Keeping company data safe is a top priority in a fast-paced digital world. Multi-factor authentication (MFA) has been a go-to for adding extra security layers to prevent illegitimate users from accessing your system and data, but not all MFA methods are created equal. MFA is the process of authenticating a user based on multiple factor types. Factor types fall under three categories: something you know (e.g. passwords), something you possess (e.g. your cell phone), and something you are (e.g. your fingerprint). If you are relying on knowledge-based authentication, then it is time to rethink those “secret” codes (your pet’s name isn’t as secure as you think it is, trust me). Your memory is no longer the security hero you thought it was. Let’s explore your options when it comes to passwordless authentication.
This blog will explore why passwordless authentication is better than knowledge-based authentication when it comes to choosing methods for multi-factor authentication. It will also touch on Authentication Assurance Levels (AALs), which measure the strength of your multi-factor authentication (MFA) methods. Each of these levels has approved MFA methods that increase in strength and require re-verification more often. Each level has its advantages, whether it’s stronger security or user convenience. Choosing the level that is right for your business, in conjunction with passwordless authentication methods, will keep your business safe from attacks.
Passwordless Authentication
Passwordless authentication is a way to sign into an application or system without a password or knowledge-based security questions. Instead, a user will verify their identity with another form of evidence, such as a fingerprint, a one-time password or code sent to a mobile device, or a hardware device that generates cryptographic keys, like a FIDO2 security key. Passwordless authentication is a preferred authentication method because knowledge-based authentication can be a bigger security risk.
Knowledge-based authentication is vulnerable to security risks because it relies on personal information. Knowledge-based authentication, in the form of a question, might include your mother’s maiden name, the city you were born in, or the name of your pet. The answers to these questions can easily be found in public records or on social media. Knowledge-based authentication in the form of passwords is just as vulnerable. A weak password is typically easy to guess or crack because it lacks complexity, length, and unpredictability. Users will often reuse these passwords across multiple websites, compromising all their accounts if an attacker breaks into just one account. According to StrongDM, small businesses are more at risk of attack since cybercriminals assume that they have these weaker security measures in place. A recent study stated that small businesses experience 350% more social engineering attacks than larger enterprises because of this.
Passwordless authentication is more secure because it requires you to use biometrics or cryptographic keys which are harder to steal. Passwordless authentication can also simplify the login process and eliminate the need for remembering and resetting passwords. It can also eliminate risky password management practices, such as repeating passwords and security questions throughout multiple sites.
There are many passwordless authentication methods available, each with its own benefits. Here are some of these methods:
- One-time passcodes (OTP): This is a password that is only valid for one login. The user’s username will stay the same, but the one-time password changes with each login. This is a secure method of authentication because a captured username/password pair cannot be used a second time.
- Authenticator apps: This is a mobile app that generates a one-time password. They are typically used as the additional step in two-factor authentication. This is a secure method because the code is kept local to your device and is reset every thirty to sixty seconds.
- Magic links: This is a unique URL that is typically emailed to a user, but can be sent via other messaging platforms. This is a secure method because it is only sent to verified email addresses and becomes invalid after a set period or once the link has been used.
- Biometrics: This method uses a user’s unique physical characteristics such as fingerprints, facial features, voice recognition, etc. This is a secure method because these unique features are specific to each person and are stored encrypted on your devices.
- FIDO2: This is a hardware device that allows users to authenticate themselves by using biometric authentication. The device uses cryptographic algorithms to generate a pair of private and public keys which are used to authenticate the user on their device. This is a secure method because the private key never leaves the user’s device, making it nearly impossible to steal or intercept.
Authentication Assurance Levels
Authentication Assurance Levels (AALs) measure the strength of an authentication method and the confidence in it. There are three AAL levels, higher levels meaning stronger authentication and higher confidence. The reason you may choose the lowest level, AAL1, is if you have a low-risk environment where user convenience is a priority. While a stronger authentication level may not be the most convenient for users, it can effectively reduce the risks of attacks.
The first Authentication Assurance Level, AAL1, provides some assurance that the user controls an authenticator connected to their account. AAL1 requires either single-factor or multi-factor authentication using a wide range of authentication technologies (the most lenient of the three levels). Reauthentication is strongly recommended once every 30 days, regardless of user activity.
The second Authentication Assurance Level, AAL2, provides high confidence that the user controls the authenticator(s) connected to their account. Proof of possession and control of two different authentication factors is required, and only approved cryptographic technologies are allowed at AAL2 and above. These technologies can include the use of multi-factor authenticators, like a multi-factor OTP device, which generates a one-time password after activation by an additional authentication factor such as a fingerprint. Another approved method is a combination of two single-factor authenticators, like a code from an authenticator app and a memorized secret. A user should re-authenticate once every 12 hours regardless of user activity, or after any period of inactivity lasting 30 minutes or longer.
The third Authentication Assurance Level, AAL3, provides very high confidence that the user controls the authenticator(s) connected to their account. AAL3 authentication is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires the use of a hardware-based authenticator and an authenticator that provides resistance to verifier impersonation. A FIDO2 security key may fulfill both of these requirements. It is also required that AAL3 authentication uses two distinct authentication factors from the approved cryptographic techniques. This level also requires a user to reauthenticate once every 12 hours, regardless of user activity or following any period of inactivity lasting 15 minutes or longer.
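The three levels above boil down to two checks a verifier has to make: which AAL a given combination of authenticators can satisfy, and when a session at that level must be re-authenticated. Here is an added example (my code, not from the original post or from Zirous) that models both using the factor rules and the 30-day, 12-hour/30-minute and 12-hour/15-minute limits stated above. The `Authenticator` model and its `hardware` and `vi_resistant` flags are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you possess"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset          # factor types this one authenticator proves
    hardware: bool = False      # hardware-based (an AAL3 requirement)
    vi_resistant: bool = False  # resists verifier impersonation (an AAL3 requirement)


# Reauthentication limits from the post, per level: (max session age, max inactivity) in seconds.
# None means the post states no inactivity limit for that level.
POLICY = {1: (30 * 24 * 3600, None), 2: (12 * 3600, 30 * 60), 3: (12 * 3600, 15 * 60)}


def achievable_aal(auths):
    """Highest AAL a login with these authenticators satisfies (0 if nothing was proven).
    AAL1: at least one factor. AAL2: two distinct factor types, which a single multi-factor
    authenticator (e.g. a fingerprint-activated OTP device) can provide on its own.
    AAL3: two distinct factor types plus hardware and verifier-impersonation resistance."""
    factors = set()
    for a in auths:
        factors |= a.factors
    if not factors:
        return 0
    if len(factors) < 2:
        return 1  # e.g. two authenticator apps still prove only "something you possess"
    if any(a.hardware for a in auths) and any(a.vi_resistant for a in auths):
        return 3
    return 2


def reauth_due(level, authenticated_at, last_activity_at, now):
    """Return None while the session is still valid at `level`, else the limit that was hit."""
    max_age, max_idle = POLICY[level]
    if now - authenticated_at >= max_age:
        return "session age"
    if max_idle is not None and now - last_activity_at >= max_idle:
        return "inactivity"
    return None
```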
Zirous Can Help
Your business is unique and may need different levels of security to protect your business. Zirous is partnered with the best security tools. Sign up for a discovery session to figure out which authentication method is right for you and your business. When you book your discovery session, you will get a coffee on us to help fuel the discussion!