Return on Security
Category Report: Passwordless Authentication
Unlocking the future, one login at a time. Embracing passwordless authentication has become increasingly essential as it revolutionizes how we secure our digital identities. Dive into the world of passwordless authentication and explore how it's reshaping digital protection.
Terms You Might Hear
Customer Identity and Access Management (CIAM)
Enterprise Identity and Access Management (IAM)
Client to Authenticator Protocol (CTAP)
FIDO (Fast Identity Online) Alliance
Multi-Factor Authentication (MFA)
Single Sign-On (SSO)
Time-based One-Time Password (TOTP)
Two-Factor Authentication (2FA)
World Wide Web Consortium (W3C)
Identity and Access Management (IAM)
Identity Governance and Administration (IGA)
Privileged Access Management (PAM)
Types of Passwordless Authentication Deployments
Customer Identity and Access Management (CIAM) - CIAM focuses on managing customer identities for access to customer-facing applications and services.
Enterprise Identity and Access Management (IAM) - Enterprise IAM focuses on managing employee identities for access to internal resources.
(These deployments are typically done on separate platforms for resiliency.)
Methods of Passwordless Authentication
Passwordless authentication can use one or more of these methods:
Biometric - FaceID, TouchID, fingerprint scans, or other forms of "something you are"
Email - one-time use of "magic links" sent via email to authenticate without a password
Social Login - Using social media accounts (e.g., Twitter, Facebook) or ecosystem platforms (e.g., Apple, Google)
Hardware-based - Using a physical key or token over Bluetooth or NFC to authenticate (e.g., YubiKeys)
Different types of YubiKeys
Who says you have to stop at these methods? Why not also make it a fashion statement?
Passwordless authentication, but make it fashion
— Mike Privette (@mikepsecuritee)
Jun 30, 2022
Why It Matters
Passwordless authentication removes the reliance on easily compromised passwords and improves user experience.
Traditional passwords are vulnerable to phishing, brute force attacks, and credential stuffing.
More people have more online accounts than ever before. Too many accounts can lead to password reuse and single points of failure.
Password managers have helped tremendously with password hygiene but still have user adoption problems.
Enter the Passwordless Authentication product market space.
"Passwordless" shifts the concept of a password - it goes from something you know (the password itself) to something you are (biometrics), combined with something you have (a specific device). Passwordless authentication offers a more secure alternative to traditional passwords for verifying identities.
Authentication and authorization still happen, just in a different context and on a different plane abstracted away from the user. Each player in the industry does this slightly differently, which is not ideal.
Passwordless authentication combines biometrics, device possession, and other factors to authenticate users without typing in a password.
A few of the players in this space include:
If you want to see the full list of players in this space that I keep track of, check out this Airtable view.
This is not always an exhaustive list. If I'm missing a company that purely focuses on this category, please let me know!
💡 I tried to keep this post to the companies doing only passwordless as their primary business as opposed to a feature or product from a bigger company like Microsoft, Okta, etc.
Platform giants will drive the most adoption. Given the nature of how passwordless authentication works, Apple, Google, and Microsoft will do more for passwordless authentication adoption and drive the industry forward than any security vendor.
Convergence and assimilation. "Passwordless" will become as ubiquitous as the username and password did and squeeze the product category out of existence. Passwordless vendors will all be acquired or out of existence in 5-10 years. Passwordless authentication will just become "the way" you authenticate in the future.
Privileged Access Passwordless Authentication (PAPA). Passwordless will move further into enterprises for higher-risk authentication functions. Look for integrations into privileged access management applications and workflows. Make sure you really know who that admin is when they escalate privileges. (P.S. I just made this acronym up, so you heard it here first! Feel free to use it and let me know if you do.)
Make passwordless authentication a core piece of zero trust. Zero trust for employees and customers. Leverage passwordless authentication deployments to drive multi-factor authentication (MFA) adoption.
Private and compliant. Lead with user privacy in mind for passwordless authentication deployments with the growing number of state and federal privacy regulations. Earn users' trust and keep regulators off your back.
Companies want to be secure, but they buy for compliance.
Standardize to win. The easier, more standardized, and more plug-and-play the solution is, the easier it will be to adopt for companies and end users alike. Users want a seamless experience (interoperability), and companies want an easy-to-implement and manage solution (supportability).
Aggregated trust. Passwordless authentication relies on third-party services for identity verification. This incentivizes authentication aggregation, which is great for a user experience, but could create a riskier position overall for individuals. The fewer places you use to authenticate, the more devastating a compromise can become. Just look at what is happening with password managers.
Passwordless, meet Web3. The push to decentralized, permissionless, and zero-knowledge identities and transactions with Web3 and the convergence of third-party trusted identity authentication sources will collide. Web3's decentralized identity stores can create a more privacy-focused authentication source for passwordless applications. (As for the smart contract you agree to after identity verification or the exchange you connect to, that's a different challenge to solve...)
Hard but worth it. Passwordless adoption is a game-changer. Integrating passwordless authentication can be challenging, but the rewards of enhanced security and improved user experience can outweigh the effort.
It's not all or nothing. Not every customer-facing application or internal workflow may be worth the overhead. Look at your authentication pain points, support ticket volume, and customer or internal users' appetite for change.
Working together. Passwordless authentication is to logins as multi-factor authentication (MFA) is to account security. They are complementary technologies that, when combined, can make a powerful force. CISA recommends moving to phishing-resistant MFA, and passwordless authentication helps with that.
Enhance digital transformation. Passwordless authentication can bridge a user experience gap for both end-users and security teams.
You need a strong foundation first. Companies with legacy authentication systems could benefit from going to passwordless authentication, but it's probably not the best place to start improving your overall security program. This is an advanced authentication deployment.
What makes one of these platforms “good?”
Results may vary here. There is so much nuance and so many different interpretations of what "passwordless" means, and it is solved in different ways by different players. Take extra care to do due diligence in this space.
Look for solutions that can combine passwordless authentication, device authentication, and risk-based authentication.
Look for solutions with broad industry-standard support like WebAuthn and FIDO2. This follows CISA recommendations and is the most phishing-resistant option.
Look for solutions with flexible and adaptable options that can accommodate various authentication methods (i.e., biometrics, security keys, etc.).
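As an added illustration that is not part of this report, the Go sketch below shows why WebAuthn/FIDO2 is the phishing-resistant option the list above points to: the relying party verifies a signature over authenticatorData and clientDataJSON, and the browser (not the user) writes the origin it is actually on into clientDataJSON, so the same credential exercised from a look-alike site fails verification. It follows the WebAuthn structures but omits attestation, CBOR/COSE encoding and sign-count tracking; the key, origins and challenge are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// signedMessage is what a FIDO2 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// verifyAssertion is the relying-party check: challenge, origin and rpIdHash are all under the signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, clientJSON, sig []byte) error {
	var cd map[string]string
	_ = json.Unmarshal(clientJSON, &cd) // malformed JSON leaves cd empty and fails the checks below
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return errors.New("type or challenge mismatch (stale or replayed assertion)")
	}
	if cd["origin"] != origin { // the browser wrote the origin it was really on; no user judgement involved
		return errors.New("origin mismatch (phishing site)")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || !ecdsa.VerifyASN1(pub, signedMessage(authData, clientJSON), sig) {
		return errors.New("rpIdHash or signature invalid")
	}
	return nil
}
// Scenario registers one constructed credential, then checks a genuine login and one made from a look-alike origin.
func Scenario() (genuine, phished error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin, challenge = "example.com", "https://example.com", "constructed-challenge-1"
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 7) // rpIdHash || flags (UP|UV) || signCount = 7
	sign := func(seenOrigin string) ([]byte, []byte) { // authenticator side, for the origin the browser reports
		cj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": seenOrigin})
		sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cj))
		return cj, sig
	}
	cj, sig := sign(origin)
	genuine = verifyAssertion(&key.PublicKey, rpID, origin, challenge, authData, cj, sig)
	cj, sig = sign("https://examp1e.com") // same key, same challenge, wrong origin
	phished = verifyAssertion(&key.PublicKey, rpID, origin, challenge, authData, cj, sig)
	return genuine, phished
}
```

Scenario() returns nil for the genuine login and an "origin mismatch" error for the look-alike one; a production relying party would additionally track the signCount per credential and verify attestation at registration.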
Thanks for reading this far!
This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.
If I missed something (or am just wrong), let me know!
At the time of writing this post, I have no active investments in any of the companies mentioned above.
If your company is looking to get more of a highlight, consider sponsoring.