Passwordless — The Buzzword

Vivek Narang
Aug 2, 2021

The term “Passwordless” is the new buzzword in the industry. All of a sudden everybody wants to adopt passwordless mechanisms, be it consumers, small businesses or big enterprises. It appears simple, but the underlying mechanism is complex to understand and implement. In this blog, I will scratch the surface to explain the jargon at a high level, and we will delve into the details in my later blogs.

What is Passwordless?

Passwordless refers to a method of establishing a user’s identity without the use of passwords or any memorized secrets. The system needs to use a mechanism such as magic links, OTPs, biometrics, etc., which can uniquely identify the user.

Why go Passwordless?

There are three major reasons to go passwordless:

  • Enhanced security: Passwords are one of the biggest security threats nowadays; they can be easily shared with others, attacked in several ways and even guessed. Verizon’s DBIR study says 81% of hacking-related breaches leverage stolen and/or weak passwords.
  • Seamless user experience: Passwordless offers a frictionless user experience. Users are less likely to abandon the onboarding flow, which means more users are likely to adopt and stay loyal.
  • Reduced overhead: It reduces total cost of ownership (TCO) as there is no need to store, protect or reset passwords. It reduces the count of helpdesk tickets, which in turn results in savings.

How to go Passwordless?

There are multiple ways to go passwordless:

  • Magic links: Users are presented with links over email/SMS/WhatsApp which can be clicked to complete the verification procedure.
  • One-time passwords: Users are sent time-based one-time passwords/passcodes (T-OTP) over email/SMS/WhatsApp/authenticators, which need to be entered while logging in to the system. Users are allowed to log in upon verification.
  • Biometrics: Users are identified with the factor of inherence, meaning “something you are”, such as fingerprints, retina, voice or facial recognition.
  • Hardware tokens: There are hardware devices available in the market, such as USB smartcards and YubiKey, which generate RSA-like tokens used for authentication.
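To make the magic-link option concrete, here is an added example (not code from this blog) of the server side: the link carries a random token, only its hash is stored, and the token expires, works once, and can be revoked. The class name `MagicLinkStore`, the `app.example` URL, the 10-minute lifetime and the in-memory dictionary are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumed lifetime: a link is valid for 10 minutes


class MagicLinkStore:
    """Hypothetical in-memory stand-in for a server-side token table."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, now + TTL_SECONDS)
        # This URL is what gets delivered over email/SMS (constructed host).
        return f"https://app.example/login?token={token}"

    def redeem(self, token, now=None):
        """Return the verified email, or None if unknown, used or expired."""
        now = time.time() if now is None else now
        # pop() removes the record on first use, so a replayed link fails.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        return email if now <= expires_at else None

    def revoke(self, email):
        """Invalidate every outstanding link for a user, e.g. after a
        mailbox compromise is reported. Returns how many were removed."""
        stale = [d for d, (e, _) in self._pending.items() if e == email]
        for d in stale:
            del self._pending[d]
        return len(stale)
```
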

Is Passwordless secure?

There is a lot of debate around this. The mechanism can be compromised if emails are hacked, SMS messages are intercepted or devices are stolen. But at the same time, technology is evolving that can help revoke the rights.
