Getting to passwordless login
The death of passwords cannot come soon enough on mobile
Since the beginning of the internet, passwords have been used as the main – and many times the only – form of account authentication. Whether we are accessing social networks, bank accounts, websites, or mobile applications, we always need to have the combination for each platform ready in memory. The problem is that, as hacker attacks evolve and social engineering fraud gets more sophisticated, passwords are now more vulnerable than ever. The good news is that more secure and user-friendly solutions already exist, allowing mobile applications to offer passwordless login today and making passwords obsolete.
The death of passwords cannot come soon enough
A person has, on average, somewhere between 70 and 80 passwords to remember, which makes it hardly surprising that people often use simple passwords and reuse them across accounts. To make matters worse, the increasing frequency and sophistication of hacker attacks, the most recent being the theft of 8.4 billion passwords, make stolen passwords easily accessible to cybercriminals and fraudsters. Efforts to educate users to create secure passwords and not repeat them have proven to be the equivalent of rolling a stone uphill.
Passwords as a form of authentication are no longer secure or convenient for users, and on mobile, where users have extremely short attention spans, the friction of passwords is amplified. In reality, in the design of mobile apps, password-based security is working against user experience.
Many companies are still clinging to password-based authentication for their mobile apps, but on mobile those passwords really need to go, now.
To shore up the weak security of passwords, services are increasingly offering users the option to activate multi-factor authentication (MFA) to add security to their accounts. For some types of mobile apps, such as financial apps that directly manage money, MFA is becoming a requirement. However, while MFA addresses the weak security of passwords, it does not solve the problem of high friction for users.
With MFA, users have to not only deal with the friction created by passwords but must now also manage the added friction of additional authentication factors.
With passwords increasingly exposed, the most natural path forward is for this type of authentication to be phased out, to be replaced with passwordless authentication.
Passwordless is the term generally used to describe authentication without passwords, and beyond the requirement of no passwords, passwordless login can take many forms.
Getting started with passwordless login
As with many new technologies, one of the hardest decisions for passwordless authentication is how and when to integrate it into existing products and services. For passwordless authentication on mobile, the number of options for implementation has increased rapidly in the past few years. The addition of new technologies and sensors on the mobile device offers opportunities for new types of authentication using recognition signals, biometrics and behavioral biometrics.
The role of zero-factor authentication
On mobile, one of the fastest-ROI implementations of passwordless is to leave existing authentication flows in place and insert zero-factor authentication before the current password-based step. Zero-factor authentication is based on recognition signals rather than explicit tokens or credentials. The benefit of this approach is that it requires no action by the user: technology is used to recognize the user.
At Incognia, we make use of the location and motion sensors on the mobile device to recognize the unique location behavior pattern of each user, since for mobile, location is the strongest trust signal. Unlike static credentials such as passwords, Incognia's recognition signal is dynamic and constantly updating, making it extremely difficult to mimic or fake.
With Incognia's zero-factor adaptive authentication in place, it is then possible to do an initial risk assessment to separate low-risk from high-risk logins.
The low-risk logins can be offered a friction-free passwordless login experience. The high-risk logins can proceed to the existing password-based authentication and/or 2FA/MFA sequence. The result is that for the vast majority of logins, which are low-risk, no passwords are required.
The passwordless login flow with Incognia would therefore be as follows:
- The user enters their username
- Incognia checks for anomalies in the user’s location behavior pattern and the device characteristics
- Incognia delivers a risk assessment
- For low-risk logins, the zero-factor adaptive authentication approval is sufficient and the user is authenticated with a no friction login experience
- For high-risk logins, the user is directed to additional authentication steps, either the existing password-based flow or a step-up authentication flow.
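The flow above, modelled as a policy gate placed in front of an existing password step (added example, not Incognia's code or API; the scoring rules, thresholds, profile data and the `LoginAttempt` fields are hypothetical and constructed for illustration):

```python
"""Zero-factor adaptive authentication gate placed before a password step.
Added example, not Incognia's code or API: the risk rules, thresholds and
profile data below are constructed and hypothetical."""
from collections import namedtuple
import math

# username, hypothetical stable device identifier, and current coordinates
LoginAttempt = namedtuple("LoginAttempt", "username device_id lat lon")
PASSWORDLESS = "low-risk: recognition signal is sufficient, no password"
STEP_UP = "high-risk: route to the existing password and/or MFA flow"

# Constructed profile: trusted devices and previously observed locations.
USER_PROFILES = {
    "alice": {
        "devices": {"dev-a1"},
        "locations": [(37.7749, -122.4194), (37.3382, -121.8863)],  # SF, San Jose
    },
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_score(attempt, max_trusted_km=50.0):
    """Score 0-100 from two recognition signals: location and device.
    Unknown users or missing history score as high risk (fail closed)."""
    profile = USER_PROFILES.get(attempt.username)
    if not profile or not profile["locations"]:
        return 100
    score = 0
    nearest = min(haversine_km((attempt.lat, attempt.lon), loc) for loc in profile["locations"])
    if nearest > max_trusted_km:
        score += 60  # location anomaly: far from every known location
    if attempt.device_id not in profile["devices"]:
        score += 50  # device anomaly: never seen on this account
    return min(score, 100)


def authenticate(attempt, threshold=40):
    """Gate placed before the password step: low-risk skips it, the rest steps up."""
    return PASSWORDLESS if risk_score(attempt) < threshold else STEP_UP
```

The existing password and MFA flow is untouched; the gate only decides who reaches it, and any login it cannot assess defaults to step-up rather than to a passwordless approval.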