What is passwordless?
In common parlance, “passwordless” is short for “passwordless authentication.”
The information that users can provide for authentication can be mainly categorized into three types:
- Something the user knows, such as passwords, password recovery questions and answers (often questions and answers are based on personal past experiences).
- Something the user has, such as a mobile phone, one-time password (OTP), or hardware token.
- Something the user is, such as fingerprints, face recognition, and other biometric identifiers.
Passwordless authentication is an authentication method that allows users to sign in to computer systems without entering (or remembering) a password or any other knowledge-based secret. In the most common implementations, users need to enter their user identifier (username, email address, phone number, etc.) and then complete the authentication process by providing secure proof of identity through other means.
Why use passwordless authentication?
While the use of passwords is gradually decreasing, they are still widely used worldwide. The main reason is that password-based systems are the easiest and cheapest to implement.
Furthermore, passwords are the primary cause of data breaches. To make them easier to remember, many people use fixed patterns in their passwords, such as birthdays or, for purely numeric passwords, digit sequences that trace a pattern on the keypad. This makes cracking passwords much easier. In reality, many people unknowingly use the same password across multiple platforms, further increasing the risk of password compromise.
Last but not least, passwords are a hassle for users: they are difficult to remember and cumbersome to manage. To avoid using a unified password across all scenarios, users need dedicated tools to record various passwords. Additionally, since passwords are used in different places, they may need to be constantly looked up. This poses significant inconvenience to password use.
On the other hand, passwordless technologies like biometrics or OTP are highly convenient and user-friendly. Ideally, users could instantly authenticate with their biometrics anytime, anywhere. In today’s world where mobile phones are indispensable, all verification related to “something the user has” can usually be done through the phone.
What’s the difference between passwordless authentication and multi-factor authentication (MFA)?
Passwordless authentication and multi-factor authentication (MFA) are sometimes mentioned in similar contexts. Therefore, it is necessary to define these two terms separately and understand the difference between them:
- Passwordless authentication replaces password-based authentication with other factors.
- MFA refers to using two or more authentication factors to verify a user’s identity.
“Factors” here are precisely the three types of authentication information we mentioned earlier. For example, if a user authenticates using only an email address + OTP, that is a single factor in the “something the user has” category, and we can consider the user’s authentication to be passwordless.
Common MFA implementations include using a second (passwordless) authentication factor to enhance a password, but MFA can also be completely passwordless. For example, an application could use a fingerprint as the first authentication factor and email address + OTP as the second authentication factor.
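To make the flow described above concrete (identifier first, then proof of possession via a code delivered out of band), here is an added example written for this page, not code from any product it describes. It implements a single "something the user has" factor as an email or SMS OTP service: the identifier, the delivery callback, the six-digit code length, the five-minute lifetime and the five-attempt limit are all assumptions chosen for illustration. The code is stored only as a salted hash, is single use, expires, and is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed parameters for this example (assumptions, not values from the page).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingOtp:
    """One outstanding code for a user identifier, kept only as a salted hash."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0


class PasswordlessOtpService:
    """Passwordless OTP flow: the user gives an identifier, then proves possession
    of the delivery channel (email/phone) by returning the code sent to it.

    `send` is a hypothetical delivery callback (email or SMS gateway) injected so
    the flow runs offline; `clock` is injectable so expiry can be exercised.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending = {}

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, identifier: str) -> None:
        """Step 1: generate a code and deliver it out of band; store only its hash."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        # A leaked pending-OTP table must not reveal live codes, hence the salted hash.
        self._pending[identifier] = PendingOtp(
            salt, self._hash(salt, code), self._clock() + OTP_TTL_SECONDS
        )
        self._send(identifier, code)

    def verify(self, identifier: str, code: str) -> bool:
        """Step 2: proof of possession. Time-limited, attempt-limited, single use."""
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[identifier]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            # Too many guesses: discard the code so it cannot be brute-forced.
            del self._pending[identifier]
            return False
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(self._hash(entry.salt, code), entry.digest):
            del self._pending[identifier]  # codes are single use
            return True
        return False


def demo() -> dict:
    """Runs the flow against an in-memory outbox and a fake clock (constructed data)."""
    outbox = {}
    now = [1_000_000.0]
    svc = PasswordlessOtpService(
        send=lambda ident, code: outbox.__setitem__(ident, code),
        clock=lambda: now[0],
    )
    user = "alice@example.com"  # constructed identifier

    svc.issue(user)
    code = outbox[user]
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_code": svc.verify(user, wrong),
        "right_code": svc.verify(user, code),
        "replay": svc.verify(user, code),
    }

    svc.issue(user)
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify(user, outbox[user])

    svc.issue(user)
    code = outbox[user]
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, wrong)
    results["locked_out"] = svc.verify(user, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The same service can be used as the second factor of an MFA flow: the application first accepts, say, a biometric assertion, then calls `issue` and `verify` for the email + OTP step, so both factors are passwordless.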
What’s the difference between passwordless and SSO?
Based on the previous definition of passwordless, SSO is one type of passwordless method: the user has (owns) an account with the SSO provider.
In addition, SSO provider accounts generally have a high level of security. Besides a username and password, most providers require MFA so that the user retains full control of the account. That MFA often uses passwordless factors, including but not limited to passkeys, OTPs, and fingerprints.