Moving beyond passwords with passwordless authentication

Five drivers accelerating adoption

In 2016, Deloitte published an article on the challenges around passwords that were creating the conditions for disruption, the potential of passwordless authentication as a solution, the emerging technologies that could support adoption, and what was likely to evolve in the future. It proved to be prescient. This follow-up article discusses the present state of passwordless authentication and our updated point of view on it in 2024.

Starting in the early 2000s, two-factor authentication became widely adopted.[1] In this model, the user receives a one-time code on their mobile phone and enters it in addition to the traditional password typed on their laptop. The enhanced security comes from the authentication taking place across two devices possessed by the user.

Biometric technologies

Around 2013,[2] driven primarily by the popularity of the newest smartphone models, biometric authentication went mainstream. These technologies require no memorization of complex combinations of letters, numbers, and symbols because they leverage distinct characteristics of “you”: your fingerprint, voice, face, heartbeat, and even habitual movements. Biometrics captured by smartphone cameras and microphones are the most prevalent,[3] including fingerprint, iris, voice, and face recognition. These approaches fall under the umbrella of “what you are”.

Checking your biometric data against a trusted device that only you own, as opposed to a central repository, has become the preferred approach. For example, a user could scan their retina via the camera on a laptop or smartphone, using biometric identification as a first step to gain access to their online bank account. In a second step, the bank could then send a challenge via text message to the user’s mobile phone, requiring them to reply with a text message to finish the authentication.

“The advantage of passwordless authentication lies in its ability to bridge the gap between usability and security. In particular, standards-based, interoperable solutions such as FIDO2 and WebAuthn give users a phishing-resistant authentication capability that uses familiar platform-based authenticators to provide security in an easy and convenient manner.”

Ryan Galluzzo, Identity Program Lead, Applied Cybersecurity Division at the National Institute of Standards and Technology

Other authentication practices

A separate set of authentication methods falls under the umbrella of “what you have”: not only smartphones, but also security tokens carried by individuals, software-enabled tokens, or even an adaptation of the blockchain databases used by bitcoin. Hardware USB keys enable workers to log in by entering their username and password, followed by a random passcode that the fob generates at set intervals of time. Software tokens operate similarly, with a smartphone app, for example, generating the codes. Distributed blockchain technology, and risk-based authorization that grants a user access after verifying their location, usage times, or access patterns, are other technologies that are now widely available.

Regardless of which authentication methods are selected, the benefits are essentially the same. With multiple devices or “gatekeepers” involved in the MFA process, the risk of a security incident stemming from a compromised password is significantly reduced. One development in the move toward passwordless authentication was the founding of the FIDO Alliance by several leading technology vendors in 2012. This significantly advanced technical standards for new open, interoperable, and scalable online authentication systems that do not rely on passwords. Now, a decade after the alliance was founded, the FIDO security standard has continued to expand and has been adopted by many companies.[4] The latest iteration, known as FIDO2, leverages two-factor authentication as well as security keys (FIDO2 keys) and hardware tokens.

1. Caroline Delbert, “History of Online Security, from CAPTCHA to Multi-Factor Authentication”, Beyond Identity, May 31, 2022, accessed September 18, 2023.

2. “How Biometric Authentication Secures the Future of Digital Banking”, Lumin Digital, accessed September 18, 2023.

3. Pavel Jiřík, “5 Popular Types of Biometric Authentication: Pros and Cons”, Phonexia, September 9, 2021, accessed September 18, 2023.

4. “FIDO becomes an international standard, accelerates its deployments in public and private sectors”, press release, DigiTimes, December 25, 2018, accessed September 18, 2023.

Contacts

Mike Wyatt
Principal
Deloitte & Touche LLP
miwyatt@deloitte.com
David Mapgaonkar
Principal
Deloitte & Touche LLP
dmapgaonkar@deloitte.com
Raj Radhakrishnan
Managing Director
Deloitte & Touche LLP
rajradhakrishnan@deloitte.com