Passwordless Security Guide

What is Passwordless authentication?

Passwordless authentication is an authentication method in which a person can log into a computer system or an online service without being required to enter a password or knowledge-based secret. Going further, modern methods described as  "true passwordless" authentication involve the use of a cryptographic key pair to authenticate a user.

With passwordless authentication, a person uses their smartphone, hardware token, or computer instead of a password to access local and online services. In either case, their personal device is used in concert with public-key cryptography (PKC) to enable secure authentication to the system. Most passwordless login methods combine some form of multi-factor authentication (MFA) into the system. 

Here is an example of a user authentication flow without passwords:

What are the benefits of Passwordless Security?

Passwordless has a measurable impact on an enterprise's security, IT and business departments. Benefits include the elimination of password reset costs, reduction of account takeover fraud, and increase in user productivity. Check out our passwordless case studies to learn more about how enterprises have benefited from password elimination.

Eliminating Password Reuse, Phishing and Credential Reuse Attacks
Phishing and credential stuffing attacks exploit passwords and their reuse. Instead of typing in passwords, passwordless is far more secure yet it enables your workforce with lightning-fast authentication that's up to 300% faster than password-based login.

Reduction of Password Reset Costs
Businesses save thousands of hours in helpdesk and service costs caused by password fatigue and the frustration that comes with long, complex passwords.

Enhanced User Experience Across Consumers and Employees
Usability drives adoption. Passwordless provides a fast and easy UX that’s designed for everyone. With True Passwordless Security you can create a pleasant experience that prevents cart and checkout abandonment. It also frees up time and resources for your customer support team to focus on providing stellar service instead of password resets.

Reduction of Customer Account Takeover (ATO) Fraud by up to 99%
Customers habitually reuse passwords across services. This poses a widespread security risk because credential harvesting has a domino effect that impacts organizations worldwide. By eliminating passwords, you protect your customers against large-scale credential reuse attacks.

Increased Workforce Productivity
The modern day employee wastes an average of 24 hours per year logging into workstations. Businesses improve workforce productivity by shaving down valuable time wasted on legacy MFA apps and typing in long, complex passwords.

What are examples of Passwordless authentication?

Examples of passwordless authentication range across consumer, employee, and government use cases. Popular Business-to-Consumer (B2C) use cases include mobile payments, banking, insurance, and healthcare applications.

In the workplace, the dominant examples of passwordless security are single-sign on (SSO), remote access and workstation login. Passwordless IAM has also been deployed at scale across the enterprise.

Is passwordless authentication safe?

Yes,  "True Passwordless" authentication — where there is no password or other shared secret between the person and the service —  is widely considered far more secure than password-based authentication. Recent technology advances have enabled businesses to move away from password-based authentication methods, and industry leaders such as Google have proclaimed the end of passwords and are driving open standards forward to increase adoption.

What is the FIDO standard?

The FIDO standard applies to the open authentication standards of the Fast Identity Online (FIDO) Alliance, an industry consortium of technology leaders who have assembled to make online access secure and seamless by eliminating passwords and other shared secrets. The FIDO standards have been used to enable Strong Authentication in mobile, web, and desktop applications.

FIDO standards include the UAF, U2F, and FIDO2 WebAuthn standards, and are deployed at scale across a variety of consumer and enterprise use cases. Explore the FIDO Authentication Guide to learn more about how FIDO standards are being used for consumer and workforce environments.

How does FIDO work?

FIDO authentication works by replacing shared secrets between the service and the person, replacing these untrustworthy legacy relationships with public-key cryptography (PKC). To do this FIDO leverages the use of "authenticators" such as hardware tokens or smartphones to enable passwordless access into other devices and services, or what FIDO refers to as a "relying party." According to the FIDO Alliance website,

"The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button."

Example of a FIDO Authentication Flow:

What is FIDO2?

FIDO2 is the latest open authentication standard championed by the Fast Identity Online (FIDO) Alliance. FIDO2 enables users to more easily authenticate to online services, mobile and desktop applications, and a variety of enterprise use cases — without the use of passwords. The FIDO2 specification has been adopted by the World Wide Web Consortium’s (W3C) as the Web Authentication (WebAuthn) specification, as well as the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

In many ways, FIDO2 is the technical foundation upon which service providers build passwordless authentication experiences.  FIDO2-based solutions deliver passwordless authentication by leveraging embedded or roaming devices and their authenticators. These communicate with supported web browsers and applications over different communications protocols for secure, quick access.

What is WebAuthn?

Web Authentication, or WebAuthn, is a component of FIDO2, a leading open standard for passwordless authentication. The standard has been adopted by the World Wide Web Consortium’s (W3C) as the dominant method for passwordless web-based login. WebAuthn provides a uniform standard for secure, passwordless access to web-based applications, allowing a supported web application to communicate with a person's web browser, smartphone, or platform authenticator to grant access securely and quickly.

What is the FIDO Alliance?

The Fast Identity Online (FIDO) Alliance is an industry consortium of technology leaders who have assembled to make online access secure and seamless by eliminating passwords and other shared secrets. The Alliance consists of board members such as Microsoft, Google, HYPR, and others who collaborate to develop and advance authentication standards that help reduce the use of password-based authentication.

What is FIDO Certification?

FIDO Certified products are software solutions that have undergone rigorous testing around security, usability, and scalability. Certification by the FIDO standards body, or lack thereof, speaks to a solution's enterprise readiness and deployability. While all FIDO Certified products adhere to similar standards, the solutions vary in speed, usability, and accessibility. Read the FIDO guide to learn more about comparing FIDO products.

Do FIDO-Certified and FIDO-Supported products differ? How?

The official term is “FIDO-Certified.” Be cautious of vendors who advertise Passwordless authentication by claiming to be “FIDO-Compliant” or that they “Support FIDO.” Using such compliance badges as a marketing gimmick is an old yet effective tactic. People should ask vendors if both their mobile client and validation server are FIDO-Certified, and can verify their claims with the FIDO Alliance’s online registry of Certified technologies.

There are many great features that will make a strong passwordless solution stand out among a vast number of peer products. Download the FIDO Buyer's Guide to better understand the differences among FIDO products by using HYPR as a benchmark of features, functionality, and form-factor.