Introduction to Passwordless Authentication: Let's Think Passwordless
International System Research Co., Ltd.
June 21, 2019
*Some content updated on January 19, 2021, and October 15, 2021
Understand the problem and benefits: No more passwords.
1. Introduction
"Passwords" have become commonplace, something everyone takes for granted.
Have you ever really thought about the problems with passwords or the convenience of not using them?
Password authentication is a "mechanism to prove that the user is indeed the person they claim to be." If it's compromised, it opens the door to the danger of "unauthorized access." In the worst-case scenario, it can threaten not only an individual's life but also expose valuable corporate assets to danger, potentially jeopardizing business operations. Therefore, we recommend using passwordless authentication, especially leveraging FIDO2-based passwordless authentication in your organization.
In this blog, we'll explain why passwordless authentication is necessary, including its benefits, starting from the problems with passwords.
2. What Are the Problems with Passwords?
The core problem is simple: they're "easily stolen." And when stolen passwords are misused, it leads to devastating consequences.
According to one study, 80% of hacking breaches are caused by brute-force or lost or stolen passwords (credentials). Another study revealed that 90% of respondents experienced data breaches due to password leaks. These findings indicate that passwords are stolen in large quantities precisely because they are so easily compromised.
So, why are they so easily stolen? Because passwords rely on human memory and are reusable. First, take a moment to count how many online accounts you currently have.
With the proliferation of online services, it's said that individuals maintain an average of 27 online accounts. Is it truly possible to make the password for each account complex, let alone set and remember a different password for every single one?
Since we access these services daily, we naturally want quick, stress-free access. This often leads to practices like "using simple, easy-to-remember passwords," "reusing the same password," and "writing down passwords."
These habits are the pitfalls that make passwords so easy to steal.
Because the same password was reused, or because all passwords were kept on a memo or in a data file, a single password, or even all of them, can be effortlessly stolen by a malicious third party. This puts you at risk of suffering enormous damage.
3. What Is Passwordless Authentication, and How Does It Solve Password Problems?
Passwordless authentication is a type of Multi-Factor Authentication (MFA) that allows users to log in to cloud and web services using biometrics or a PIN, without relying on vulnerable passwords. Today, numerous mechanisms exist that allow identity verification without passwords, but utilizing FIDO2-based passwordless authentication enables more secure and robust authentication.
FIDO2-based passwordless authentication sends only the result of identity verification from within the device to the server. This means biometric information never flows over the network and is never stored on the server. As for "security," which is a challenge for password authentication, the risk of credential compromise is significantly reduced.
Today, in addition to FIDO2-compliant authentication devices, almost all devices you use—such as Windows 10, Android, iPhone, and iPad—can be utilized. This makes convenient and secure passwordless login a reality for businesses, tailored to their specific needs.
FIDO2-Compatible Solutions
At this point, some might wonder if a PIN is the same as a password. However, a PIN, or Personal Identification Number, differs from a password in that it does not, and should not, flow over the network. It is used only for local authentication on the device, and because it is never transmitted over the network the way a password is, the risk of attack is reduced.
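The two points above (only the verification result leaves the device, and the PIN is checked locally) can be seen in a simplified challenge-response sketch. This is an added example in Node.js, not code from the original post or from any product it mentions; the class names `Authenticator` and `RelyingParty`, the user, the site names and the PIN are constructed, and real WebAuthn adds CBOR encoding, clientDataJSON, attestation and signature counters that are left out here.

```javascript
// Added example: simplified FIDO2-style challenge-response, not real WebAuthn encoding.
const crypto = require('node:crypto');
const sha256 = (v) => crypto.createHash('sha256').update(v).digest();
// Device side (hypothetical class). The PIN check and the private key never leave this object.
class Authenticator {
  constructor(pin) {
    this.pinHash = sha256(pin);
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  getAssertion(rpId, challenge, pin) {
    if (!crypto.timingSafeEqual(sha256(pin), this.pinHash)) throw new Error('local verification failed');
    // authData = SHA-256(rpId) || flags; 0x05 = user present (0x01) + user verified (0x04)
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05])]);
    const signature = crypto.sign('sha256', Buffer.concat([authData, challenge]), this.privateKey);
    return { authData: authData.toString('base64'), signature: signature.toString('base64') };
  }
}
// Server side (hypothetical class). It stores a public key and a pending challenge, nothing secret.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once, so a captured assertion cannot be replayed
    if (!challenge || !this.keys.has(user)) return false;
    const authData = Buffer.from(assertion.authData, 'base64');
    if (authData.length !== 33 || !authData.subarray(0, 32).equals(sha256(this.rpId))) return false;
    if ((authData[32] & 0x04) === 0) return false; // require the user-verified flag
    return crypto.verify('sha256', Buffer.concat([authData, challenge]), this.keys.get(user),
      Buffer.from(assertion.signature, 'base64'));
  }
}
// Constructed run: the user name, site names and PIN are sample values.
function demo() {
  const device = new Authenticator('4921');
  const rp = new RelyingParty('login.example.com');
  rp.register('alice', device.publicKeyPem);
  const assertion = device.getAssertion('login.example.com', rp.newChallenge('alice'), '4921');
  const first = rp.verify('alice', assertion);
  const replay = rp.verify('alice', assertion);
  const otherSite = device.getAssertion('login.example.net', rp.newChallenge('alice'), '4921');
  return { first, replay, wrongSite: rp.verify('alice', otherSite), fields: Object.keys(assertion) };
}
```

The assertion that crosses the network carries only `authData` and `signature`; an assertion produced for a different site name, or one submitted a second time, is rejected by the server.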
4. What Are the Benefits of Passwordless Authentication?
There are three distinct benefits: "Risk Reduction," "Cost Savings," and "The Best User Experience."
First is risk reduction.
Password theft stops working as a method of fraud, and biometrics make identity verification more stringent, which reduces risk.
Second is cost savings.
For organizations, consider how much time users and administrators spend on tasks like "remembering passwords," "making passwords complex," "constantly changing passwords," and "setting new passwords due to forgotten ones." By simply going passwordless, human effort can be reduced, and the elimination of leakage risks means avoiding massive financial losses.
Third is the best user experience.
"I've saved my password in my regular browser, so I can't remember it when trying to access the service from another PC or smartphone."
"Because password rules vary by service (character type, length), I quickly forget which password I set for which service."
"I set a different password for a regular change, but I can't recall it."
With passwords being so common now, haven't users encountered such situations at least once? To make matters worse, many have experienced the frustration of repeated incorrect attempts leading to account lockouts, requiring complicated application procedures for password resets, and then waiting for support. By eliminating passwords, users no longer suffer from them, and authentication becomes effortless with simple biometric methods replacing passwords, offering the best user experience.
5. Can SSO Increase the Benefits Even More?
Single Sign-On (SSO) can further enhance convenience and strengthen security. When users log in with SSO, they can access multiple services requiring authentication without going through repeated identity verification processes. This means a significant improvement in convenience, as one login connects them to all services.
Additionally, access to services can be restricted by IP address or device, limiting the usage environment. This allows for identity verification under more restricted conditions, thereby strengthening security.
In short, combining a FIDO2-compatible authentication device with a FIDO2-compatible SSO service ensures consistent security, from identity verification to accessing services.
That service is CloudGate UNO, a FIDO2-compatible, cloud-based passwordless authentication service originating from Japan.
If you sign on to CloudGate UNO with a FIDO2-compatible authentication device, you can connect to integrated cloud services with a single login. And even if the integrated cloud services are not FIDO2-compatible, their security can be ensured, and passwordless authentication can still be performed.

"Passwords," which we've used as a matter of course until now.
How do you feel after re-examining the problems passwords pose and the benefits of going passwordless? The passwordless mechanism, which not only solves password-related issues but also simultaneously improves convenience and strengthens security, will likely become even more widespread in the future.
Even so, many might think, "I understand, but it's hard to stop using passwords immediately after decades of reliance..." or "I don't even know how many services support passwordless, so it's still difficult to stop using them..."
However, if problems occur, not just for personal use but also for businesses, it can jeopardize business operations and ultimately threaten your livelihood.