HISTORICAL ARCHIVE · Originally published June 1, 2021

What is Passwordless Authentication?

A primer on passwordless authentication — what it actually means, how FIDO and biometrics replace shared secrets, and why hardware-bound credentials sit at the centre of the model.

This is an earlier piece from the AmbiSecure engineering archive. Where the field has moved on, the link above points to current coverage of the same topic.

Passwordless authentication does not mean "no factor". It means the factor is no longer a user-supplied shared secret. The model replaces stored hashes with hardware-bound credentials and biometrics that never leave the user's device — convenient for the user, but more importantly, structurally harder to phish.

What is Passwordless Authentication?

A passwordless authentication system is one that replaces the traditional password with more secure factors. These may include a magic link, a fingerprint, a PIN, or a token delivered via email or text message.

Why Do We Need Passwordless Authentication?

Secure authentication has become urgent because of the sharp rise in data breaches. Passwords are dying a natural death: they cannot deliver the secure authentication they promised. The report "The World Will Need to Protect 300 Billion Passwords by 2020", produced by Thycotic, concludes that humans will be using over 100 billion passwords, and that connected machines themselves will use in excess of 200 billion.

Passwordless authentication is a form of authentication that lets users log in without the hassle of typing a password and, in most cases, without any human intervention at all. These methods include links or secret tokens sent via email, single sign-on (SSO), a PIN, a fingerprint, or hardware security tokens such as smart cards.

Building on the need to go passwordless, several technology companies came together to launch the Fast Identity Online (FIDO) Alliance in 2012. The FIDO Alliance publishes open standards with the mission of enabling simpler and stronger user authentication.

The standards provide a framework for defeating common attacks against passwords such as credential stuffing, password reuse, phishing, and man-in-the-middle (MITM) attacks. The most recent, FIDO2, enables passwordless authentication based on public-key cryptography: the user's device holds a private key, and the service stores only the matching public key.

The FIDO2 specifications comprise WebAuthn and the Client to Authenticator Protocol (CTAP). WebAuthn makes attacks harder by letting online services use FIDO authentication through a standard web API built into browsers and related web platform infrastructure. It is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari, as well as on Windows 10 and Android.

CTAP enables an external authenticator – such as a physical FIDO security key or a mobile phone – to work with browsers that support WebAuthn for easy authentication to online services.

The aim of passwordless authentication is to prevent attacks such as:

  • Password Spraying — attackers try the same common password against many accounts
  • Brute Force Attacks — trying password combinations until one succeeds
  • Spear Phishing — targeted, spoofed email that tricks a user into revealing sensitive information
  • Social Engineering — psychological manipulation to obtain credentials

The bottom line: passwordless authentication should be one of the most important New Year's resolutions. Removing passwords helps enterprises, businesses, and individuals reduce both cost and attack risk.

Going beyond passwords

FIDO2 simplifies and secures user authentication. It uses public-key cryptography to protect against phishing attacks and is the only phishing-proof factor available. The AmbiSecure key and card offer superior security by combining hardware-based authentication with public-key cryptography.

AmbiSecure helps organizations accelerate toward a passwordless future by supporting the FIDO2 protocol. The AmbiSecure key and card do not require a battery or network connectivity, so authentication is always available.

About Ambimat Electronics

With close to four decades of design experience, Ambimat Electronics is a single-stop solution enabler for leading PSUs, private-sector companies, and start-ups. Its solutions include AmbiPay, AmbiPower, AmbiCon, AmbiSecure, AmbiSense, and AmbiAutomation.

References

  • https://www.inc.com/joseph-steinberg/300-billion-thats-how-many-passwords-may-be-in-use-by-2020.html
  • https://www.zoho.com/blog/vault/5-reasons-to-adopt-passwordless-authentication-in-2021.html
  • https://blog.shi.com/solutions/demystifying-fido-and-the-path-to-passwordless-authentication/
  • https://www.loginradius.com/blog/start-with-identity/2019/10/passwordless-authentication-the-future-of-identity-and-security/
  • https://enterprise.verizon.com/en-au/resources/articles/analyzing-covid-19-data-breach-landscape/
