Nmedia - Fotolia
Passwords can be a pain -- especially when they're not implemented properly and users are not adequately train...
Traditional password methods expose user devices to phishing attempts and related attacks. Passwordless authentication for mobile devices attempts to eliminate the complexities and hassles associated with traditional passwords.
What is passwordless authentication?
When users log in to a portal that uses passwordless authentication, they receive a one-time authentication code via a text message, mobile app notification or email. This code takes the place of a standard password and enables users to log in to the application automatically. IT can use passwordless authentication for applications, mobile web apps or mobile site portals, but it can also work for connecting to Wi-Fi or a mobile VPN.
Newer offerings from vendors such as Yubico provide a hybrid approach to mobile passwordless authentication. Yubico relies on its YubiKey security token -- a small piece of hardware that provides a layer of authentication -- to authenticate users for mobile web browsers or app portals. Security keys can function as a single factor or as part of a multifactor authentication approach.
Amazon, Cisco and Microsoft offer passwordless authentication in some capacity, but there are lesser-known vendors in the market as well, such as Auth0 and Hypr. Auth0 enables text messages and email notifications as authentication methods. Microsoft's Authenticator app for Apple iOS and Google Android enables users to approve logins to other Microsoft apps with a mobile push notification.
When should IT deploy passwordless authentication?
Passwordless authentication provides value to IT because it keeps mobile users from making poor security decisions. Password-based authentication opens the door for numerous user errors that negatively affect an organization's security. Under password-based authentication, users can set and use short or easily guessed passwords, comingle personal and business passwords, or reuse the same password across multiple applications and systems. With passwordless authentication, organizations can avoid all of these vulnerabilities.
Passwordless authentication for mobile devices isn't automatically secure, however, and its security depends on its implementation. There are certain threat scenarios in which attackers could exploit passwordless authentication, such as when they have access to the user's mobile device or email account. Still, passwordless authentication is more secure than what most organizations have in place: taking the path of least resistance with weak passwords, shared passwords and more.
Passwordless authentication provides both convenience and added security, especially for larger organizations that have trouble keeping track of mobile users' login information. This authentication method simplifies an end-user task that can be frustrating.
IT professionals looking to implement passwordless authentication should do their due diligence, develop requirements and goals for the technology and then perform a proof of concept with a vendor or two to see how the technology works. If an organization implements it correctly, passwordless authentication is a secure means for addressing the login challenges that users and IT face daily.