How is Passwordless more secure?
When using a password to authenticate yourself for a service, you are relying on two main components:
A username which is normally public, and its password.
In theory, your password is a secret, but in practice, you are sharing that secret with at least two other parties: the service you’re accessing and the server on which it is stored to allow verification.
I purposefully use the expression “at least”, as some browsers, text editors, and extensions can track your password upon clicking the “Show password” button:
The logic behind the multi factor authentication is to include “something you know, something you have, and something you are” in your authentication process.
We use that same logic to determine that passwords are a weak form of authentication: because both the username and the password fall into the same category: something you know.
If an attacker can discover or guess the username and password, they can gain unauthorized access.
You can read our previous blog post for better understanding of : Phishing Scams: Redundant and Predictable but Still Trendy – How to Stay Safe
There are several ways to use Password-less authentication.
Biometric Authentication
Refers to security systems that identify individuals based on their unique biological characteristics (facial recognition, fingerprint scanning, or iris recognition), which fall under “something you are.” These identifiers are normally more difficult to replicate or steal especially with the rise of AI and 3D printing techniques.
Another layer of protection is the fact, biometric data is typically stored locally on the device in a secure enclave, making it less susceptible to remote hacking attempts. In this case the device itself acts as the physical security token. Which brings us to FIDO2.
In the case you lose your device, you very much have all your personal and non-personal data lost within (such as your name, login details, and usage history). Whereas when you lose the FIDO2 token, it has no other piece of information other than the certificates of the keys themselves. It is not possible to store any login details including a username on the FIDO2. If someone tries to use it, the key does not indicate which service it’s been registered to or to which user account.
FIDO2 security keys
This option introduces a crucial factor into the online authentication process: physical presence. When you log into your accounts, you’re required to physically interact with the security key by pressing its button. This means that no one can access your accounts unless they have physical possession of your key.
There are multiple brands out there, but the FIDO2 standard remains the same, and we offer our own licensed SpearID Pro FIDO2 key.