For many people, the concept of passwordless authentication can be difficult to wrap their head around. How is it that one safely logs in to and interacts with sensitive services without using a password, you may wonder?
We’d like to break down the technologies associated with modern passwordless authentication to clear up any confusion around the matter. This is an especially timely topic, as many of us use some form of passwordless authentication in our day-to-day lives, whether we’re paying for groceries, checking in at the airport, or showing a Covid-19 certificate while eating at a restaurant.
Authentication Factors
First off, the term ‘passwordless’ can be a bit misleading. Even with passwordless authentication, there often needs to be a form of "password" that you can use to access the app or service at hand, even if you have it on hand simply as a backup measure.
In authentication theory, there are three different factors: what you know, what you have, and what you are. Here’s a visualization of the various traditional authentication factors and some examples of each of them:
As you can see, it’s not a simple task to design a two-factor authentication system completely without a password (or similar knowledge factor), as there aren’t many choices to select from.
Mobile Authentication
Let’s take a deeper look at passwordless authentication accomplished using a mobile device, which falls under the “What you have” authentication category.
While the primary benefit of passwordless authentication is straightforward (you log in with your phone!), it’s important to understand that there are some complex related trends out there that all of us should be aware of. Each of the following concepts relate to standard authentication practices — now, it’s becoming increasingly possible to achieve them using passwordless authentication as well.
- Identity Roaming: Put simply, identity roaming makes it possible to use your mobile device for passwordless authentication anywhere in the world and rely on it to work, regardless of your location. Identity roaming also relates to Self-Sovereign Identity (SSI), which is a concept that we’ll dig into more deeply in a separate post. The authentication method to access SSI systems can, in certain cases, be passwordless. Ultimately, the role of passwordless authentication makes identity roaming easier and faster, enabling you to travel securely and conveniently.
- Various Levels of Assurance: We make use of authentication in an array of situations with different so-called “levels of assurance” — in other words, we lean on the same technology to confirm our identity to a government official as we do when paying for a cup of coffee at our favorite cafe. Clearly, these transactions need to be straightforward and efficient in order for them to remain feasible options. Fortunately, there are efforts underway to streamline their use. For example, the regulation of these levels of assurance are now backed up by EU legislation efforts designed to allow people and businesses to use their own national electronic identification schemes to access online public services in fellow EU countries.
In the aforementioned use cases, passwordless authentication removes the need to interact with passwords in each of these scenarios. When factoring in the possibility of using passwordless authentication with various levels of assurance, the need for having secure passwordless authentication becomes clear. Without having security on lock, we’d be exposing our personal data and leaving it open to attack by cybercriminals.
- Ongoing Global Cyber Warfare: Mass surveillance and authentication attacks continue to become more prominent threats across the globe. This is especially true in countries whose citizens have limited digital rights and whose data is readily accessible by government agencies. With our digital identities being more frequently used in everyday services, there’s no shortage of opportunities for large-scale cyber attacks between major political players.
Passwordless authentication systems are usually built on cryptography, which is more resilient than password-based systems and can minimize the impacts of cyberattacks. The use of passwordless authentication might slow down government-grade attacks on its own. However, having a quantum-resistant cryptographic system that backs passwordless authentication would make combating cyber warfare even more efficient in the long run.
Our Solutions: Mobile-First Authentication
Wultra’s approach to passwordless authentication is two-pronged. Our solution is available either as a Mobile Token, a standalone app, or as a Mobile SDK, each method corresponding to the services that banking customers use for secure, passwordless access. Both of our solutions ensure integrity of sensitive transactions in applications that require the highest level of trust assurance and regulatory compliance.
When Using Mobile Banking Apps
Customers of mobile banking usually approve payments that they enter in mobile banking apps using a biometric authentication method, be it a facial recognition or a fingerprint scan. Put simply, the payment is both initiated and approved in the mobile app.
When Using Web Internet Banking
Compare the above with using internet banking service on the web. In this scenario, customers only approve payments that they’ve initiated in internet banking using biometric authentication on their mobile device after a payment arrives via an informative push notification. The operation is initialized in internet banking and finalized in the mobile app. The approval mechanism described above is also known as "push authentication", which is the core mechanism utilized by Wultra’s Mobile Token.
.webp)
