Passwordless Authentication Solutions

Incognia builds users an accurate and persistent Location Identity, allowing companies to deliver on their promise of a passwordless and secure authentication experience.

Why do passwords offer weak account security?

Passwords are a problem for security because they can be easily stolen, guessed, or cracked through various means. 

Human-generated passwords are often weak, making them susceptible to brute-force attacks. In a brute-force attack, a cybercriminal uses a program to try one password guess after another; brute-force programs can try anywhere from 10,000 to one billion password guesses per second.

Unfortunately, passwords that are easy for users to remember are also easy for hackers to guess. Weak, common passwords like “123456,” “password123,” or those using keyboard patterns like “qwerty” can be cracked in as little as a few seconds.

Users often reuse the same password across multiple accounts, making a single password breach potentially disastrous. A criminal who gains access to leaked credentials for one website can use a credential-stuffing program to automatically try those credentials against hundreds of other sites, including online banking portals. 

Furthermore, the centralized storage of passwords in a database creates a single point of failure that can result in large-scale data breaches. To address these issues, NIST recommends using strong passwords and long passphrases and employing additional account security measures such as two-factor authentication. However, while these measures increase security, they can also increase consumer frustration with the authentication process.

How do passwords contribute to consumer frustration?

Consumers generally dislike passwords because they can be challenging to remember, especially when they are required to be complex and unique for each account. And when passwords are forgotten, the reset process is annoying and can be time-consuming, sometimes requiring answers to a set of knowledge-based questions. Companies also require account holders to update passwords periodically to ensure security. Furthermore, entering passwords on various devices, applications and websites can be tedious and repetitive, interfering with user engagement. 

These factors contribute to a phenomenon called “password fatigue” or “password chaos.” The more passwords a user has to remember and the higher their complexity, the more likely they are to engage in risky behavior like reusing passwords, using weak passwords, and storing passwords insecurely. 

The security vulnerabilities of passwords and consumer dissatisfaction with them make passwords a focus for improvement in the identity and access management market.

Are there alternative authentication solutions?

Yes, there are alternative authentication solutions to passwords. Some of these include:

  • Two-Factor Authentication (2FA): 2FA adds an extra layer of security by requiring users to provide two forms of authentication, such as a password and a one-time code sent via SMS, email or via push notification to their device.
  • Biometric authentication: This method uses physical characteristics such as fingerprints, face recognition, or iris scans to authenticate users.
  • Magic links: Users can request “magic” sign-on links that grant them account access from a link sent via SMS or email. 
  • Single Sign-On (SSO): SSO allows users to log in to multiple applications using a single set of credentials, reducing the need to remember multiple passwords.
  • Security key: These are physical devices with integrated circuits that can store and process data used to authenticate users.
  • Location-based Authentication: Users can opt-in to share their location to prove their behavior pattern is consistent with their previous history.

These alternative authentication solutions offer a more secure and user-friendly experience than passwords and can help reduce the risk of security breaches.

Usage of two-factor authentication solutions

Despite the added security benefits of two-factor authentication (2FA), many people still don’t implement it. There are several reasons for this:

  • Awareness: Some people are unaware of the availability of 2FA and its added security benefits.
  • Complexity: Some people may find 2FA too complex or confusing to set up and use.
  • Inconvenience: For some, entering a one-time code is considered an inconvenience, particularly when logging in multiple times a day.
  • Limited availability: 2FA may only be available on some websites or applications.

Some authentication factors are “passive” because they don’t require the user to do anything. In the case of Incognia’s location-based authentication, the device location is automatically analyzed and used as an authentication factor.  For this reason, it is also called a “zero-factor” authentication method. 

To increase the adoption of 2FA, it is essential to educate users on its benefits and make the setup process as simple and user-friendly as possible. Choosing factors that reduce authentication friction will ensure that users keep the feature enabled.

Passwordless authentication

Passwordless authentication is a term used to describe authentication methods that eliminate the need for users to remember and enter passwords. Instead, these methods use alternative factors, such as biometrics, security keys, one-time codes sent via SMS or email, or location-based authentication. Passwordless authentication offers several benefits over traditional password-based factors.

Firstly, by eliminating the need for users to remember and enter passwords, passwordless authentication reduces the risk of password-related security breaches. Because no passwords are used, passwords can’t be stolen via breaches and used to execute account takeover attacks. 

Eliminating passwords also reduces user frustration. With no need to remember passwords or enter them repeatedly, the user experience is significantly improved, making the authentication process faster and more convenient.

Finally, passwordless authentication also makes it easier for people with disabilities or memory challenges to access digital services.

Overall, passwordless authentication represents a promising step forward in account security, offering the potential for more secure and user-friendly authentication experiences.

Top passwordless authentication solutions

There are several passwordless authentication solutions available in the market. Here are some of the top solutions:

  • Microsoft Authenticator: Microsoft Authenticator is a free app for iOS and Android that enables passwordless authentication using biometric recognition or one-time codes. As of September 2022, the app has approximately 5 million monthly downloads. 
  • Google Authenticator: Google Authenticator is a free app for iOS and Android that enables passwordless authentication using one-time codes. As of October 2022, Google Authenticator has about 4 million monthly downloads. 
  • Yubico Security Keys: Yubico Security Keys, also called Yubikeys, are physical devices that can be used for passwordless authentication. They use public-key cryptography to securely authenticate users without the need for passwords. Yubikey's biggest customers include Google, which has bought over 1 million Yubikey dongles for employee use as of the end of 2020.
  • Apple Touch ID and Face ID: Touch ID and Face ID are biometric authentication systems available on Apple devices that enable passwordless authentication using fingerprints and facial recognition, respectively. According to Apple, around 89% of people with compatible devices enable Touch ID.
  • Android Fingerprint and Face Recognition: Like Apple’s Touch ID and Face ID, Android uses facial and fingerprint recognition as biometric authenticators for some mobile devices. According to Mercator, Android and iPhone users are most likely to use facial recognition.
  • Windows Hello: Windows Hello offers users of Windows 10 and later the option to log into devices and online apps using biometrics, including iris scans, facial recognition, and fingerprints. As of 2020, 84% of Windows 10 users were also using Windows Hello. 
  • Incognia location-based authentication: Incognia uses advanced location signals to reduce authentication friction and detect fraud. Incognia’s technology is highly resistant to location spoofing and offers superior precision for accurate authentication. False acceptance and false positive rates are much lower than those of today's leading authentication solutions. Incognia’s technology is currently installed on over 200 million devices in 25 countries.

The list above covers only the most popular passwordless authentication solutions available. However, many innovative passwordless solutions have emerged recently, including location-based authentication, rotational password approaches, and behavioral biometrics. When selecting a passwordless authentication solution, it is important to consider factors such as security, ease of use, training time, compatibility with existing systems, and overall cost.

Most accessible passwordless solutions

The ease of use of passwordless solutions can vary depending on several factors, such as the user's technical skill level, comfort with new technologies, and personal preferences. However, the following passwordless solutions are generally considered to be among the easiest for consumers to use:

  • Mobile authenticator apps: These are free apps for iOS and Android that enable passwordless authentication using biometric recognition or one-time codes. They are relatively easy to set up and use, and their user-friendly interfaces add to their popularity with consumers.
  • Touch ID and Face ID: Touch ID and Face ID are biometric authentication systems available on Apple devices that enable passwordless authentication using fingerprints and facial recognition, respectively. These systems are quick and easy to use, and their seamless integration with Apple devices makes them a popular choice for consumers.
  • One-Time Codes: One-time codes sent via SMS or email are a straightforward way for consumers to authenticate themselves without needing passwords. They require minimal setup and are easy for consumers to use daily.
  • Incognia location-based authentication: The defining quality of this zero-factor authentication is that no action is required from the user. Instead, authentication is based on location recognition signals that work silently in the background.

Passwordless technology is not always frictionless

It is a common misconception that passwordless is synonymous with frictionless. While passwordless authentication can improve security and usability compared to traditional password-based authentication, it does not necessarily guarantee a frictionless experience. Some passwordless solutions can be complex or difficult to use, especially for users who are not familiar with the technology. This inaccessibility can result in frustration, decreased adoption, and potential security risks if users abandon second-factor authentication altogether.

For example, some biometric authentication systems may not be accessible to users with specific disabilities, and some users may be concerned about biometric authentication's privacy implications. 

Similarly, security keys can be lost or damaged, and SMS or email-based one-time codes are vulnerable to man-in-the-middle attacks or social engineering. In one example scheme, a fraudster may call a victim claiming to represent the platform they want to access under the victim’s credentials. Using the victim’s phone number, they request an SMS code and then ask the victim to provide the code over the phone to verify themselves to the fake representative. The fraudster then uses the stolen code to access the victim’s account, successfully committing an account takeover. 

Fortunately, not every passwordless solution requires a setup process or introduces a vulnerability to compromise. For example, Incognia’s location-based authentication method is entirely frictionless. It leverages location sensors on mobile devices to assess risk, enabling companies to take an adaptive approach that selectively challenges users. This also reduces reliance on traditional, higher-friction authentication methods, reserving them as secondary factors.

Mobile recognition signals also have the potential to detect more sophisticated account takeover attacks, including those that employ techniques to mimic or bypass device fingerprinting tools. 

It's important for organizations to carefully consider the trade-offs between security, usability, and accessibility when selecting and implementing passwordless authentication solutions. By choosing solutions that are simple, convenient, and accessible to a wide range of users, organizations can help ensure the success of their passwordless authentication efforts and avoid the potential problems associated with friction. Providing a variety of options and putting the power of choice directly in users’ hands is another powerful way to promote security; after all, it’s much less likely for users to self-select their way to an authentication method they can’t or won’t use.  

The following table shows a list of the current choices for authentication and how they rank for both security and friction.

[Table: authentication factors ranked by security and friction (image not reproduced)]

 

Location verification is passwordless made frictionless

Location-based authentication combines elements of passwordless and frictionless authentication to provide a solution that is both secure and user-friendly. This type of authentication uses the location of a user's device to verify their identity.

For example, a mobile app might require that users log in from a specific trusted location, such as their office or home, before accessing sensitive account information. Suppose users attempt to log in from an unfamiliar location. The system may challenge them for additional information, such as a one-time code sent to their phone or a facial recognition check.
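The trusted-location check with a step-up challenge described above can be sketched as follows. This is an added example, not Incognia's implementation or code from this page; the field names, the 150 m radius, the `mock_location` integrity flag, and the coordinates are all constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000
TRUSTED_RADIUS_M = 150  # assumption: how close counts as "at" a trusted place


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def decide(login, trusted_locations):
    """Return (action, reason); action is 'allow' or 'step_up'.

    login uses hypothetical fields: lat, lon, accuracy_m, mock_location.
    """
    # A fix flagged as mocked or emulated is not evidence of presence.
    if login.get("mock_location"):
        return ("step_up", "location_integrity_failed")
    # A coarse fix cannot prove the device is inside the trusted radius.
    if login["accuracy_m"] > TRUSTED_RADIUS_M:
        return ("step_up", "low_accuracy_fix")
    for place in trusted_locations:
        d = haversine_m(login["lat"], login["lon"], place["lat"], place["lon"])
        # Worst case: the device sits at the far edge of its error circle.
        if d + login["accuracy_m"] <= TRUSTED_RADIUS_M:
            return ("allow", "trusted:" + place["name"])
    return ("step_up", "unfamiliar_location")


# Constructed sample data (not real user locations).
TRUSTED = [{"name": "home", "lat": 37.7749, "lon": -122.4194}]
SAMPLE_LOGINS = [
    {"lat": 37.7750, "lon": -122.4195, "accuracy_m": 20},    # near home
    {"lat": 40.7128, "lon": -74.0060, "accuracy_m": 15},     # far away
    {"lat": 37.7749, "lon": -122.4194, "accuracy_m": 10,
     "mock_location": True},                                 # mocked fix
    {"lat": 37.7749, "lon": -122.4194, "accuracy_m": 2000},  # coarse fix
]

if __name__ == "__main__":
    for attempt in SAMPLE_LOGINS:
        print(decide(attempt, TRUSTED))
```

A `step_up` result is where the one-time code or facial recognition check from the paragraph above would be triggered; `allow` lets the session proceed without a challenge.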

Incognia location-based authentication provides several benefits, including increased security, as it increases the difficulty of unauthorized access to sensitive information. It also offers a frictionless experience for good users logging in from trusted locations, removing the need to enter a password or perform additional authentication steps. Additionally, Incognia’s spoof-resistant location technology detects attempts to manipulate true location data using GPS spoofing apps, emulators, and other sophisticated techniques.

Benefits of Incognia’s Location-based Authentication

Incognia provides a location-based authentication method that offers mobile users more security with zero friction. Working silently in the background, Incognia's solution uses network, location, and device signals to distinguish trusted users from fraudsters and prevent account takeover.

Consumer internet companies need to adopt frictionless security to win in the future. This means the elimination of authentication factors that create additional friction for users. Today’s authentication options, including one-time passwords (OTPs), authentication apps, and security keys, create friction that users resist. High-friction authentication also creates additional support costs.

Incognia offers frictionless, rule-based evaluation of signals to deliver a highly accurate risk assessment, protecting the complete in-app journey without any action required by the user.

Using a location-based risk signal before higher friction authentication steps efficiently delivers a better authentication experience to legitimate customers and reduces authentication costs. Additional authentication steps should only be required when the presence of risk is identified.

Why Incognia Passwordless Authentication?

  • Passwordless & frictionless authentication signal
  • Quick to integrate and implement
  • Resilient to location spoofing
  • Built-in device fingerprinting and integrity checks
  • Powerful network effect proved at scale
  • Limited PII required, prioritizing data privacy
  • CCPA, GDPR, and SOC 2 compliant
