How will “passwordless” logins work and what will it look like?
The passwordless revolution has begun. While passwords will most likely still be with us for many years to come, many organisations are moving to passwordless logins and promoting the benefits of dropping those passwords, and we take a look at what that will look like and why passwords may soon be a thing of the past.
With the news that Microsoft is allowing all of its users to scrap the traditional password altogether, “passwordless” login technologies are expected to surge in popularity. Passwordless logins are often touted as a more secure method of logging into accounts than traditional passwords, but how does scrapping the iconic password make an account more secure?
What will passwordless logins look like?
There are a number of potential passwordless alternatives to logging in with passwords, and most of these will use an authenticator app installed on the user’s smartphone.
An authenticator app is an app installed on the user’s smartphone that is designed to work in conjunction with a login page to help authenticate a user.
It means that someone logging into a user’s account will need access to the authenticator app, and thus access to the user’s smartphone.
Many users may already be familiar with these apps when using them for multi-factor (or two-factor) authentication. Authenticator apps can use a variety of different authentication methods, including
- Push notifications. The user will simply need to push a notification generated by the authenticator app (for example below from Microsoft, the user is asked to press the correct number) to login. The user will also need to login to their device using their chosen PIN or biometric to complete the account login, and the app itself may also be locked using PIN or biometric data.
On the left a login screen on a user’s computer. On the right the Microsoft authentication app on the user’s smartphone used to authenticate the login. - A PIN. The authenticator app can produce a PIN code to enter into the account login page. This is useful if the smartphone is not connected to the Internet.
Authenticator apps are likely to become the most popular passwordless login method among home users. In which case, passwordless logins will involve a user entering their username on a login page before being prompted to open their authenticator app on their phone (which may itself be locked using a PIN or biometric ID) and authenticating using one of the options above.
Sponsored Content. Continued below...
Bu why get rid of the password?
You may ask why getting rid of passwords is worth it, considering users still need to go through the rigmarole of unlocking and opening their smartphones, sticking in USB keys, pushing buttons or using fingerprint ID etc.
The answer is two-fold, but are both linked to the same fundamental flaw; human nature.
Passwords are less secure. Many attacks on both business and home users are the result of data breaches, where cyber-criminals have compromised businesses and obtained and decrypted large masses of passwords belonging to its users. And despite persistent advice from the cybersecurity field, many users still insist on using the same password across multiple accounts, meaning such data breaches put multiple accounts at risk. Passwords can also be stolen via phishing scams and keylogging software.
Password are less convenient. The differing, evolving and often contradictory advice about passwords is a reflection on their convenience, or lack thereof. We’re told to create strong passwords, which can be difficult to remember. Many insist on also changing passwords periodically, which can lead to “password fatigue” where users instead default to simpler passwords that are easier to remember.
There are alternatives to authenticator apps. For example a computer itself may use biometric data belonging to the owner, or the user could use physical USB keys to authenticate instead of a password.
Sponsored Content. Continued below...
Two factor authentication
The more security conscious are likely to already have Multi-Factor Authentication or Two-Factor Authentication enabled, meaning two steps are required to login (e.g. a password and an authenticator generated PIN.)
2FA becomes a bit more complicated once passwords are taken out of the equation, since the user will still need to different methods to authenticate themselves.
However many who promote passwordless login argue that a secure passwordless login option negates the need for 2FA since the option itself will need at least two factors to successfully authenticate. For example, a user would need possession of their smartphone (something you have) and will need to unlock it using the phone’s PIN (something you know) and then could lock the authenticator app using TouchID (something you are.)
Sponsored Content. Continued below...
But it’s not plain sailing for passwordless
But of course, there are potential problems that arise here. Namely, what happens if you lose your phone, and with it the authenticator app you need to login. Microsoft do provide “back-up” methods to circumvent the authenticator app, they say. This can include facial recognition technology (which requires a laptop) or a physical USB key (if you have one) or SMS and email PIN codes (but these are often seen as vulnerable, thus making the passwordless option less secure.)
Additionally, those leading the charge on passwordless, with includes Microsoft, have been criticised for leapfrogging too deeply into passwordless far too early, when the technology is still in its infancy and vulnerable to attack. Microsoft is currently being criticized for vulnerabilities found in its Azure cloud computing service – a service that incidentally will play a vital role in their solution to passwordless logins.
But passwordless logins are likely to become increasingly popular way of accessing our online accounts. Let us know if you’d consider this type of technology or whether you’d rather stick to your traditional password (and, we hope, your 2FA solution.)
Keep up-to-date with all the latest cybersecurity threats and our tips to stay safe online. Follow us on Facebook, Instagram and Twitter.
Continued below...
Thanks for reading! But before you go… as part of our latest series of articles on how to earn a little extra cash using the Internet (without getting scammed) we have been looking into how you can earn gift vouchers (like Amazon vouchers) using reward-per-action websites such as SwagBucks. If you are interested we even have our own sign-up code to get you started. Want to learn more? We discuss it here. (Or you can just sign-up here and use code Nonsense70SB when registering.)
Become a Facebook Supporter. For 0.99p (~$1.30) a month you can become a Facebook fan, meaning you get an optional Supporter Badge when you comment on our Facebook posts, as well as discounts on our merchandise. You can subscribe here (cancel anytime.)
