Phone-less. Token-less: Less is More for Passwordless Authentication

By now, most organizations, across industries, understand that passwords are a cybersecurity risk and potential point of vulnerability - and for good reason. According to the World Economic Forum, weak and/or stolen passwords are the most common initial attack vector, representing 80% of all breaches. The response, however, is positive: 82% of business leaders say they are ready and willing to implement a passwordless approach¹. Password-based authentication causes friction, which leads to many employees ignoring security protocols altogether due to password fatigue. As a result, employees are subject to terrible user experience in addition to the security risks already inherent to password-based authentication.  

The path to achieving passwordless authentication, however, is not so straightforward. Today, the most common passwordless solutions rely on using a single authentication factor that is based on something you have - such as a hardware token or a mobile device - which inherently present their own security risks, usability challenges, and additional costs. While they do present a better alternative to password-based approaches, they also introduce more potential vulnerabilities that modern hackers are taking advantage of with greater frequency, as they completely remove any verification of that actual person from the authentication process.  

Here's the good news: there is an approach to passwordless authentication that avoids unnecessary cost and risk. Identity-Bound Biometrics (IBB) uses the person as the authentication credential to provide the safest, most secure option for passwordless authentication that won't introduce additional cost to the business or more friction to the authentication process. Interested in hearing more about how IBB can help solve your passwordless challenges? Keep reading to find out.  

The Problem with (Most) Passwordless  

Moving away from the password-based authentication method is a step in the right direction. Unfortunately, most options hinder the true power of passwordless and take a step backwards by relying on tokens, devices or phones to execute the authentication process as a single factor. The core challenges with these methods include:  

• High costs + investments: traditional passwordless methods typically require the purchasing of multiple tokens for each employee or separate mobile devices or data plans.  
• Insufficient security: trust is based on the device or token, both of which can be shared, lost or stolen, and not able to authenticate the actual person completing an action.  
• Implausible or unsafe for core business areas: key groups, functions and use cases within organizations are hindered by methods that impose inefficient or unsafe work conditions on daily operations, which, in turn, can pose legal risk for the employer.  

Simply put, putting your trust in what you have - any sort of device or piece of hardware - does not meet the standards of today's cybersecurity needs. For one, hackers have become too skilled and well-versed in circumnavigating these methods. Even with one-time passcodes (OTPs), a hacker can install malware designed to intercept them and gain access to protected data or they could insert trojans into web browsers to intercept shared data like a magic link.  

For example, the hacker responsible for the August 2022 Twilio cyber-attack gained unauthorized access to steal one-time passwords (OTPs) delivered over SMS from customers of the identity and access management company, Okta.  

In Singapore, hackers posed as 75 bank customers to make nearly $500,000 in fake credit card payments by diverting the SMS OTP from the banks to overseas mobile network systems.  

Secondly, and perhaps more importantly, passwordless authentication based on something you have is inherently flawed because it is based off the assumption that any given individual is in possession of their piece of hardware. However, there is no way to verify this with these methods - in other words you do not have any level of confidence that the authorized user is on the other side of the screen.  

Passwordless authentication using Identity-Bound Biometrics addresses all the major pain points many organizations are experiencing in the shift to passwordless.  

Phone-less, Token-less, Passwordless  

Passwordless authentication with Identity-Bound Biometrics uses the person as the credential for authentication. With a simple scan of a finger at any device in any location, it is the safest, most efficient, most cost-effective and most secure option for a range of common use cases, including shared workstations, zero trust environments, remote access, and scenarios where mobile devices are not permitted such as manufacturing floors and contact centers. Specifically, some of the key benefits of passwordless authentication with IBB include:  

• Security: positively identify the person completing an action with authentication powered by Identity-Bound Biometrics, ensuring the intended user - and only that user - is gaining access.  

• A fully auditable activity log provides transparency and comprehensive records of all logins, record updates, and tracking of users' system and application access.  

• Process Validation: ensure that only authorized people are the ones completing steps or taking actions within a process or transaction. For example, this is extremely valuable for quality assurance on a manufacturing floor or to verify the clinician who prescribed a controlled substance.  
• Ease of use: save countless hours and increase productivity with a consistent, frictionless user experience that's quick and easy, requiring just one-touch authentication for a passwordless login at each workstation - no mobile device or token necessary.  
• Cost-efficiency: reduce your overall cost by installing just one fingerprint scanner per desktop for a minimal, one-time investment and eliminate the need to purchase multiple tokens or cover the cost of mobile devices.  

When authentication is tied directly to the user's identity, you can experience passwordless authentication in its purest form, unencumbered by devices: phone-less and token-less.  

Passwordless authentication with Identity-Bound Biometrics is an approach that you can trust because it is rooted in proven, tried-and-true pillars of cybersecurity - introducing less points of attack means less potential risk and vulnerabilities. When cybersecurity is built on assumptions - as it is with device-based passwordless methods - your private information becomes far more difficult to reliably protect.  

Taking the Next Step Towards a Passwordless Future  

If you're ready to make the move to go passwordless and protect against a potential future data breach, it's crucial to do it in a way that benefits your entire organization and helps you achieve long-term business goals. Here are some FAQs that we've answered to help guide your decision-making process:  

• Question: it's great that there are no hardware costs, but aren't there typically hidden costs and fees associated with a software solution?  

• Answer: Identity-Bound Biometrics is part of the BIO-key's award-winning, unified IAM platform, PortalGuard, which is offered at a single, affordable price. You never need to worry about unexpected or hidden costs and can pay up to 50% less than similar solutions.  

• Question: won't implementing a new biometric passwordless solution take up too much time and resources to roll out?  

• Answer: putting a new solution into place is always a process, but our passwordless authentication with IBB can be fully implemented in less than 60 days. Our world-class technical support team does all the heavy lifting so yours can focus on employee adoption.  

• Question: how will personal biometric data be kept safe?  

• Answer: Biometric data privacy is ensured through non-reversible, cryptographic hashing and salting to render the information inaccessible and unusable for potential bad actors - no actual image is ever stored. Additionally, built-in liveness detection provides strong Presentation Attack Detection (PAD) by imposters trying to use scanned pictures or fakes.  

• Question: why not just use device-based biometric authentication?  

• Answer: Identity-Bound Biometrics provides a different - and superior - level of security. IBB verifies the actual person completing an action (logging into a system, completing a transaction, accessing private information), whereas local biometrics simply confirm that an approved device is being used.  

Interested in learning more about passwordless authentication with Identity-Bound Biometrics? Check out the IBB datasheet for a full overview, product specs and features. Alternatively, we encourage you to reach out directly if you'd like to speak to our team to discuss how you can achieve strong authentication. 

Sources: 

1. https://blog.capterra.com/passwordless-authentication/#methodology