How can it even work?
Microsoft recently announced the ability to remove your password from your Microsoft account, meaning the account would have no password at all.
So-called “passwordless authentication” would be used instead.
While it’s not at all obvious, there are scenarios where it’s actually safer than signing in with a password. Honest.
Passwordless authentication involves not using (or even storing) a password for an online account, but using an alternate mechanism to confirm your identity. The alternate mechanisms are those used as the second factor in two-factor authentication; they just become the only factor. With no password to expose or steal, it can be safer in many instances than traditional authentication. Two-factor authentication remains the most secure of all.
It’s like two-factor authentication, just without the first factor
The simplest way to describe passwordless authentication starts by reviewing how two-factor authentication is typically implemented.
Traditional single-factor authentication is simple. When you sign in, you provide:
- A password (something you know).
When two-factor authentication is enabled, to sign in, you provide:
- A password (something you know).
- A code or link from a device, email, or text message you then receive (something you have).
Using passwordless authentication, we lose the password. To sign in, you provide:
- A code or link from a device, email, or text message you receive (something you have).
Why passwordless authentication is interesting
The thing that makes passwordless authentication so attractive for service providers is that with no password to use, there’s no password to store, and there’s no password to steal.
Many account breaches happen when only passwords are used for authentication, and those passwords get compromised somehow. The problem is that there’s no shortage of ways to compromise a password.
- Data breaches, when the service being compromised has poor password storage security.
- Keyloggers and other malware on your machine.
- Password re-use allowing a compromised password to successfully sign in to an unrelated service.
- Phishing attempts tricking you into typing in your password.
- Many more.
Without a password involved, all of those techniques simply fail.
Passwordless isn’t perfect
If your second factor — the thing you have — becomes the only factor you use to sign in, we run into other issues.
- You could lose the second factor, be it a device or access to a phone number or email account on which to receive sign-in confirmations.
- The second factor could fall into the hands of someone unauthorized. If it’s the only factor needed, they could use it to sign in to your accounts.
I keep calling it the “second” factor, but with passwordless authentication, it’s the only factor.
The bet, if you will, is that these two risks are more directly under your control, and much less likely to happen than a traditional password compromise.
The result is that in many cases, passwordless authentication using a single factor can be more secure than using a password.
Personally, I’d love to use passwordless more often, but there can be glitches in the system. They’re not serious and don’t impact the security, but they can significantly impact the convenience, if not the availability, of the feature.
If you use Remote Desktop to access a Windows machine, and you sign in using a Microsoft account, then passwordless authentication isn’t an option. Remote Desktop requires a password. This is what stops me from even trying it out on any of my Microsoft accounts. It may not be an issue for you.
It can be slower. Medium.com uses passwordless authentication as one account option. When you sign in to Medium, you provide an email address, and they email you a link to sign in. Your ability to receive and click on that link proves you have access to the email account and acts as your authorization to sign in. The problem? Email’s not instantaneous. I find myself having to wait a few minutes each time I sign in.
Depending on the service and the type of alternate authentication method used, this may or may not be an issue for you.
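To make the emailed-link flow described above concrete, here is an added example (not code from the article, Medium, or Microsoft) of the server side of a magic-link sign-in. The server never stores a password; it stores only the hash of a random, short-lived, single-use token per email address, and clicking the link proves control of the mailbox. The 15-minute lifetime, the `example.invalid` URL and the address in the demo are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption (not from the article): a link stays valid for 15 minutes.
LINK_LIFETIME_SECONDS = 15 * 60
# Constructed placeholder host; a real deployment uses its own domain.
LOGIN_URL = "https://example.invalid/login"


@dataclass
class PendingLink:
    token_hash: bytes   # only the hash is stored; a breach of this table yields nothing usable
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Passwordless sign-in through an emailed link.

    The server keeps no password at all. It keeps, per email address, the hash
    of the most recent random token it mailed out, together with an expiry.
    Clicking the link proves control of the mailbox, which is the single
    "something you have" factor."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._pending: dict[str, PendingLink] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, email: str) -> str:
        """Create a fresh single-use link for `email`. Issuing a new link
        replaces (invalidates) any earlier unused link for the same address."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._pending[email] = PendingLink(
            token_hash=self._hash(token),
            expires_at=self._clock() + LINK_LIFETIME_SECONDS,
        )
        return LOGIN_URL + "?" + urlencode({"email": email, "token": token})

    def verify(self, email: str, token: str) -> bool:
        """Return True exactly once per issued link, and only before it expires."""
        link = self._pending.get(email)
        if link is None or link.used:
            return False
        if self._clock() > link.expires_at:
            del self._pending[email]
            return False
        # Constant-time compare of hashes, so timing does not leak token bytes.
        if not hmac.compare_digest(link.token_hash, self._hash(token)):
            return False
        link.used = True
        return True


def parse_link(url: str) -> tuple[str, str]:
    """Split a link produced by MagicLinkIssuer.issue back into (email, token),
    standing in for the browser hitting the login endpoint."""
    query = parse_qs(urlparse(url).query)
    return query["email"][0], query["token"][0]


if __name__ == "__main__":
    issuer = MagicLinkIssuer()
    url = issuer.issue("alice@example.invalid")      # constructed address
    print("mail this to the user:", url)
    email, token = parse_link(url)
    print("first click accepted:", issuer.verify(email, token))    # True
    print("second click accepted:", issuer.verify(email, token))   # False
```

Because a newly issued link supersedes the previous one, a user who requests several links (as happens when mail is slow and the "resend" button gets pressed) can only sign in with the most recent one; the expiry bounds how long a link sitting in a mailbox remains usable.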
Two-factor remains the gold standard
While passwordless may be attractive — since it’s one less thing for you to remember or manage — and more secure, it’s still only a single factor.
To truly secure your account, two-factor authentication remains preferable: use both a password and a second factor. That way, hackers would need both to sign in, and the chances of that happening are even smaller.
Interestingly, two-factor is traditionally a password plus something else, but it doesn’t have to be. You can still be passwordless and use two-factor — with two alternate authentication mechanisms. Perhaps your ability to click on a link sent to an email account, combined with the code displayed on an authentication device.
I’m not aware of any services that do this, though.
At least not yet.
Download (right-click, Save-As) (Duration: 8:18 — 7.1MB)
19 comments on “Is Passwordless Authentication Safe?”
I set up my Microsoft account to go passwordless. I used a Yubikey to do so as well as the Microsoft Authenticator App. Interestingly, using the Yubikey as my primary means of signing in also requires a PIN to be entered before touching the key. So it is still two factor authentication.
Windows Hello also asks for a PIN to be set up to sign in to your account, which I think could be a weakness. When starting my computer, I’m asked to enter the PIN to sign in.
I also have set up recovery means to get back into my account in case everything goes south. Alternate email, recovery code, Authenticator App and a verified phone number.
Isn’t a “pin” just another password? So I go from a 16 digit password to a 4 digit. Is that any safer?
Covered here: How Can a PIN Be as Secure as a Password?
It gets better. The pin doesn’t have to be all numbers and can be more than 4 characters. It can use letters and special characters. In other words, the same thing as the good old password, but now it’s tied to your hardware signature and indirectly to your MS account. MS makes it easy to be cynical. This is another case of marketing gyrations to create a false sense of “newness”.
The thing that makes password-less login using a pin safer than a password is the fact that your pin is stored on your PC, not in your Microsoft account, so you do not have to worry about a Microsoft server getting hacked, and having your Microsoft account credentials pop up on the ‘dark-web’. Also as stated above, the pin can be longer than 4 characters and can consist of both alpha characters and numbers, essentially any character you can enter from your keyboard.
For what it’s worth, I have enabled the password-less login feature on my Microsoft account. To log into my PC, I touch a USB fingerprint scanner (backed up with an 8 character pin in the event the fingerprint scanner cannot read my fingerprint for some reason). When I need to access my Microsoft account, I touch the fingerprint scanner and respond to a prompt in the Microsoft Authenticator app.
There is no such thing as a totally secure login strategy, but for me, since I do not have to deal with remote log-ins, password-less login is about as good as it gets.
“Email’s not instantaneous. I find myself having to wait a few minutes each time I sign in.”
I found this to be a problem with 2-factor identification. However, I found if I used my gmail account the response almost always took only a few seconds.
Just a heads up, guys — E-Mail isn’t 100% reliable. Sometimes, there is no “delay,” in receiving the link, because it never shows up at all — not even in your spam folder.
Websites usually have an “I didn’t receive a code” or something similar to resend the code in case it fails the first time.
If it failed the first time, what changes between the first send and the second one?
In my own case? As you might guess, the answer was, “Absolutely nothing whatsoever.” In other words, the resends didn’t show up, either.
In another (and quite different) case, they did show up — all four of them. Simultaneously. Now, which one do I click on?!?
Admittedly, the idea has very considerable merit… but the bugs most definitely haven’t all been worked out yet. :o
Which one to click on. The last one. In some if not all cases, the new link invalidates the previous ones. Sometimes the emails get lost or take a long time to get into your inbox. If they never get there, it could be a bug in the website’s software.
I am a senior citizen who worked in the tech industry. Adapting to new procedures on my computers comes easy for me, but explaining these new features to my spouse and asking her to use them after she has been using the old way without accident is another matter. She wants to turn it on and it just works. Let’s work on a way to eliminate the core problem, the hacker.
Rather than no password, how about stopping the anal requirements? My company just went to a 16 character password just to get into our laptops. I have to change multiple passwords every 90 days at most of our vendors which always ends up in losing access until lots of snarling and gnashing of teeth happens. I use RoboForm, but it doesn’t work all of the time. I’m for a simple password and the two-factor.
A 16 character password is reasonable. Leo has been recommending a minimum of 14 characters. Periodic password changes are a waste of time in most cases. I say most cases because there are cases where a password change might be necessary, for example, if your account has been hacked etc.
Google went passwordless quite a while ago. It involves confirming on the phone that you approve of a distant log-in just requested and then either
1. answering correctly one of three numbers which appear and must jibe with a number that comes up on the other place, or
2. Thumbprint on the phone.
My daughter recently went through a divorce, house sale and purchase. Because she works long hours and is not very computer/financial competent I did much of the paperwork & correspondence for her. Two factor authentication was a real pain as often code numbers were sent to her phone which she could not access immediately to forward on to me which stopped me helping her.
For the last couple of years, when I start up the online banking app on my smartphone, I get a message that my bank is talking to it. Once it is satisfied, it asks for three characters from my PIN. Quick and easy!
European banks do security much better than most US banks. My bank in Germany has a second factor, actually more of a 3-factor verification via their phone app. 1. You type in your account PIN. 2. You type a different password or scan your fingerprint to open the app. 3. You tap a button in the app to confirm the transaction.
The European 3D-Secure credit card verification system has just become ridiculously complex.
Before, I used the e-credit card system offered by Visa and my bank, which provides unique credit card numbers for online purchases (so they would be useless if they were hacked from a website). It worked this way:
1. Enter the e-credit card username, which is a string of 8 random letters provided by your bank (you can’t change it).
2. Enter the password, which is limited to 8 characters, and there cannot be any special characters.
So: on the face of it, it was ridiculously bad security. Maybe the bank-provided username mitigated it a bit, but an 8-character password, frankly…
Then, they added a second factor, and it worked thus:
1. Enter the e-credit card username.
2. Enter the password.
3. Enter a string of characters sent by phone, the number of which must be registered with your bank (and you must contact your bank to change it). This could be a landline, which was my choice.
That was good security, although they could have allowed a proper password before getting there, and that ridiculously weak 8-character password limit was not changed.
Then, they went one step further, and it became just bonkers:
1. Enter the e-credit card username.
2. Enter the password of the credit card.
3. Enter the username of your online bank account (which is a string of characters provided by your bank, and can’t be changed).
4. Enter the password of your online bank account (this is annoying, because it can’t be automated with a password manager: you have to type it manually on a virtual, on-screen keyboard).
5. Enter the string of characters sent by phone, which is supposed to be the second factor, and is now in fact the 4th factor, or the 5th, depending on how you count.
With all that, the e-credit card password is still 8 characters, no special characters allowed.
I’m now told the possibility to use a landline for the 2nd (or 4th, or 5th) factor will be taken away, and you will have to use a mobile phone number. Adding the risk of SIM-swapping, which does not exist with a landline. My bank pretends, of course, it’s safer.
Time to find a different bank.