How to implement passwordless authentication

Worried about leaked credentials? We explain how to shut down the risk by ditching passwords entirely

The drive to kill passwords has been underway for years, with companies including Yahoo and Microsoft campaigning to bring passwordless authentication into the mainstream. Critics have argued that passwords are surprisingly insecure, especially when compared with modern, relatively foolproof alternatives.

Ditching altogether what has been a fixture of computing for decades, however, might seem daunting. With uncertainty still surrounding newer technologies such as biometrics, it's little surprise that businesses, in general, have refrained from moving away from passwords in any meaningful way.

To clarify some of the anxieties, and the mystery, surrounding passwordless authentication, we’ve summarised the most pressing questions that might come to mind when you consider eliminating passwords from your business. 

Passwordless authentication: Logging in without a password? That doesn’t sound very secure

On the contrary – done properly, it's more secure than a traditional username and password combination. The idea is that, rather than relying on a phrase that could be typed in by anyone, you use something physically tied to you. That might be a biometric identifier – such as your fingerprint or the shape of your face – a physical device such as a USB key, or an app running on your mobile phone, which is itself secured with biometrics. Most passwords nowadays are obtained by phishing attacks, or by stealing a database of credentials from poorly protected 'service A' and then trying them all on 'service B' to see if any have been reused.

Passwordless authentication: Is this really necessary? We already have a strict policy that enforces strong passwords 

The idea that passwords must be of a certain length and complexity dates from an age when hackers would try to brute-force their way into systems by guessing all possible character combinations.  

Passwordless authentication: Is this the same thing as the single sign-on fad of a few years ago? 

The motivation isn’t dissimilar. Single sign-on (SSO) became popular when big companies realised their standard Windows XP build included 93 applications that each handled their own authentication process. Not only was this a recipe for confusion, it meant there were 93 potential vulnerabilities to worry about. Using a centralised passwordless authentication solution can help, but there’s nothing inherent to a passwordless architecture that actually requires SSO. The goal isn’t to minimise the number of different authentication systems you’re dealing with, but to reduce reliance on the most vulnerable methods. 

Passwordless authentication: This sounds like a ploy to get us to invest in biometric sensors

A robust passwordless system should offer a variety of authentication methods – so you can log in with a face scan or a fingerprint while you’re in the office, but when all you have is a patchy mobile signal, you can receive an SMS login code. This can save you money by reducing support calls from users who can’t get into their accounts – and, for what it’s worth, a little fingerprint reader puck ought not to set you back much over £30. 

Passwordless authentication: What about customer accounts – should those be passwordless too?

That might not be your decision to make, at least not entirely. If you’re a small business wanting the advantages of shopping baskets, credit card processing and all the rest of the e-commerce experience, your bank will want your customers to fit in with its own policies.

That’s not a huge problem, though. Look after your own customer accounts and let the bank worry about the rest. In time, customer-side shopping interfaces will adopt the latest and safest technology. You can reduce the risk by insisting on unique passwords that change regularly, but users tend to hate that. They’ll be happier, and you’ll be safer, if you switch to an approach that skips the password altogether.  

Passwordless authentication: That sounds good in theory, but how would we go about implementing it? 

In most cases you don't implement it yourself – this is the sort of thing that's best done at the level of the operating system (OS) or service framework. For bespoke application stacks, there are plenty of third-party security providers that can help out, while Windows 10 and Windows 11 already support biometric logins, and Microsoft Azure AD lets you allow users to sign in to online services with the Authenticator app. The Google app suite can similarly bring up a notification on any signed-in Android or iOS device that lets users confirm their identity without typing in a password.

Biometrics aren’t a magic bullet, and, in some ways, they’re worse than passwords. If an attacker gets hold of your fingerprint data or your retinal scan, you can’t conveniently ditch the compromised body part and generate another one. Happily, there’s no need to share your vital statistics with the world. Real purists might stick to app-based approaches, and only use their biometrics to unlock a phone or workstation, which, in turn, generates a one-time login code. 

It's perfectly possible, however, to use biometrics securely online, thanks to a set of standards dubbed Fast Identity Online 2 (FIDO2). One key principle of FIDO2 is that your biometric credentials themselves are never transmitted; rather, they're used on your device to unlock a cryptographic key that securely confirms your identity. What's more, each website or service gets its own unique key, so it's mathematically impossible to track individuals across sites.
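To make that principle concrete, here is an added, deliberately simplified model in Go (not code from the article or from the FIDO Alliance): an authenticator that holds one private key per relying party, hands out only public keys, and signs server challenges bound to the site's identifier. The relying-party IDs, challenge bytes and the `payload` construction are constructed stand-ins for WebAuthn's real data structures. It also shows why the phishing route described earlier fails: a look-alike domain has no credential, so there is nothing for the device to sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO2 device: one private key per relying party (RP) ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh key pair for rpID and returns only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// payload binds the signature to the RP ID actually being visited (a stand-in for WebAuthn's authenticatorData || clientDataHash).
func payload(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Assert signs the RP's challenge with the key registered for that RP ID; a look-alike domain has no key, so nothing is signed.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, payload(rpID, challenge))
}

// Verify is the server side: check the assertion against the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, payload(rpID, challenge), sig)
}

func main() {
	auth := Authenticator{}
	pubA, _ := auth.Register("shop.example")
	pubB, _ := auth.Register("bank.example")
	challenge := []byte("constructed-challenge") // real RPs send 16+ random bytes
	sig, _ := auth.Assert("shop.example", challenge)
	_, err := auth.Assert("shop-example.evil", challenge) // phishing domain: no key
	fmt.Println("linkable:", pubA.Equal(pubB), "login ok:", Verify(pubA, "shop.example", challenge, sig), "|", err)
}
```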
