Passwordless vs MFA: The Future of Authentication

"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down, and they just don't meet the challenge for anything you really want to secure."

Bill Gates said that in 2004 during a now famous RSA Security keynote presentation—and he has a point.

Constantly evolving consumer markets force businesses away from legacy systems to the modern cloud- and web-based applications. While the option to pursue a passwordless future has been available to enterprises for some time, many are still hesitant to move away from the traditional methods of securing data. Nearly 97% of IT leaders predict barriers to implementing the technology needed for a passwordless future, citing a lack of buy-in, technical expertise, or simply the sense of urgency from business leaders.

To be honest, passwords are a fatally flawed authentication mechanism and are riddled with vulnerabilities, making them the #1 target for cybercriminals. They’re hard to remember, often reused over multiple accounts, and difficult to reset, and even when they are protecting our data, they’re easily compromised.

According to Verizon’s 2022 Data Breach Investigations Report, over 80% of web application breaches were caused by stolen credentials—nearly a 30% increase from 2017.

Most business leaders have implemented multi-factor authentication (MFA) procedures to add an extra layer of security to their data. While it is a significant addition to the primary authentication, MFA is still not without errors.

Multi-Factor Authentication

MFA uses more than one authentication factor to verify a user’s identity. However, these multi-factor solutions, which include one-time codes, SMS confirmation, mobile push notifications, and “security” based questions, are not as ideal for usability reasons.

While MFA ensures more reliable security, it introduces more friction and decreases the user experience. Password lockouts pause productivity and increase login fatigue. Account recovery becomes a struggle if users forget their secondary login details. MFA systems still rely on usernames and passwords as the primary authentication methods, making them susceptible to credential stuffing, phishing, brute force attacks, and other cyber threats.

Passwordless Security

Passwordless authentication is precisely how it sounds: replacing passwords with other authentication factors that are intrinsically safer. Eliminating reliance on passwords reduces frustration, increases security posture, and—perhaps most importantly—saves time.

Users can achieve passwordless security in a few ways:

• Biometrics: Physical characteristics, like fingerprint or retina scans, and behavioral traits, are used to uniquely identify a person. Even though modern AI has enabled hackers to spoof certain physical attributes, behavioral characteristics still remain extremely hard to fake.
• Possession factors: Authentication via something a user owns or carries with them. For example, the code generated by a smartphone authenticator app, OTPs received via SMS or a hardware token.
• Magic links: The user enters their email address, and the system sends them an email. The email contains a link, which grants the user access when clicked.

A passwordless approach is not the end-all-be-all for data security, but it is the start of establishing single, strong user identity and trust.

What to Expect in the Future of Authentication

Protecting our data and sensitive information is crucial for online safety, but passwords are the riskiest and weakest ways to do it. According to a Forrester report, password management takes up so much time that many large US-based corporations allocate $1 million annually just for password-related support costs. In most cases, these support costs continue to increase, despite joint efforts to introduce automation and reset tools to alleviate this password burden.

Much of the delay is caused by a lack of know-how. Most IT teams aren’t equipped to implement passwordless systems, highlighting the need for external expertise. Certain companies are noting this knowledge gap and positioning themselves to fill it. One such company, Calian, offers a passwordless setup, along with penetration testing to identify vulnerabilities and managed security services to fill the gaps.

Even though passwords are far less prevalent than ever before, they are still being used worldwide. If and when all businesses shift from insecure passwords to more secure systems, they’ll save an average of 28 minutes a day—small potatoes, but that adds up to roughly 120 hours per year.

While multi-factor authentication still prevails as the preferred method for securing personal and work accounts, it alone is not enough to prevent identity-based security breaches. Vulnerabilities still exist and continue to be exploited.

Ultimately, no authentication system exists that can’t be hacked. It may not be obvious, but it doesn’t mean that the most sophisticated hackers can’t work their way around it. However, passwordless methods that use facial, vocal, or biometric recognition to secure systems will ultimately be a more fruitful and powerful blockade against the ever-rising sophistication of present—and future—cyber criminals.