Passwordless login
Worried about leaked credentials? Steve Cassidy explains how to shut down the risk by ditching passwords entirely
Logging in without a password? That doesn’t sound very secure.
On the contrary – done properly, it’s more secure than a traditional username and password combo. The idea is, rather than relying on a phrase that could be typed in by anyone, you use something that’s physically tied to you. That might be a biometric identifier – such as your fingerprint or the shape of your face – a physical device such as a USB key, or an app running on your mobile phone, which is itself secured with biometrics.
Is this really necessary? We already have a strict policy that enforces strong passwords.
The idea that passwords must be of a certain length and complexity dates from an age when hackers would try to brute-force their way into systems by guessing all possible character combinations. Nowadays, most passwords are obtained by phishing attacks, or by stealing a database of credentials from poorly protected service A and then trying them all on service B, to see if any have been reused. You can reduce the risk by insisting on unique passwords that change regularly, but users tend to hate that: they’ll be happier, and you’ll be safer, if you switch to an approach that skips the password altogether.
That sounds good in theory, but how would we go about implementing it?
In most cases you don’t implement it yourself – this is the sort of thing that’s best done at the level of the OS or service framework. For bespoke application stacks there are plenty of third-party security providers who can help out, while Windows 10 and 11 already support biometric logins, and Microsoft Azure AD lets you allow users to sign in to online services with the Authenticator app instead of a password. The Google app suite can similarly bring up a notification on any signed-in Android or iOS device that lets users confirm their identity without typing in a password.
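To make concrete what “something physically tied to you” means, here is an added illustration that is not part of the article and not any vendor’s code: a deliberately simplified model of how a hardware key or phone authenticator logs you in. The server stores only a public key per user and hands out a fresh random challenge for each login; the device signs the challenge with a private key that never leaves it. The names (Device, Server, “example.test”, “alice”) are all made up for the example, and the site-name binding that a browser performs for a real security key is modelled here by the device signing the site name it believes it is talking to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for a USB key or a phone authenticator (hypothetical).
// The private key is generated on the device and is never sent anywhere,
// so there is no secret for a leaked database or a phishing page to capture.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Sign answers a login challenge. The site name is mixed into the signed
// message so a signature produced for one site is useless at another.
func (d *Device) Sign(site string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(site+"|"), challenge...))
}

// Server holds public keys only; a copy of its user table gives an attacker
// nothing to try on other services, unlike a table of password hashes.
type Server struct {
	name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // username -> outstanding single-use challenge
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues 32 fresh random bytes; a new value every login is what
// makes a captured signature worthless a second time.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature against the one outstanding challenge and
// consumes it, so each challenge can be answered at most once.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.users[user], append([]byte(s.name+"|"), c...), sig)
}

// DemoResult records whether each login attempt in RunDemo was accepted.
type DemoResult struct{ Genuine, Replay, OtherDevice, LookAlikeSite bool }

// RunDemo walks through one genuine login and three failure cases.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	srv := NewServer("example.test")
	dev, err := NewDevice()
	if err != nil {
		return r, err
	}
	srv.Register("alice", dev.pub)

	// 1. Genuine login: alice's own device signs a fresh challenge.
	c, err := srv.Challenge("alice")
	if err != nil {
		return r, err
	}
	sig := dev.Sign(srv.name, c)
	r.Genuine = srv.Verify("alice", sig)

	// 2. Replay: the same signature presented again finds no open challenge.
	r.Replay = srv.Verify("alice", sig)

	// 3. Other device: the username is public, but a different key signs.
	other, err := NewDevice()
	if err != nil {
		return r, err
	}
	c, _ = srv.Challenge("alice")
	r.OtherDevice = srv.Verify("alice", other.Sign(srv.name, c))

	// 4. Look-alike site: the device signs for the name it sees ("examp1e.test"),
	// so a relayed challenge does not produce a signature the real site accepts.
	c, _ = srv.Challenge("alice")
	r.LookAlikeSite = srv.Verify("alice", dev.Sign("examp1e.test", c))
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v replay=%v otherDevice=%v lookAlikeSite=%v\n",
		r.Genuine, r.Replay, r.OtherDevice, r.LookAlikeSite)
}
```

Only the first attempt succeeds. Contrast this with a password: a phrase captured once by a phishing page or lifted from another service’s database works everywhere it is reused, whereas here the server never holds a secret worth stealing and every login is bound to a fresh challenge and to the site that issued it.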
Is this the same thing as the single sign-on fad of a few years ago?
The motivation isn’t dissimilar. SSO became popular when big companies realised that their standard Windows XP build included 93 applications that each handled their own identity and password management. Not only was this a recipe for confusion, it meant there were 93 potential vulnerabilities to worry about. Using a centralised passwordless login platform can help there, but there’s nothing inherent to a passwordless architecture that actually requires SSO. The goal isn’t to minimise the number of different authentication systems you’re dealing with, but to reduce reliance on the most vulnerable methods.
This sounds like a ploy to get us to invest in biometric sensors...
A robust passwordless system should offer a variety of different ways of authenticating – so you can log in with a face scan or a fingerprint while you’re in the office, but when all you have is a patchy mobile signal in the middle of nowhere, you can receive a login code via SMS. This can save you money by reducing support calls from users who can’t get into their accounts – and for what it’s worth, a little fingerprint reader puck ought not to set you back much over £30.
What about customer accounts – should those be passwordless too?
That might not be your decision to make, at least not entirely. If you’re a small business wanting the advantages of shopping baskets, credit card processing and all the rest of the online commerce experience, your bank will want your customers to fit in with its own policies. That’s not a huge problem, though: look after your own customer accounts and let the bank worry about the rest. And in time, customer-side shopping interfaces will adopt the latest and safest technology.