Is Passwordless Authentication Secure?

Passwordless authentication is a form of authorization where users are not required to provide passwords before logging in to their online accounts. Instead, they have to leverage other options, for example, using a magic link that is provided in an email or SMS, fingerprint, or a token. More recently, the FIDO2 Web Authentication (WebAuthn) has emerged as a new and more reliable way of authenticating one's identity online. With that said, let's now take a more in-depth look at this authentication standard.

The WebAuthn is a web-based API developed by FIDO Alliance and standardized by the World Wide Web Consortium (W3C) in 2019. Websites and apps can use this functionality to give their users an easier login experience and offer higher security than using passwords alone. This security model relies on cryptographic login credentials that are unique for all websites and are never stored on servers. Instead, the private key can be stored on a user's device. Currently, such browsers and platforms as Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari, Android, and Windows 10 support the WebAuthn.

As far as passwordless authentication goes, the bottom line, which is to eliminate the problem of using an insecure password, is met. By implementing passwordless authentication, developers can achieve a higher level of visibility over identity and access management. After all, if there are no passwords, then there is nothing to reuse, share or phish.

Nonetheless, the level of security provided by this form of authorization is often challenged since using an option such as email to relay a code/ link can be unreliable as it can always be compromised. While this is a plausible concern, a hacked email could also be used to "reset" a password.

As such, this issue does not result in additional risk for passwordless authentication over the conventional username and password login. Rather, WebAuthn technology eliminates the potential dangers that come with providing passwords to emails or phones by allowing people to use a fingerprint or hardware security key. This is much safer.

Another issue to take note of when it comes to the security provided by passwordless authentication is the type of threat. If you wish to protect yourself from a common threat, in essence, an attack from a non-professional criminal with little to no resources and no specific target, then passwordless authentication is more secure than other alternatives.

However, if you were at risk of sophisticated threats from professional, dedicated, patient, and well-financed entities, then you would want to go beyond passwordless authentication. It is especially the case if more personalized attacks are to be prevented. That said, passwordless authentication could be stepped up by integrating multi-factor authentication, adaptive security, and anomaly detection.

Using a username and password is undoubtedly still the most conventional login technique. Still the approach leaves some more to be desired in terms of security and convenience because the efficiency of this method depends on how well an individual protects their login information.

Passwordless authentication, which is a convenient way for users to secure numerous accounts without memorizing passwords, is gaining popularity as a relevant option for login. This new and robust approach is safe. It is a clear winner and will continue to evolve.

On the 7th of April, our WebAuthn apps are finally live on the Atlassian marketplace!
If you're interested in implementing passwordless authentication for your Jira, Confluence, Bamboo or Bitbucket please check our vendor page: https://marketplace.atlassian.com/vendors/1216274/alpha-serve

All apps have a 30-day free trial, as usual.