How can it even work?
Microsoft recently announced the ability to remove your password from your Microsoft account. It would have no password at all.
So-called “passwordless authentication” would be used instead.
While it’s not at all obvious, there are scenarios where it’s actually safer than signing in with a password. Honest.
Passwordless authentication involves not using (or even storing) a password for an online account, but using an alternate mechanism to confirm your identity. The alternate mechanisms are those used as the second factor in two-factor authentication; they just become the only factor. With no password to expose or steal, it can be safer in many instances than traditional authentication. Two-factor authentication remains the most secure of all.
It’s like two-factor authentication, just without the first factor
The simplest way to describe passwordless authentication starts by reviewing how two-factor authentication is typically implemented.
Traditional single-factor authentication is simple. When you sign in, you provide:
- A password (something you know).
When two-factor authentication is enabled, to sign in, you provide:
- A password (something you know).
- A code or link from a device, email, or text message you then receive (something you have).
Using passwordless authentication, we lose the password. To sign in, you provide:
- A code or link from a device, email, or text message you receive (something you have).
Why passwordless authentication is interesting
The thing that makes passwordless authentication so attractive for service providers is that with no password to use, there’s no password to store, and there’s no password to steal.
Many account breaches happen when only passwords are used for authentication, and those passwords get compromised somehow. The problem is that there’s no shortage of ways to compromise a password.
- Data breaches, when the service being compromised has poor password storage security.
- Keyloggers and other malware on your machine.
- Password re-use, which lets a password compromised on one service sign in to an unrelated service.
- Phishing attempts tricking you into typing in your password.
- Many more.
Without a password involved, all of those techniques simply fail.
Passwordless isn’t perfect
If your second factor — the thing you have — becomes the only factor you use to sign in, we run into other issues.
- You could lose the second factor, be it a device or access to a phone number or email account on which to receive sign-in confirmations.
- The second factor could fall into the hands of someone unauthorized. If it’s the only factor needed, they could use it to sign in to your accounts.
I keep calling it the “second” factor, but with passwordless authentication, it’s the only factor.
The bet, if you will, is that these two risks are more directly under your control, and much less likely to happen than a traditional password compromise.
The result is that in many cases, passwordless authentication using a single factor can be more secure than using a password.
Personally, I’d love to use passwordless more often, but there can be glitches in the system. They’re not serious and don’t impact the security, but they can significantly impact the convenience, if not the availability, of the feature.
If you use Remote Desktop to access a Windows machine, and you sign in using a Microsoft account, then passwordless authentication isn’t an option. Remote Desktop requires a password. This is what stops me from even trying it out on any of my Microsoft accounts. It may not be an issue for you.
It can be slower. Medium.com uses passwordless authentication as one account option. When you sign in to Medium, you provide an email address, and they email you a link to sign in. Your ability to receive and click on that link proves you have access to the email account and acts as your authorization to sign in. The problem? Email’s not instantaneous. I find myself having to wait a few minutes each time I sign in.
Depending on the service and the type of alternate authentication method used, this may or may not be an issue for you.
Two-factor remains the gold standard
While passwordless may be attractive — since it’s one less thing for you to remember or manage — and more secure, it’s still only a single factor.
To truly secure your account, two-factor authentication remains preferable: use both a password and a second factor. That way, hackers would need both to sign in, and the chances of that happening are even smaller.
Interestingly, two-factor is traditionally a password plus something else, but it doesn’t have to be. You can still be passwordless and use two factor — with two alternate authentication mechanisms. Perhaps your ability to click on a link sent to an email account and provide the code displayed on an authentication device.
I’m not aware of any services that do this, though.
At least not yet.
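To make the two flows above concrete, here is an added example (not code from the article, Medium, or Microsoft) of the server side of an emailed sign-in link, and of the passwordless two-factor variant just described, where the link is combined with a code from an authenticator app. Everything is assumed: the 15-minute link lifetime, the in-memory stores, and the use of a standard RFC 6238 TOTP code as the second alternate factor. The service would normally send the token in a URL by email; here it is simply returned.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed sign-in link
TOTP_STEP = 30              # RFC 6238 defaults used by common authenticator apps
TOTP_DIGITS = 6


def totp(secret_b32, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1, as produced by a standard authenticator app."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasswordlessAuth:
    """Server-side state for emailed sign-in links plus an optional authenticator code.

    Only hashes of outstanding link tokens are stored: a leak of this table does
    not yield anything that can be typed in, which is the whole appeal of having
    no password on file.
    """

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so expiry can be tested
        self._pending = {}              # sha256(token) -> (email, expiry timestamp)
        self._totp_secrets = {}         # email -> base32 secret, if an authenticator is enrolled

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, email):
        """Create a random single-use token; the service would email it as a URL parameter."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self.clock() + LINK_TTL_SECONDS)
        return token

    def redeem_link(self, token):
        """Single-factor passwordless sign-in: return the email if the token is
        known, unused and unexpired, else None. Clicking the link proves mailbox access."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes it single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email

    def enroll_totp(self, email):
        """Register an authenticator secret for the account and return it for the app."""
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self._totp_secrets[email] = secret
        return secret

    def sign_in_two_factor(self, token, code):
        """Passwordless two-factor: mailbox possession (the link) plus authenticator
        possession (the code). Both must succeed; a wrong code still consumes the link."""
        email = self.redeem_link(token)
        if email is None or email not in self._totp_secrets:
            return None
        expected = totp(self._totp_secrets[email], int(self.clock()))
        if not hmac.compare_digest(expected, code):
            return None
        return email


if __name__ == "__main__":
    auth = PasswordlessAuth()
    link = auth.issue_link("reader@example.com")      # constructed sample account
    print("single factor:", auth.redeem_link(link))
    secret = auth.enroll_totp("reader@example.com")
    link = auth.issue_link("reader@example.com")
    print("two factor:", auth.sign_in_two_factor(link, totp(secret, int(time.time()))))
```

The design choices are the ones a reviewer would look for in any link-based flow: the token is unguessable, only its hash is stored, it expires, and redeeming it removes it so a link that is forwarded or logged cannot be replayed. The two-factor path deliberately burns the link even when the code is wrong, so a guessed code can only be tried once per emailed link.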