Passwordless Authentication: Basics and Benefits
As technology advances, so do the ways we protect our data and personal information. Traditional passwords and security Q&A methods are no longer as effective as they once were. That’s why many financial institutions, including banks and credit unions, are now doing away with passwords across some or all channels. Let’s look at what passwordless authentication is, how it works and why it’s become such a popular security measure.
What Is Passwordless Authentication?
Passwordless authentication is a security method that doesn’t require users to enter a password in order to access their accounts. Instead of using traditional passwords, users can use biometrics or one-time codes to prove who they are. It eliminates the need to remember, write down, store, recover or change passwords.
Passwordless authentication is becoming increasingly popular because it eliminates the risks associated with traditional passwords, such as phishing attacks and brute-force attacks (which occur when hackers try to guess your password).
How Does Passwordless Authentication Work?
How passwordless authentication works varies depending on the solution you choose. Generally speaking, there are two popular methods: biometric verification and one-time codes.
With biometric verification, users can access their accounts by scanning their fingerprint or face, or by speaking to have their voice verified. With one-time codes, users will receive an SMS message or email with a unique code that they need to enter before they can access their account. This code changes every time the user logs in. These single-use codes demonstrate that a user has access to a specific, preauthorized and recognized device.
Popular Passwordless Authentication Solutions
There are numerous passwordless authentication solutions available today. There are also many specialized authentication vendors that serve specific markets and use cases. The best passwordless authentication platform to implement depends on the use case and existing tech stack.
Each solution offers different features and levels of security depending on an organization’s needs and user requirements. Here are some examples:
- Auth0 offers its own range of biometric sensors for fingerprint scanning.
- Duo Security focuses on two-factor authentication (2FA) and offers both face and fingerprint biometrics.
- Microsoft’s Azure Active Directory passwordless authentication options include face, iris and fingerprint scanning, as well as PIN gestures.
- The MS Authenticator App is a mobile version that uses the device itself, a one-time number and face, touch or PIN as a passwordless credential.
- Illuma Shield™ offers passive voice authentication for telephony systems, particularly call center environments in financial institutions. This form of passwordless authentication happens in the background during the initial seconds of natural conversation.
- Other providers often use active voice verification that requires users to repeat a spoken phrase such as, “My voice is my password.”
How Secure Is Passwordless Authentication?
Is passwordless authentication safe? Passwordless verification measures vary in the level of security they provide. They are typically much more secure than traditional passwords.
- Live, real-time biometric authentication is considered highly secure since it can’t be stolen, guessed, phished or hacked.
- One-time passwords (OTPs) are still passwords and can sometimes be intercepted or otherwise overcome by tech-savvy identity thieves.
- Many passwordless systems include multi-factor authentication to increase the level of overall security. This approach must be carefully considered to balance security vs. convenience for the user.
What Are the Benefits of Passwordless Authentication?
There are numerous benefits associated with using a passwordless authentication solution over traditional passwords:
Improved User Experience – Passwordless authentication makes it easier for users to access their accounts without having to remember complex passwords or deal with long login processes including security Q&A. With no passwords required, users can quickly access their accounts without worrying about forgetting critical information and being locked out of their accounts by mistake.
Increased Account Security – Since passwords aren’t stored anywhere (either on a central system or on the user side), there are no passwords for hackers to steal and use in account takeover attempts. Passive biometrics in particular are proving very difficult for fraudsters to circumvent.
Note: There is recent evidence that using a single pre-recorded phrase (such as, “my voice is my password”) for active voice authentication may be vulnerable to AI mimicry. However, this is because the AI only has to match a short, known phrase rather than engaging in real-time conversation. Passive voice authentication works very differently and offers much better protection against such attacks. It uses an algorithm for verification that identifies the characteristics of the voice in natural conversation where the caller can say anything (in any language) in real time. Mimicking a targeted voice accurately while engaging in dynamic real-time conversations with a human contact center agent is extremely difficult with today’s voice synthesis tools.
Illuma, a Credit Union Service Organization (CUSO), specializes in voice authentication software that replaces traditional knowledge-based authentication practices in call centers. Illuma provides frictionless voice authentication and fraud prevention for credit union contact centers to substantially reduce call handle times, improve member experience, and increase account security.
The company’s platform, Illuma Shield™, continuously analyzes the unique characteristics of the speaker’s voice and calling device using state-of-the-art Signal Processing, Machine Learning, and Artificial Intelligence. This proprietary voice authentication system rapidly and seamlessly validates the identity of callers during natural conversation without requiring security Q&A or spoken password phrases.