How to implement passwordless authentication


The drive to kill passwords has been underway for years, with companies including Yahoo and Microsoft campaigning to bring passwordless authentication into the mainstream. Critics have argued passwords are surprisingly insecure, especially in light of modern, relatively fool-proof innovations.

Altogether ditching what’s been a fixture in the realm of computing for decades, however, might seem daunting. With uncertainty still remaining around developments such as biometrics, it’s little surprise that businesses in general have refrained from moving away from passwords in any meaningful way.

To clarify some of the anxieties, and the mystery, surrounding passwordless authentication, we’ve summarised the most pressing questions that might come to mind when you consider eliminating passwords from your business.

Passwordless authentication: Logging in without a password? That doesn’t sound very secure

On the contrary – done properly, it’s more secure than a traditional username and password combination. The idea is that, rather than relying on a phrase that could be typed in by anyone, you use something physically tied to you. That might be a biometric identifier – such as your fingerprint or the shape of your face – a physical device such as a USB key, or an app running on your mobile phone, which is itself secured with biometrics. Most passwords nowadays are obtained by phishing attacks, or by stealing a database of credentials from poorly protected ‘service A’ and then trying them all on ‘service B’, to see if any have been reused.

Passwordless authentication: Is this really necessary? We already have a strict policy that enforces strong passwords

The idea that passwords must be of a certain length and complexity dates from an age when hackers would try to brute-force their way into systems by guessing all possible character combinations.

Passwordless authentication: Is this the same thing as the single sign-on fad of a few years ago?

The motivation isn’t dissimilar. Single sign-on (SSO) became popular when big companies realised their standard Windows XP build included 93 applications that each handled their own authentication process. Not only was this a recipe for confusion, it meant there were 93 potential vulnerabilities to worry about. Using a centralised passwordless authentication solution can help, but there’s nothing inherent to a passwordless architecture that actually requires SSO. The goal isn’t to minimise the number of different authentication systems you’re dealing with, but to reduce reliance on the most vulnerable methods.

Passwordless authentication: This sounds like a ploy to get us to invest in biometric sensors

A robust passwordless system should offer a variety of authentication methods – so you can log in with a face scan or a fingerprint while you’re in the office, but when all you have is a patchy mobile signal, you can receive an SMS login code. This can save you money by reducing support calls from users who can’t get into their accounts – and, for what it’s worth, a little fingerprint reader puck ought not to set you back much over £30.

Passwordless authentication: What about customer accounts – should those be passwordless too?

That might not be your decision to make, at least not entirely. If you’re a small business wanting the advantages of shopping baskets, credit card processing and all the rest of the e-commerce experience, your bank will want your customers to fit in with its own policies.

That’s not a huge problem, though. Look after your own customer accounts and let the bank worry about the rest. In time, customer-side shopping interfaces will adopt the latest and safest technology. You can reduce the risk by insisting on unique passwords that change regularly, but users tend to hate that. They’ll be happier, and you’ll be safer, if you switch to an approach that skips the password altogether.

Passwordless authentication: That sounds good in theory, but how would we go about implementing it?

In most cases you don’t implement it yourself – this is the sort of thing that’s best done at the level of the operating system (OS) or service framework. For bespoke application stacks, there are plenty of third-party security providers that can help out, while Windows 10 and Windows 11 already support biometric logins, and Microsoft Azure AD lets you enable users to use the authenticator app to access online services. The Google app suite can similarly bring up a notification on any signed-in Android or iOS device that lets users confirm their identity without typing in a password.

Biometrics aren’t a magic bullet, and, in some ways, they’re worse than passwords. If an attacker gets hold of your fingerprint data or your retinal scan, you can’t conveniently ditch the compromised body part and generate another one. Happily, there’s no need to share your vital statistics with the world. Real purists might stick to app-based approaches, and only use their biometrics to unlock a phone or workstation, which, in turn, generates a one-time login code.



It’s perfectly possible, however, to use biometrics securely online, thanks to a set of standards dubbed Fast Identity Online 2 (FIDO2). One key principle of FIDO2 is that your biometric credentials themselves are never transmitted; rather, they’re used on your device to generate a cryptographic key that securely confirms your identity. What’s more, each website or service requires its own unique key, so it’s mathematically impossible to track individuals across sites.
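
The two FIDO2 principles described above can be seen in a short Node.js model. This is an added example, not code from the article or from the FIDO2 specifications: the class names, the `shop.example` and `bank.example` sites and the message layout are hypothetical, and the on-device biometric check is reduced to a boolean that gates use of the key.

```javascript
// Simplified model of the FIDO2 flow; not the real WebAuthn message format.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Hypothetical authenticator: one key pair per site, private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  // userVerified stands in for the local fingerprint/face check (assumption).
  register(rpId, userVerified) {
    if (!userVerified) throw new Error('user verification failed');
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'der' }); // only this reaches the site
  }
  sign(rpId, challenge, userVerified) {
    const key = this.keys.get(rpId);
    if (!key || !userVerified) return null; // unknown site or no local unlock
    // The signature binds the site identity to the server's fresh challenge.
    return crypto.sign('sha256', Buffer.concat([sha256(rpId), challenge]), key);
  }
}

// Hypothetical website: stores a public key, never a password or a biometric.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.publicKey = null; this.pending = null; }
  enroll(der) { this.publicKey = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' }); }
  newChallenge() { this.pending = crypto.randomBytes(32); return this.pending; }
  verify(signature) {
    const challenge = this.pending;
    this.pending = null; // each challenge is single use, so a replay fails
    if (!challenge || !signature) return false;
    const data = Buffer.concat([sha256(this.rpId), challenge]);
    return crypto.verify('sha256', data, this.publicKey, signature);
  }
}

// Constructed scenario: one user, two sites, one look-alike site name.
function demo() {
  const auth = new Authenticator();
  const shop = new RelyingParty('shop.example');
  const bank = new RelyingParty('bank.example');
  const shopPub = auth.register('shop.example', true);
  const bankPub = auth.register('bank.example', true);
  shop.enroll(shopPub);
  bank.enroll(bankPub);
  const sig = auth.sign('shop.example', shop.newChallenge(), true);
  const login = shop.verify(sig);
  const replay = shop.verify(sig); // same signature, challenge already consumed
  const lookalike = auth.sign('sh0p.example', shop.newChallenge(), true);
  bank.newChallenge();
  return { login, replay, lookalikeSigned: lookalike !== null,
           crossSite: bank.verify(sig), keysDiffer: !shopPub.equals(bankPub) };
}
```

The site only ever holds a public key, so a stolen credential database contains nothing that can be replayed on another service, and the look-alike site name gets no signature because the authenticator holds no key for it.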