What is Passwordless MFA?
What is Passwordless MFA?
Passwordless means exactly what it sounds like. It’s a radical shift away from using highly hackable character-comprised keys to grant access to privileged resources. Passwordless solutions propose using a myriad of more secure factors to bypass using passwords and the massive security dilemma they present.
How Does Passwordless Multi Factor Authentication (MFA) work?
Factors are typically categorized as one of the following: something you know (passwords), something you have (tokens, phone, FOB), or something you are (biometrics). Traditional authentication takes a look at one factor to verify your identity- this is usually something you know, represented digitally: a password. However, the digital nature of the knowledge makes it incredibly easy to copy and/or steal. To circumvent this problem, multi-factor authentication (MFA) uses two or more unique factors to verify your identity. This can be your username-password in combination with any other number of factors (your fingerprint, a security question, a code). It can also critically be done with multiple factors that do not include a password while retaining MFA’s function and advantages. Acceptto’s Continuous Behavioral Authentication platform utilizes context and behavioral modeling to deliver a risk-based step-up authentication. By using a model of your digital behavior, we pioneer a frictionless authentication method dubbed “biobehavior” that serves as a “something you are” factor. This biobehavioral authentication in conjunction with our wide range of “something you have” options (SMS, TOTPs, email, QR codes, Push, security keys, and more) makes our passwordless authentication frictionless and highly secure.
Why Passwordless MFA is different than traditional MFA
Passwordless MFA does not require the use of passwords and relies on other more secure forms of authentication such as biometrics, location, IP address, push notifications or verification code (SMS, TOTP, email, etc.).
Is Passwordless Authentication safe?
Yes, passwordless is a more secure solution than traditional MFA authentication. Passwordless solutions use authentication factors that are more difficult for threat actors to steal, such as biometrics (fingerprint), security keys, TOTPs (SMS, QR, e-mail), protected PUSH notifications, passwords/PINs, and FIDO authenticators.
Why passwords are becoming obsolete
Passwords are susceptible to brute force attacks, theft, and hacking, making them a very large security risk. Even the most modern, complicated passwords with special characters and numbers present an easy target for threat actors trying to get in. Passwords are easily obtained through phishing attempts, and users frequently use the same password for multiple applications and logins, meaning that one breach puts all the other accounts at risk too. Users are frustrated with passwords and the management of them. We remove this target by eliminating passwords, period.
Why your Employees Hate Using passwords
Passwords are highly frustrating for most of your employees. Remembering passwords and frequent needs for resetting passwords become a great frustration. With a growing requirement for longer, stronger passwords and more frequent resets, the frustration only continues to increase.
How Passwordless MFA overcomes traditional MFA security risks
Passwordless MFA tackles the security risks of traditional MFA by eliminating passwords and the vulnerabilities associated with them such as:
- Credential stuffing: The attacker loads a database of compromised credentials and replays them against the target system in the hopes that one of the credentials in the database matches a legitimate user.
- Password spraying: The attacker replays a list of commonly used passwords in the hope that one of them is being used by a legitimate user. It is estimated that 16% of the password attacks are performed using password spraying, states SentinelOne.
- Brute force attacks: The attacker obtains an encrypted blob that contains credentials of interest (such as the SAM database) then it can use a computer rig to crack through the database until the passwords are revealed.
- Shoulder surfing: Attackers steal personal information or confidential information by peering over the target's shoulders. By its nature, it’s mostly used by insider threat actors.
- Copying Passwords: The attacker copies improperly stored passwords from physical media such as Post-its and password books.
- Phishing: The attacker impersonates a trusted contact and encourages users to click on links that are then used to exfiltrate passwords using an exploit kit. Alternatively, the attacker encourages the user to download a document that contains malware, which is then used to exfiltrate the credentials. See this very comprehensive example here. Both methods of phishing are responsible for 70% of the attacks against passwords, as stated in the Verizon Data Breach Investigations Report.
- Application vulnerabilities: The attacker detects and exploits lags in system and application patches, injecting malware to exfiltrate the credentials.
- Bribe: The attacker pays an insider to either obtain credentials on their behalf or perform malicious actions that allow the attacker to bypass corporate security.
- Negligence: This is a type of insider threat that isn’t willfully malicious. System misconfiguration or unprotected storage and credentials uploaded to code repositories are just some examples of negligence.
- Extortion: The attacker has the possession of, or pretends to have, the possession of materials of a compromising nature, such as explicit photos, and uses that as leverage to obtain access to further information and/or obtain valid credentials.
Why are security leaders embracing passwordless authentication?
Security leaders are well aware of the risks associated with traditional use of passwords and traditional MFA. Passwordless is the future of authentication as a result of its superior security. It is a cost-saving solution by eliminating the management of passwords and IT tickets for password resets. Passwordless also creates less friction with users when accessing applications and systems, which in turn creates more efficiency.
Reasons You Should Go Passwordless
Safer environment. With no passwords, attackers have reduced options to attack an organization’s environment. Reduced operational costs. By removing the need to do password resets, help desk costs significantly decrease, resulting in a net savings for the enterprise. The best user experience imaginable. With no passwords, users will authenticate effortlessly. Not only do users get to focus on real work and save time, it’s actually more secure.
How to implement Passwordless authentication
Replacing passwords with a highly secure and frictionless alternative starts with exploring passwordless authentication. Passwordless authentication is a form of multi-factor authentication (MFA) that replaces passwords with verification factors. These factors are derived from contextual, behavioral factors and often include a secured and encrypted component that is stored on a user’s device, such as a cryptographic key, a biometric template (fingerprint, facial recognition), a device pin, and so on. To see how to implement our MFA solution, which provides a passwordless option, check out our solutions page and MFA eBook.