Discover all there is to know about passwordless authentication.
What is passwordless authentication? How does it compare with MFA?
The terms multi-factor authentication and passwordless authentication are thrown around loosely as if they’re exactly the same. While there is a lot of overlap, they’re not synonymous with each other.
Passwordless authentication describes authentication flows that rely on at least 2 out of 3 types of authentication factors:
- The inherence factor, i.e. something you are, like fingerprints, face scans, voice recognition, etc.
- The possession factor, i.e. something you have like an authenticator app, a mobile phone, hardware tokens, etc.
- The knowledge factor, i.e. something you know like a PIN code.
It’s an improved version of traditional MFA approaches that removes the need for a password. It enables users to log in with a biometric scan on their mobile phone, instead of entering their username and password followed by a second factor, e.g. an OTP sent by SMS.
Why is passwordless authentication the future?
Organisations are transforming. They need to. Users expect user-friendly, always-on mobile technology. In doing so, they’re driving organisations to transition from legacy systems toward cloud, web-based applications, resulting in hybrid environments.
This transition has increased the importance of secure and frictionless authentication for users. And that’s exactly where classic authentication methods fall short. Specifically passwords.
What’s the problem with passwords?
Passwords have three significant flaws. They cause 81% of data breaches, they’re bad for UX and they’re expensive.
Passwords cause data breaches
Passwords are a liability. Studies have shown that compromised passwords cause 81% of all cyber threats. That’s because passwords are susceptible to phishing, credential stuffing, guessing, brute-forcing, and other cyber threats.
The way users use passwords exacerbates the fundamental flaws of passwords. The average user has 80 accounts that require a password to log in. And each one of these passwords should be unique. But most of us use the same password repeatedly, making it easy for attackers to breach accounts once they’ve compromised a password.
To counter this, organisations require their users to come up with longer and more complex passwords. This causes password fatigue, which is stress caused by trying to stay up-to-date with changing password requirements and repeatedly forgetting and mistyping passwords. Password fatigue leads to sloppier password use and even more password breaches.
Passwords ruin your users’ experience
Password fatigue is further evidenced in this study, where 62% of users find passwords to cause “extreme user frustration”. The reasons are obvious: password-based login is sluggish and rife with friction.
Users waste up to 13 seconds per login attempt if they’re required to log in with a password. 3 out of 10 authentication attempts on a mobile phone fail due to password complexity and screen size. And that’s when users remember their password.
50% of users forget their password at least 5 times a month and request a password reset, each reset taking 10 minutes. A study performed by Yubico revealed that users worldwide spend 11 hours per year requesting passwords.
It comes as no surprise that these hurdles frustrate users. Over three-quarters of respondents in a Beyond Identity survey reported that password fatigue negatively affects their productivity and mental health. 56% of respondents in the same study experienced high password fatigue every week. This stress impacts productivity, app usage and conversion.
Passwords are expensive and cost revenue
Passwords cost organisations millions in terms of IT support and upkeep. The Gartner Group estimates that 50% of help desk requests are for password resetting, and each reset costs €184.
Cyber breaches and account takeovers are expensive too. In its Cost of A Data Breach Report, IBM uncovered that each record hacked costs €164 on average. This includes lost business, legal fees, and compensation to affected clients.
That’s one of many ways password-based authentication makes organisations haemorrhage money. 85% of customers will abandon their online shopping cart due to an arduous and complex authentication process. 60% of consumers have cancelled transactions because they forgot their password or had to create a new account before making the purchase.
What are the benefits of passwordless authentication?
Fewer data breaches
Common cyber attacks like phishing, guessing, credential stuffing, social engineering and brute-forcing hinge on compromised passwords.
Passwordless authentication prevents those attacks by taking passwords out of the equation. Phishing becomes much harder to pull off. It’s difficult to trick a user into handing over a biometric scan through a malicious email or website. It’s outright impossible to guess a biometric scan to access different apps.
Even if a bad actor had a user’s biometric scan, they would still need a possession factor or knowledge factor to breach an account. Eliminating passwords improves your security posture.
As we discussed in a previous blog, passwordless technology can improve user experience. But it depends on the authentication factors you use.
Hardware tokens are often used as an alternative to passwords. But carrying a hardware token with you just to log into a mobile app account isn’t exactly intuitive.
Some organisations rely on SMSes to send One-Time Passwords (OTPs) that users need to submit to a login page. The problem is that SMSes interrupt the user’s momentum, increasing the opportunity to derail them from conversion. On top of that, SMSes often get delivered too late or not at all.
Our mobile passwordless MFA solution combines biometric factors on a mobile phone with strong cryptography. A PIN code comes into play as a fallback method in case the biometric scan fails. These factors combined make for the most frictionless and secure form of passwordless MFA. Here’s why:
- The first factor is an app on the user’s mobile phone. It just makes sense in terms of security and UX to use a tool that a user carries around.
- Biometric authentication factors are the most intuitive and frictionless authentication factors. What’s easier than a finger scan on your own mobile phone?
- A fallback method is essential in case biometrics fail. What if a user has a small cut on the finger they use for their fingerprint scan? That’s why we chose short PIN codes as a fallback method.
Lower TCO, more revenue
One of the lesser-known advantages of passwordless MFA is its effect on revenue. Organisations can save up to millions on IT support and upkeep by getting rid of passwords. Passwordless authentication eliminates 50% of help desk requests and prevents IT staff from wasting time on password resets. It also enables organisations to fend off account takeovers and reduce their attack surface.
That doesn’t mean that passwordless software can’t be costly. Numerous vendors offer solutions that rely on expensive factors like SMSes or hardware tokens.
SMSes cost up to 15 euro cents per authentication attempt, regardless of whether the SMS gets delivered. Hardware tokens like YubiKeys cost up to 900 euros apiece and have to be replaced if broken or lost. So, choose your factors carefully.
Passwordless authentication systems that remove any friction go beyond cutting costs. They generate revenue. Studies suggest a 54% increase in conversions whenever organisations switch to these kinds of solutions.
Our authentication solution enables you to tap into that well of unfinished business and lost revenue. It eliminates the need for expensive authentication factors and helps companies slash authentication costs. The solution also reduces friction and shortens login time by 92%, leading to higher conversions. Find out here how our solution will help your organisation generate revenue.
There are plenty of studies that confirm that users crave passwordless authentication. An Oxford University study of consumer sentiment uncovered that 93% of users prefer biometric authentication to passwords. A survey by Blink revealed that when given the option, 70% of consumers choose passwordless login over password-based.
Passwordless login also inspires trust and reassures users. Over 50% of users prefer passwordless methods over password-based authentication because of safety issues. This begs the question: why do many companies still force their customers to use passwords?
How do you implement a passwordless authentication solution?
Passwordless authentication might be heralded as the future of authentication, but the numbers show that adoption has been relatively slow. The obvious culprits are high costs and user reluctance. But the biggest hurdle has been a perceived lack of integration capabilities and coverage of most passwordless authentication solutions.
Implementing passwordless authentication is hard. But there are ways to make it easier.
Organisations that seamlessly went passwordless purchased a solution with integrated IdP and REST API. And they committed to an implementation process. Here are some key takeaways that you can apply.
Categorise use cases and analyse your users' behaviour
The first step is to categorise all possible use cases. Rank the use cases by user experience, IT time and costs, and security and compliance risks. The ranking will expose the differences between them and help you define detailed requirements for your authentication solution to cover all use cases.
Analysing your users is equally critical. It helps you understand which user behaviour leads to security risks, which device they prefer, and how they like to authenticate. These findings will help you pick authentication methods.
Evaluate existing systems
You need to know where the gaps are and how bad actors can steal credentials and get access to your data. Evaluating your existing systems will also help you determine needs and define requirements. You might find that you already have the tools to develop and implement passwordless authentication or need to reassign investments. The key questions you should ask yourself are:
- Are we already relying on any passwordless methods?
- Are we using Identity and Access Management (IAM) solutions?
- Are our existing authentication solutions on-premise or in the cloud?
- Can we alter existing authentication flows to refrain from using passwords?
- Do we need to invest in any urgent needs?
The answers to these questions will help you determine your needs, investment, and requirements for your future passwordless solution.
Find the right passwordless solution
Nearly all organisations we talk to are aware of their authentication flaws. They know they need an MFA solution for security reasons. But they fail to realise that a solution should be much more than a security measure. It should add business value and impact the bottom line of an organisation.
That’s why some organisations don’t fully understand how to evaluate a solution’s impact and fail to ask the right questions. So, they buy and force-fit a solution that only partially addresses their needs.
We believe that organisations should consider the following criteria when looking for an authentication tool:
- Security impact
- User experience
- Total Cost of Ownership (TCO)
- Strategic business value
- Integration capabilities
The only way to assess these criteria is by asking the relevant questions. We compiled those questions so you don’t have to. Our Requirements Checklist for Passwordless MFA Solutions helps you evaluate vendors and find the right solution for your organisation. Get your free copy now.
Implement the passwordless authentication solution
Passwordless authentication software must provide authentication capabilities for various systems. Get a solution equipped with RESTful APIs, SDKs or integrated IdP via SAML or OIDC that enables easy integration.
Nudge your users towards passwordless
Most users don’t like change, even when the change is for the better. You will undoubtedly experience some form of push-back when rolling out your authentication solution. Some users might need a bit more help to master your new authentication method. There are numerous ways to push your users over the hump and ensure widespread adoption.
Firstly, communicate abundantly. Repeat why you’ll implement passwordless authentication, how it benefits the users, how it works, and which tools it requires. Remember to publish an FAQ and user guide to help them navigate through the new passwordless authentication method.
Secondly, make sure your new solution excels in UX. A solution should allow users to log in using as few interactions as possible and enable a form of self-registration. Ideally, the solution should provide users with enough context to make informed decisions.
Thirdly, gradually roll out your passwordless authentication methods. Some of our clients have adopted a gradual rollout approach. Here are some takeaways:
- Start by making passwordless authentication mandatory for people working in IT and manning your IT helpdesk. When they are familiar with the system, start rolling it out to a segment of users.
- Roll out the new methods to a segment of users. The new methods are optional at this stage.
- Phase out password-based authentication. Nudge your users towards passwordless methods by making it harder to reset passwords, and making the new methods more prominent.
- Next, start requiring a second factor on top of the password for the same group of users to achieve MFA. This will make the passwordless alternative more attractive to use.
- Evaluate the adoption rate, assess the push-back and use those findings to improve the rollout process for the next segment.
- Once most users are familiar with the new authentication methods, make passwordless authentication mandatory.
You could enforce passwordless authentication for every user from the get-go. But this might lead to frustrated users, increased help desk requests, and a drop in app usage and conversions.
Passwordless authentication meets the expectations set by experts and vendors. If implemented correctly, it improves an organisation’s security posture, makes for a frictionless authentication experience and increases profit.
But not all passwordless authentication solutions are created equal. Our mobile passwordless MFA solution helps organisations turn authentication into a competitive advantage by providing a secure and frictionless experience that delights users, protects data and saves money.