We’ve said it before, and we’ll say it again: It’s time to get rid of passwords. In part one of our Unofficial Guide to Passwordless Authentication, we looked at the steps organizations should take to move away from using passwords while maintaining strong, multifactor authentication. However, there is a question that we left unanswered: What are the best passwordless factors, and in what situations do they provide the strongest balance between security and experience?
As a reminder, there are three types of authentication factors:
- Knowledge: Something the user knows
- Ownership: Something the user has
- Intrinsic: Something the user is
Each of these factors provides a variety of benefits and can be used for a wide range of applications – these are our assessments of some of the most popular passwordless options:
Push notification authentication leverages the push messaging channel built into iOS and Android. With this type of authentication, the user accepts or declines transactions, login requests, and other operations by tapping a button on a notification that pops up on their enrolled smartphone.
Advantages: Push offers a high level of security because the approval travels out of band, through an encrypted channel between the server and an enrolled device, and the notification can tell the user exactly what they are approving (which application, which transaction, from where).
Disadvantages: As with all ownership factors, the device can be lost or stolen, although a stolen device with a strong biometric or PIN lock is difficult to use for an attack. There is also a risk of users approving a request that is not theirs, whether by accident or because an attacker who can trigger login prompts floods them with notifications until one is accepted. Showing the request's context on the phone and requiring the user to type a number displayed on the originating screen (number matching) limits both.
Recommended use cases: Transaction and purchase confirmations; Step-up authentication for web-based transactions determined to be high risk.
Dynamically generated one-time passwords (OTPs) are an ownership factor: like push, a valid code can only be produced by someone with control of the enrolled device. Soft OTPs are sometimes mischaracterized as a knowledge factor, but the codes are generated by a designated app from a secret shared at enrollment plus the current time or a counter, and nothing is memorized. Other ways of delivering OTPs, such as email and SMS, are insecure and not recommended as a strong authentication factor.
Advantages: Soft OTPs use technology that is familiar to users and intuitive to learn, and they work offline for users without consistent data access.
Disadvantages: The user's device can be lost or stolen. Because the code is typed into the login form rather than bound to it, a phishing site can also capture the code and relay it within its validity window, so the server should keep that window short and accept each code only once.
Recommended use cases: Frictionless second-factor authentication for web-based logins; Cardless ATM transactions.
QR authentication uses the camera of the user's enrolled smartphone to scan a QR code displayed by the website, ATM, or terminal, confirming the login or payment out of band. Because each user is tied to a specifically enrolled and identified device, only that device can complete the authentication.
Advantages: Users are familiar and comfortable with scanning QR codes, and it is fast and convenient.
Disadvantages: Only applies to out-of-band authentication, where the code is shown on one screen and scanned with a second device; it does not help when the user is logging in from the phone itself. The displayed code must also be short-lived, single-use and bound to the session that requested it, and the phone should show the user what they are approving before they confirm.
Recommended use cases: Passwordless web authentication; Cardless ATM transactions; E-wallet payments.
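Push approval and QR scanning share the same server-side shape: a pending challenge bound to the waiting session, approved only by the one enrolled device, within a short lifetime and only once. The following added example (standard-library Python written for this page, not vendor code) implements that for both the push and the QR passages above. It assumes a per-device symmetric key shared at enrollment (real products more often use a device-held asymmetric key), a 60-second challenge lifetime, and the constructed device id, session id and transaction description shown in the usage; the two-digit match number is the push-fatigue mitigation mentioned above.

```python
"""Out-of-band approval for push and QR authentication (server side)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a pending challenge


@dataclass
class Challenge:
    challenge_id: str   # random, unguessable; goes into the QR payload or push message
    session_id: str     # the browser/ATM/terminal session waiting for approval
    device_id: str      # the one enrolled device allowed to approve it
    description: str    # what is being approved, shown to the user on the phone
    match_number: str   # two digits shown on the originating screen (number matching)
    issued_at: float
    consumed: bool = False


class OutOfBandAuthServer:
    def __init__(self) -> None:
        self.device_keys: Dict[str, bytes] = {}      # device_id -> key shared at enrollment
        self.pending: Dict[str, Challenge] = {}
        self.approved_sessions: Dict[str, str] = {}  # session_id -> approving device

    def enroll(self, device_id: str, key: bytes) -> None:
        self.device_keys[device_id] = key

    def start(self, session_id: str, device_id: str, description: str, now: float) -> Challenge:
        """Create a challenge for a waiting session. For QR, challenge_id is what the
        screen encodes; for push, it is what the notification carries. In both
        cases the originating screen also displays match_number to the user."""
        ch = Challenge(
            challenge_id=secrets.token_urlsafe(16),
            session_id=session_id,
            device_id=device_id,
            description=description,
            match_number=f"{secrets.randbelow(100):02d}",
            issued_at=now,
        )
        self.pending[ch.challenge_id] = ch
        return ch

    @staticmethod
    def device_approval(key: bytes, challenge_id: str, description: str, typed_number: str) -> str:
        """What the enrolled phone computes after the user reads the description,
        taps Approve and types the number shown on the originating screen."""
        msg = f"{challenge_id}\n{description}\n{typed_number}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def approve(self, challenge_id: str, device_id: str, approval: str, now: float) -> bool:
        ch = self.pending.get(challenge_id)
        if ch is None or ch.consumed:
            return False  # unknown, or already used once
        if now - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return False  # expired: a stale or relayed code cannot be approved later
        if device_id != ch.device_id or device_id not in self.device_keys:
            return False  # only the device this challenge was created for may answer
        expected = self.device_approval(
            self.device_keys[device_id], challenge_id, ch.description, ch.match_number)
        if not hmac.compare_digest(expected, approval):
            return False  # wrong key, tampered description, or wrong number typed
        ch.consumed = True
        # The approval unlocks the session that created the challenge, never a
        # session named by whoever presents the challenge id.
        self.approved_sessions[ch.session_id] = device_id
        return True

    def is_approved(self, session_id: str) -> bool:
        return session_id in self.approved_sessions


if __name__ == "__main__":
    srv = OutOfBandAuthServer()
    key = secrets.token_bytes(32)                       # constructed enrollment key
    srv.enroll("phone-1", key)
    ch = srv.start("browser-42", "phone-1", "Pay 120.00 EUR to Example Shop", now=1000.0)
    print("screen shows number", ch.match_number, "and QR/push id", ch.challenge_id)
    ok = srv.approve(ch.challenge_id, "phone-1",
                     OutOfBandAuthServer.device_approval(key, ch.challenge_id, ch.description,
                                                         ch.match_number), now=1005.0)
    print("approved:", ok, "session unlocked:", srv.is_approved("browser-42"))
```

The number matching only helps against prompts the user did not initiate: someone who is bombarded with push requests cannot see the number on the attacker's screen and so cannot approve them by reflex. It does not protect a user who scans a QR code relayed to them by an attacker, which is why the description shown on the phone and the short lifetime matter as much as the cryptography.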
Facial biometric authentication asks the user to take a selfie with their smartphone in order to validate their identity during a transaction or login. The selfie is compared with the reference captured when the user first registered their device.
Advantages: When implemented correctly, facial biometrics offer a high level of convenience and security, with nothing for the user to carry or remember.
Disadvantages: The application must include liveness detection to reject impersonation by fraudsters holding up printed photographs, screen replays, or videos, and external factors such as poor lighting can interfere with matching. Unlike a password, a leaked face template cannot be changed, so the stored reference data needs strong protection.
Recommended use cases: Step-up authentication for high-risk transactions; Frictionless mobile or web registration with new products for existing customers.
Similar to physical tokens, grid cards answer a challenge: the card carries a grid of characters, the server asks for the characters at a few randomly chosen coordinates, and the user reads them off the card. The card can be physical or digital. This legacy factor is not the cutting edge of authentication, but it can prove useful in certain situations and should not be dismissed.
Advantages: In markets where not every user has a smartphone or a data connection, grid cards offer a secure alternative.
Disadvantages: While most users do not go anywhere without their mobile phones, grid cards are easier to misplace, forget, or leave at home, and any physical hardware is expensive to distribute. Each answer also reveals part of the card, so a response that is phished or shoulder-surfed leaks the challenged cells.
Recommended use cases: Transaction and login authentication for small, controlled populations that do not or cannot use smartphones or the internet, for access or regulatory reasons.
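As an added example (standard-library Python written for this page, not vendor code), here is the grid-card challenge-response described above, with the two checks that follow from its disadvantages: each challenge draws cells the user has not been asked before, so a phished or shoulder-surfed answer cannot be replayed, and a run of wrong answers locks the verifier. The card layout (columns A to J, rows 1 to 5), the alphabet and the sample card are constructed for the example.

```python
"""Grid-card challenge-response (server side)."""
import hmac
import secrets
from typing import List, Optional, Sequence, Set

COLUMNS = "ABCDEFGHIJ"  # card columns A..J
ROWS = 5                 # card rows 1..5
# Characters printed on the card; 0/O and 1/I are left out so they cannot be misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CELLS_PER_CHALLENGE = 3


def make_grid() -> List[str]:
    """Generate a fresh card: one string per row, one character per column."""
    return ["".join(secrets.choice(ALPHABET) for _ in COLUMNS) for _ in range(ROWS)]


def cell(grid: Sequence[str], coord: str) -> str:
    """Look up the character at a coordinate such as 'C2' (column C, row 2)."""
    col = COLUMNS.index(coord[0].upper())
    row = int(coord[1:]) - 1
    return grid[row][col]


class GridCardVerifier:
    """Issues coordinate challenges for one user's card and checks the answers.

    Cells are burned as soon as they appear in a challenge, answered or not,
    so an observed answer reveals only those cells and is useless against a
    later challenge. When the card has too few fresh cells left it must be
    reissued.
    """

    def __init__(self, grid: Sequence[str], max_failures: int = 3) -> None:
        self.grid = grid
        self.max_failures = max_failures
        self.failures = 0
        self.used: Set[str] = set()
        self.pending: Optional[List[str]] = None

    def challenge(self) -> str:
        """Return a challenge like 'C2 H4 A1' drawn from cells not yet used."""
        available = [f"{c}{r}" for r in range(1, ROWS + 1) for c in COLUMNS
                     if f"{c}{r}" not in self.used]
        if len(available) < CELLS_PER_CHALLENGE:
            raise RuntimeError("grid card exhausted; issue the user a new card")
        picks = [available.pop(secrets.randbelow(len(available)))
                 for _ in range(CELLS_PER_CHALLENGE)]
        self.used.update(picks)
        self.pending = picks
        return " ".join(picks)

    def verify(self, answer: str) -> bool:
        """Check the answer to the outstanding challenge; one attempt per challenge."""
        if self.pending is None or self.failures >= self.max_failures:
            return False  # nothing outstanding, or too many failures already
        expected = "".join(cell(self.grid, c) for c in self.pending)
        self.pending = None
        ok = hmac.compare_digest(expected.encode(), answer.strip().upper().encode())
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    card = make_grid()
    for r, row in enumerate(card, start=1):
        print(r, " ".join(row))
    verifier = GridCardVerifier(card)
    ask = verifier.challenge()
    print("challenge:", ask, "-> answer:", "".join(cell(card, c) for c in ask.split()))
```

With 50 cells and three per challenge a card lasts 16 logins before it has to be reissued, which is one reason the page recommends this factor only for small, controlled populations.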
In part three of The Unofficial Guide to Passwordless Authentication series, we will dive into real-life examples of successful implementation of passwordless access. For more information on transitioning away from passwords, watch this webinar replay.