitably to the next problem: password reuse. It’s estimated that two out of every three people use the same password for multiple accounts simply to remember it.
Reusing passwords is a serious security risk. Major data breaches, such as the recent Easyjet breach in the UK in which the details of 9 million people were compromised, often lead to the login details of compromised accounts being sold to bad actors on the dark web.
This in turn fuels credential stuffing attacks, in which criminals exploit password reuse by taking large lists of leaked username and password pairs and trying them en masse against many other sites, looking for accounts where the same password still works.
Credential stuffing can be highly profitable, so the culprits are usually well-organized criminal groups running large-scale automated tooling rather than individuals trying logins by hand.
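Credential stuffing has a recognisable shape in authentication logs: one source cycling through many different usernames with a low success rate, which looks nothing like a legitimate user retrying their own password. The detector below is an added example, not code from the original article; the log format, the thresholds and the sample log lines are constructed assumptions for illustration.

```python
"""Credential-stuffing detection over constructed login logs.

Added example, not from the original article. The log format and thresholds
are assumptions: each line is "<timestamp> <source_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.5 cycles through leaked usernames with a
# low hit rate (stuffing); 198.51.100.7 is one user mistyping their password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 alice FAIL
2024-05-01T10:00:01Z 203.0.113.5 bob FAIL
2024-05-01T10:00:02Z 203.0.113.5 carol FAIL
2024-05-01T10:00:02Z 203.0.113.5 dave OK
2024-05-01T10:00:03Z 203.0.113.5 erin FAIL
2024-05-01T10:00:03Z 203.0.113.5 frank FAIL
2024-05-01T10:00:04Z 203.0.113.5 grace FAIL
2024-05-01T10:00:04Z 203.0.113.5 heidi FAIL
2024-05-01T10:00:05Z 203.0.113.5 ivan FAIL
2024-05-01T10:00:05Z 203.0.113.5 judy OK
2024-05-01T10:01:00Z 198.51.100.7 alice FAIL
2024-05-01T10:01:20Z 198.51.100.7 alice FAIL
2024-05-01T10:01:45Z 198.51.100.7 alice OK
"""


@dataclass
class IpStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)


def parse_log(text):
    """Parse the constructed log format into (ts, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def aggregate(events):
    """Per-source counters: attempts, successes and the set of usernames tried."""
    stats = defaultdict(IpStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes += 1
            s.succeeded_users.add(user)
    return stats


def flag_stuffing(stats, min_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources that look like credential stuffing.

    Heuristic (assumption): many distinct usernames from one source with a low
    success ratio. A single user retrying their own password has one username
    and is never flagged, however many failures they generate.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.usernames) >= min_users and s.successes / s.attempts <= max_success_ratio:
            flagged[ip] = s
    return flagged


def compromised_accounts(flagged):
    """Accounts a stuffing source actually got into: force a reset and revoke sessions."""
    accounts = set()
    for s in flagged.values():
        accounts |= s.succeeded_users
    return accounts


def analyse(text):
    """Pipeline: parse -> aggregate -> flag; returns (sorted ips, sorted accounts)."""
    flagged = flag_stuffing(aggregate(parse_log(text)))
    return sorted(flagged), sorted(compromised_accounts(flagged))


if __name__ == "__main__":
    ips, accounts = analyse(SAMPLE_LOG)
    print("suspected stuffing sources:", ips)
    print("accounts to reset:", accounts)
```

Note the two hits in the sample: a stuffing campaign that is "mostly failures" still succeeds against every account whose owner reused a leaked password, and those are the accounts to act on. Real campaigns spread attempts across thousands of proxy addresses precisely to stay under per-IP thresholds like `min_users`, so in practice this signal is combined with global failure-rate and breached-password checks rather than used alone.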
On top of all this, relying on passwords for authentication can, ironically, undermine a user’s security.
Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords.
Password login details are actively targeted by online fraud techniques such as phishing, man-in-the-middle and rat-in-the-browser (RitB) attacks. In phishing, fraudsters direct users to fake, official-looking login pages designed to get them to type in their passwords; in man-in-the-middle and RitB attacks, the credentials or the authenticated session are intercepted or hijacked as the user logs in to the genuine site.
The fraudsters then use what they have captured to gain access to users’ accounts.
Because passwords are so easy to steal or intercept, organizations have been looking for other methods of authentication to replace them. The passwordless methods discussed below include verification via one-time codes sent by SMS, physical biometrics such as fingerprint or face recognition, and behavioral biometrics.
Fraud does not disappear when authentication goes passwordless. SMS one-time codes, for example, have reportedly been targeted many times: they can be intercepted through SIM-swap fraud, or simply phished and relayed to the genuine site while they are still valid.
Users can also still be targeted by RitB-style attacks: fraudsters create official-looking but fake pages that encourage users to enter their OTP, then relay the code to the genuine site within its validity window. Password reuse makes this worse, since a password phished alongside the OTP gives the fraudster a head start on the user’s other accounts as well.
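The reason an OTP typed into a phishing page still works is that nothing in the code ties it to the site where it was entered: it is valid for a short window and single use, but the genuine service cannot tell that it arrived via a relay. The simulation below is an added example, not code from the original article; it contrasts that relay with an origin-bound assertion, where the device signs the challenge together with the origin the browser is actually on (the role WebAuthn gives to the client origin). The service, its 30-second OTP policy, the look-alike phishing domain and the device key are all constructed, and an HMAC stands in for the public-key signature a real platform authenticator would produce.

```python
"""Real-time OTP relay through a phishing page versus an origin-bound assertion.

Added example, not from the original article. Service, OTP policy, phishing
domain and device key are constructed; HMAC stands in for a device signature.
"""
import hashlib
import hmac
import secrets


def sign_for_origin(device_key, challenge, origin_seen_by_browser):
    """The authenticator signs the challenge together with the origin the browser
    is really on. A phishing page cannot change what the victim's browser reports."""
    return hmac.new(device_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


class Service:
    """Relying party: issues short-lived OTPs and origin-bound challenges."""

    def __init__(self, origin, otp_ttl_s=30):
        self.origin = origin
        self.otp_ttl_s = otp_ttl_s
        self.sessions = {}     # session id -> (user, otp, expiry)
        self.device_keys = {}  # user -> key (stand-in for a registered public key)
        self.pending = {}      # user -> outstanding challenge

    def start_login(self, user, now):
        sid = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = (user, otp, now + self.otp_ttl_s)
        return sid, otp  # in reality the otp goes to the user's phone by SMS

    def verify_otp(self, sid, otp, now):
        """Single use and time-limited, but blind to where the code was typed."""
        _user, expected, expiry = self.sessions.pop(sid)
        return now <= expiry and hmac.compare_digest(otp, expected)

    def register_device(self, user, key):
        self.device_keys[user] = key

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify_assertion(self, user, tag):
        """Recompute over the challenge and *this* service's origin."""
        expected = sign_for_origin(self.device_keys[user], self.pending.pop(user), self.origin)
        return hmac.compare_digest(tag, expected)


BANK = "https://bank.example"         # constructed genuine origin
PHISH = "https://bank-login.example"  # constructed look-alike domain


def otp_relay_attack(now=1000.0):
    """Victim types the SMS code into the fake page; the attacker forwards it."""
    bank = Service(BANK)
    sid, otp_on_victim_phone = bank.start_login("alice", now)  # proxied by the phishing page
    code_typed_into_fake_page = otp_on_victim_phone
    return bank.verify_otp(sid, code_typed_into_fake_page, now + 5)  # relayed 5 s later


def otp_relay_too_late(now=1000.0):
    """The only defence the OTP itself offers: the relay misses the window."""
    bank = Service(BANK)
    sid, otp = bank.start_login("alice", now)
    return bank.verify_otp(sid, otp, now + 60)


def origin_bound_relay(origin_seen_by_browser):
    """Same relay against an origin-bound assertion; the phishing page forwards
    the genuine challenge, but the device signs it for the origin it sees."""
    bank = Service(BANK)
    device_key = secrets.token_bytes(32)
    bank.register_device("alice", device_key)
    challenge = bank.challenge("alice")
    tag = sign_for_origin(device_key, challenge, origin_seen_by_browser)
    return bank.verify_assertion("alice", tag)


if __name__ == "__main__":
    print("OTP relayed within window accepted:", otp_relay_attack())
    print("OTP relayed after expiry accepted:", otp_relay_too_late())
    print("assertion made on phishing origin accepted:", origin_bound_relay(PHISH))
    print("assertion made on genuine origin accepted:", origin_bound_relay(BANK))
```

The relayed OTP is accepted because the service has no way to distinguish it from one typed on its own page; shortening the window only forces the attacker to automate the relay, which real-time phishing kits already do. The origin-bound assertion fails at the genuine site because the victim’s browser signed for `bank-login.example`, and no amount of relaying changes that.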
Physical biometrics are a more efficient and accurate way to authenticate users through their device, but the underlying traits can to some extent be captured, replicated and reused, and unlike a password a fingerprint or face cannot be changed once its representation has been compromised. Platform biometrics such as Face ID mitigate this by keeping the biometric data on the device and using it only to unlock a locally stored credential, so the realistic risk there is a spoofed presentation to the sensor rather than a stolen template.
Behavioral biometrics, on the other hand, are distinctive to each user and very hard to imitate. Parameters include the way a user types, moves the mouse, and even the angle at which they typically hold their phone. An attempt to reproduce another user’s pattern, including replaying a recording of it, is in itself suspicious to a tool analysing behavioral biometrics, because genuine behavior varies slightly every time.
Behavioral biometrics are therefore a highly accurate and comprehensive way to authenticate a user through their device, verifying that the user is who they claim to be and is not being manipulated or taken over. Because the signal is probabilistic, a deployment scores each session against the user’s profile and triggers a step-up check when the score drifts, rather than giving a single binary verdict.
And because behavioral biometrics are measured invisibly and continually in the background throughout a session, they add no friction to the journey and preserve the golden advantage of going passwordless: a more positive, frictionless user experience.
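Keystroke dynamics are one of the behavioral signals mentioned above, and they show both halves of the argument: a profile built from how long each key is held and how long the fingers take to move between keys, scored statistically against new samples, and a replay check that treats a millisecond-exact reproduction of a stored sample as suspicious in its own right. The code below is an added example, not the article’s or any vendor’s implementation; the six-character phrase, the enrolment timings, the z-score threshold, the replay tolerance and the two-strikes step-up rule are all constructed assumptions.

```python
"""Keystroke-dynamics scoring with replay detection and continuous monitoring.

Added example, not from the original article. Features, enrolment data,
threshold and tolerance are constructed assumptions for illustration.
"""
import statistics

# Feature vector for a 6-character phrase: 6 key hold times + 5 flight times, in ms.
# BASE is the constructed "typical" timing; enrolment samples are BASE shifted by
# a per-session offset, standing in for five genuine logins.
BASE = [95, 110, 88, 102, 120, 90, 130, 140, 125, 150, 135]
ENROLMENT = [[v + d for v in BASE] for d in (-8, -4, 0, 4, 8)]


def build_profile(samples):
    """Per-feature mean and sample standard deviation from enrolment samples."""
    return [(statistics.mean(col), statistics.stdev(col)) for col in zip(*samples)]


def anomaly_score(profile, sample):
    """Mean absolute z-score of the sample against the profile (lower is closer)."""
    zs = [abs(x - m) / s if s > 0 else abs(x - m) for x, (m, s) in zip(sample, profile)]
    return sum(zs) / len(zs)


def is_replay(samples, sample, tolerance_ms=0.5):
    """Sub-millisecond reproduction of a stored sample is itself suspicious: people
    do not repeat their own timings exactly, but a captured recording does."""
    return any(all(abs(a - b) < tolerance_ms for a, b in zip(s, sample)) for s in samples)


def verify(samples, sample, threshold=2.0):
    """Return 'accept', 'reject' or 'replay' for one observed sample."""
    profile = build_profile(samples)
    if len(sample) != len(profile):
        return "reject"
    if is_replay(samples, sample):
        return "replay"
    return "accept" if anomaly_score(profile, sample) <= threshold else "reject"


def monitor_session(samples, stream, max_strikes=2):
    """Score every sample observed during a session in the background; request a
    step-up challenge after `max_strikes` consecutive non-accept verdicts."""
    verdicts, streak, step_up = [], 0, False
    for observed in stream:
        verdict = verify(samples, observed)
        verdicts.append(verdict)
        streak = streak + 1 if verdict != "accept" else 0
        if streak >= max_strikes:
            step_up = True
    return verdicts, step_up


# Constructed test inputs: the genuine user a little slower than usual, an
# impostor who holds keys ~40 ms and pauses ~60 ms longer, and a replayed recording.
GENUINE = [v + 5 for v in BASE]
IMPOSTOR = [v + (40 if i < 6 else 60) for i, v in enumerate(BASE)]
REPLAY = list(ENROLMENT[2])

if __name__ == "__main__":
    for name, s in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("replay", REPLAY)):
        print(f"{name}: {verify(ENROLMENT, s)} (score {anomaly_score(build_profile(ENROLMENT), s):.2f})")
    print(monitor_session(ENROLMENT, [GENUINE, GENUINE, IMPOSTOR, REPLAY]))
```

With the constructed data every enrolment feature has a standard deviation of about 6.3 ms, so the genuine sample scores roughly 0.8 standard deviations away and is accepted, while the impostor sits six to nine deviations out and is rejected. The replayed sample would score a perfect 0.0, which is exactly why it is flagged before scoring: a match that is too good is the signature of a recording, not a person. `monitor_session` shows the continuous mode the article describes, where nothing interrupts the user until the signal turns bad twice in a row.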