• Passwordless Authentication

    Passwordless authentication is a modern security approach that replaces traditional username and password logins, with more secure, user-friendly and phishing-resistant methods like biometrics, smart cards and hardware security keys.

    Back to GlossaryBack to Glossary

    Eliminating passwords – a common target for cyberattacks – significantly strengthens security while also simplifying the login process for users.

    This article will define the characteristics and benefits of passwordless authentication, illustrate why passwords are costly and problematic, and present reasons for why users and organizations alike should make the switch.

    What is passwordless authentication?

    Passwordless authentication is the use of more secure and convenient methods such as biometrics, smart cards or hardware security keys for login, instead of traditional passwords. These methods are effective because they leverage physical traits or introduce a possession factor in order to complete the authentication process. 

    The passwordless strategy enhances security because these factors cannot be easily compromised or subverted remotely, and it also improves the user experience by reducing friction, since users do not need to recall or constantly rotate complex strings of characters and numbers to remain secure.

    Why is passwordless more effective?

    Passwordless authentication has emerged to counter the systemic vulnerabilities of password-based systems, including weak credential hygiene, reuse, and susceptibility to phishing. Studies show that 45% of passwords can be cracked in under a minute, while users frequently create weak, reusable passwords across accounts, making them vulnerable to credential stuffing and phishing. Since 2023, cyberattacks have surged 75%, with the average breach now costing organizations $4.88 million.

    The fundamental vulnerability of passwords stems from its reliance on knowledge being the only factor to authenticate. If that factor is compromised, subverted or stolen, there are no other mechanisms in place to prevent unauthorized access. In fact, according to the 2023 Verizon Data Breach Investigations Report, over 66% of application attacks come from compromised passwords, and over 80% of data breaches involve compromised credentials. 

    Passwordless Authentication

    Even supplementing passwords with additional knowledge factors, such as an OTP sent via SMS, is problematic because sophisticated attackers can and have already gained access to the telecommunications network, leading federal agencies, including CISA and the FBI, to now explicitly warn against SMS authentication and recommend stronger passwordless alternatives.

    Multi-factor authentication (MFA) incorporating possession (such as a mobile device or hardware security key) or inherence factors (such as biometrics) to augment knowledge, was initially introduced to enhance security by layering, but has become redundant as modern security has continued to evolve. 

    While adding additional factors does improve security since attackers do need to overcome multiple hurdles, they often still involve some limited deployment of passwords and thus ultimately contain a weak link. True passwordless authentication on the other hand, eliminates the use of passwords entirely by relying solely on phishing-resistant credentials.

    The World Wide Web Consortium (W3C) published the web authentication (WebAuthn) standard under the guidance of the FIDO Alliance, which enabled websites to use public key cryptography to conduct passwordless authentication using secure hardware keys and cloud synced passkeys, in addition to other similar methods, such as biometrics.

    Widespread adoption of smartphones with integrated biometric capabilities has further contributed to the growth of secure, passwordless authentication, including the proliferation of authentication apps and notifications. A number of other factors have driven the adoption of strong authentication methods, including acceptance in verticals like tech, financial institutions, and healthcare providers, new mandates from both government regulations and industry standards, and user demand for a more convenient and secure experience.

    How does passwordless authentication work?

    There are a range of alternatives that can verify user identity without requiring a traditional password, although their specific mechanisms can vary. However, a basic description of how passwordless authentication works generally does include a few common steps:

    1. Registration and setup.
      During the initial account registration, the user nominates a unique identifier, such an email address, phone number or a username, as they normally would during a traditional sign-up process. However, the user must also nominate and configure their primary passwordless authentication method as well, such as biometrics, hardware security keys, or another method, such as creating a passkey on their mobile device.
    2. Authentication request.
      When the user attempts to subsequently log in, the system will initiate an authentication request, resulting in the user receiving a request on screen to present their nominated authentication method, or through another channel, such as their mobile device, if applicable.
    3. User response.
      Once the user receives the authentication request, they must interact with or approve it, but the process for how the user responds largely depends on the nominated authentication method.
    4. Authentication verification.
      After the system receives the user’s response, whether it’s a biometric scan, physical touch on a hardware security key, or accepting an app notification, it verifies that the response matches the expected response, derived from the original authentication request and potentially, relevant information created during registration.
    5. Access granted or denied.
      If the system is able to successfully verify the user’s response, it grants access to the account, otherwise, access is denied.

    How secure is passwordless authentication?

    True passwordless security is actually a much more secure method of verifying a user’s identity, particularly compared to traditional password-based systems. However, its true strength largely depends on specific implementation and chosen authentication methods. Here are some notes or factors that contribute to strong passwordless authentication:

    Biometrics. Biometric passwordless authentication security, such as fingerprint or facial recognition, is generally considered very secure, although may be prone to certain types of attacks, like spoofing using high-quality images or genetic likeness from family members. Regardless, the underlying logic typically relies on capturing a unique input that cannot be easily replicated by anyone beside the intended user.

    Hardware security keys. Hardware security keys that generate unique cryptographic material for authentication, offer a very high level of passwordless security and are extremely resistant to phishing, keylogging attacks, SIM swapping, credential stuffing, adversary-in-the-middle attacks, and brute force attacks. A YubiKey, for instance, stores its cryptographic information in a secure element, preventing phishing, cloning, or interception. Google has reported zero successful phishing attacks on employee accounts since making YubiKeys mandatory in 2017.

    Secure channel. Secure communication channels for authentication requests and responses are crucial. It is generally recommended to employ encryption and secure transmission protocols to protect data in transit even over trusted channels, although there are some proven methods to securely communicate over untrusted channels as well.

    User experience. Improved user experience and added convenience are among the main benefits of passwordless authentication, and powerful factors driving users to adopt it. This, in turn, enhances secure access because it reduces the likelihood of users resorting to insecure practices like password sharing or using weak passwords.

    Account recovery. Although these are generally poorly defined strategies across vendors, systems, and the wider community, reliable account recovery processes for when users lose access to their primary authentication methods remain important. If account recovery techniques offer a fallback to weaker mechanisms, especially those that can be easily exploited, attackers may be able to circumvent the stronger forms of authentication being implemented to protect the account, so it is paramount to register strong backup passwordless credentials and have policies in place to prevent this from occurring.

    Advantages of passwordless authentication

    Passwordless authentication has rapidly gained widespread adoption across industries, with thousands of organizations now trusting this technology to secure their digital assets. Major enterprises, including Microsoft, Google, and Netflix, have implemented passwordless solutions, noting significant improvements in their overall security posture. The shift away from passwords also provides a multitude of other benefits for both organizations and their users.

    Enhanced Security

    The primary advantage of passwordless authentication is its superior security model, which makes it far more resistant to the most common types of cyberattacks. By eliminating passwords, both users and organizations close a critical vulnerability, as there is no password to steal, key log or expose in a data breach. This fundamentally prevents attacks like credential stuffing, where attackers use leaked passwords from one service to compromise others. Passwordless methods are also inherently phishing-resistant because users are never prompted to enter a password and thus cannot reveal or accidentally leak it onto a fraudulent site. With stronger authentication methods in place, the risk of unauthorized access and account takeovers is significantly reduced, which is especially important for sensitive or high-value accounts. Passwordless authentication is also often combined with additional factors, such as a PIN or biometrics, to create an inherent multi-factor authentication system, making it even more robust.

    Improved User Experience

    For users, the shift to a passwordless model provides a faster, easier and more seamless experience. This leads to significantly higher user satisfaction and productivity. Users no longer need to remember complex passwords of a minimum length, containing a mix of upper- and lowercase letters and both alpha and non-alpha numeric characters, or reset them regularly. This directly addresses password fatigue and reduces insecure practices like writing down passwords as a means to recall them. Many modern devices, such as smartphones and laptops, come equipped with biometric sensors (fingerprint or facial recognition), making it easier for users to adopt passwordless authentication.

    Operational Efficiency and Reduced Costs

    Passwordless authentication offers tangible benefits to an organisation’s bottom line. organizations consistently report a reduced burden on IT support teams, as the volume of password-related issues—such as password resets and lockouts—dramatically decreases. This frees up IT staff to focus on higher-value tasks and directly translates into lower operational costs. The increased security also means fewer resources are spent on incident response and remediation after a breach. In fact, organizations using Yubico solutions have reported up to 99.9% reduction in credential-based threat risk and up to 75% reduction in IT support tickets, with 92% of Google employees reporting fewer IT tickets after adopting YubiKeys.

    Stronger Compliance

    With mounting regulatory pressure and evolving cybersecurity threats, many organizations are required to meet stringent compliance standards. Implementing passwordless authentication and stronger authentication measures can help organizations meet regulatory requirements and tighter security standards, such as those described under cyber insurance or federal mandates.

    Scalability and Future-Proofing

    Passwordless authentication is highly scalable, making it easy to implement across various systems and platforms, especially in large organizations or for online services with numerous users. As technology evolves, passwordless methods can also adapt to new and even more secure authentication mechanisms, ensuring that an organisation’s security posture remains up-to-date. This makes it a key component of a future-proof cybersecurity strategy, with broad compatibility across a range of modern device types.

    Types of passwordless authentication

    Passwordless authentication comes in various forms, each with unique advantages and implementation considerations. While they all share the goal of eliminating traditional passwords, the specific mechanisms, security levels, and user experiences differ significantly. Users and organizations must carefully evaluate these options based on their security requirements, characteristics, and existing infrastructure.

    Common types of passwordless authentication solutions include:

    Biometrics/inherence factors. Biometric passwordless technology relies on a sample of unique physical or behavioral traits of the user, such as fingerprint reading, facial recognition, iris scanning or voice recognition. Users access their accounts after their biometric sample is successfully verified against the stored reference data.

    Mobile device passwordless authentication methods. Users authenticate themselves using their smartphones, which can in itself include various methods such as device biometrics (e.g. Touch ID or fingerprint), device possession (e.g. proximity to a paired device), or a secure mobile app with its own authentication parameters or processes.

    Smart cards and hardware security keys. Smart cards and hardware security keys rely upon cryptographic keys for authentication. Users typically insert the card or connect the hardware security key to their device to complete the authentication process, using the stored private key to sign a random challenge that can then be verified by the relying party.

    Social media passwordless login services. Many of the large technology companies, such as Google, Meta, Apple, and Microsoft, are also Identity Service Providers (IdPs), which allow other services access to their authentication and a subset of user account information. After users have successfully authenticated themselves to one of the aforementioned IdPs, secure session information is then sent to the nominated external service about the identity of the user, so there is often no need for additional verification.

    One-time passwords (OTPs). OTPs are temporary, often time-sensitive codes sent to the user via email, SMS, or a mobile app. While not truly “passwordless”, and considered the weakest of the MFA methods, OTP usage does at least reduce reliance on static, reusable passwords by supplementing with another authentication factor.

    Push notifications. Users receive a push notification on a trusted mobile device as they attempt to log in, which they can approve or deny, often used to supplement an authentication process, but may also be used to circumvent the need to enter a password entirely.

    Examples of passwordless authentication systems

    As organizations face growing security challenges, passwordless authentication has evolved from a novel concept to a now established technology category with numerous implementations. The industry has developed robust standards and solutions that make passwordless authentication increasingly accessible and secure for businesses of all sizes.

    Passkeys / FIDO / WebAuthn passwordless. The Fast Identity Online (FIDO2) and WebAuthn standards originally enabled passwordless authentication by using public key cryptography, typically via purpose-built hardware, while passkeys also add the ability to sync across devices using a cloud service. Users register a cryptographic key pair, and for each login, the stored private key is used to sign a challenge presented by the relying party, and verified using the public key. 

    Smart cards / PIV. Smart cards, particularly those following the Personal Identity Verification (PIV) standard, are a foundational passwordless authentication option. PIV cards are physical credentials, often used in government and other high-security environments, that contain an embedded chip capable of storing cryptographic key pairs and certificates. They are designed to provide both logical access to computers and networks, and for physical access to buildings and secure areas. Authentication occurs when the user inserts the smart card into a reader and provides a PIN, with the private key on the card’s tamper-resistant chip signing a cryptographic challenge presented by the relying party via the reader. This process is highly secure because the private key never leaves the card and is protected by the user’s PIN, creating a strong two-factor authentication system rooted in possession and knowledge.

    Passkey types: 

    • Passkeys in security keys.  The YubiKey is a hardware security key that provides highly secure passwordless authentication. Instead of typing a password, users simply tap or insert the key into a device to authenticate. YubiKeys are a prime example of a device-bound passkey that offers a superior level of phishing-resistance and credential security by physically separating the private key isolated on a tamper-resistant chip. YubiKeys also support passwordless authentication by supporting Smart Card/PIV protocols.
    yubikey and laptop

    Synced or Built-In Passkeys:

    • Microsoft Windows Hello. Microsoft passwordless authentication capabilities come in the form of Windows Hello, a solution that allows users to log into Windows devices using facial recognition, fingerprint, PIN or hardware security keys. Windows Hello is integrated into Windows 10 and Windows 11, and there is even Windows Hello for Business that can be used for enterprise authentication.
    • Apple Face ID and Touch ID. Apple iOS devices and Macs use facial and fingerprint recognition for secure and convenient login and to authorize transactions.
    • Google Passkeys. Integrated across the Android and Chrome ecosystems, Google Passkeys allow users to sign into websites and apps using a secure key stored in their Google Account. This provides a passwordless login experience that is synchronised across a user’s various devices and is backed by the security of the Google Password Manager.
    • Duo Security. Owned by Cisco, Duo Security is one of the industry leaders in MFA and has made significant strides in the passwordless space. Its platform enables users to log in to web applications and even operating systems without a password. Duo Passwordless supports authentication via passkeys and FIDO2-compatible security keys, as well as its own Duo Push, which uses a secure push notification to a user’s phone for verification. This allows organizations to move to a phishing-resistant, passwordless model while maintaining a familiar user experience.

    Non-Passkey options:

    • Okta. Okta is a major player in the identity and access management (IAM) space, providing comprehensive passwordless capabilities for both workforce and customer identities. Its proprietary solutions, like Okta FastPass, allow users to authenticate to applications without passwords by relying on factors such as device biometrics, phishing-resistant credentials, or a simple push notification to the Okta Verify app. The platform provides a flexible way for organizations to implement and manage a range of passwordless experiences across various applications and devices.

    How to implement passwordless authentication

    Moving from traditional password-based systems to passwordless authentication requires careful planning and execution. Organizations often underestimate the complexity of this transition, particularly regarding user adoption, legacy system integration, and recovery mechanisms. A successful passwordless implementation balances security requirements with user experience to ensure widespread adoption.

    Implementing passwordless authentication typically involves a series of steps:

    • Define organizational objectives. Clearly delineate organizational goals and objectives for passwordless authentication in terms of security, user experience, and operational efficiency.
    • Choose the authentication method. Select one or more passwordless authentication methods that align with user objectives and their needs, in addition to the security risk profile of accessible information as determined by the enterprise. Generally speaking, the more sensitive the information, the stronger the authentication method should be.
    • Integration and development. Implement the nominated authentication method(s) using any software development kits, libraries, or APIs provided by selected vendors, or potentially, a comprehensive solution offered by one or more vendors. For large enterprises with 500+ users, YubiKey as a Service simplifies deployment for fast, scalable global rollouts, while YubiEnterprise Delivery handles shipping YubiKeys to users across 199 global locations.
    • User registration. Allow users to register their authentication method during the account creation process if necessary. This may involve capturing biometric data, registering a hardware security key, or setting up a mobile app. WebAuthn users will need to enroll their devices and generate cryptographic keys, for example, so it is critical that clear instructions and user guidance are provided during this process. The Yubico Enrollment Suite, particularly options like Yubico FIDO Pre-reg for factory-enrolled keys, can significantly reduce IT burden.
    • User recovery and backup. Implement a secure process for account recovery and provide a backup authentication method if possible. It is important to note that an insecure backup method may be used to circumvent the entire system, so its importance should not be underestimated.
    • Monitoring and maintenance. Continuously monitor passwordless authentication system performance and ensure that security patches are updated and any security concerns are promptly addressed.
    • User education. Educate users about how to go passwordless and provide clear instructions on how to set up, use, and recover from the selected authentication method.
    • Compliance and documentation. Ensure the implementation complies with relevant regulatory requirements. Maintain documentation of authentication procedures for auditing and accountability.
    • User feedback and iteration. Gather feedback from users to identify any pain points or improvements needed. Continuously iterate on the passwordless authentication system based on this feedback to enhance security and user experience.

    Does Yubico Support Passwordless Authentication?

    Yes, Yubico supports passwordless authentication through their hardware security keys and the use of the WebAuthn standard.

    YubiKeys are compatible with a wide range of platforms and services that support WebAuthn and passkeys, making them a versatile option for passwordless authentication.

    Learn more about how Yubico’s passwordless authentication solutions can help your enterprise transition into a passwordless future here.