Passwordless: The use of passwords to access a system or service is a well-established practice, but it does not always offer users a good experience. To be secure, a password must be strong: not a word found in a dictionary, and made up of letters, numbers, and special characters. Such a password is hard to memorize and, precisely because it is complex, users tend to reuse it across many services. The average user's reasoning is roughly: "I choose a secure password, I memorize it, and I always use that one."
A valid password should be strong and secure, but it often becomes difficult to memorize
Unfortunately, reusing the same credentials across multiple services, however convenient, does not provide a good level of security: if one system is compromised, the problem spreads easily to the others, with damage that is hard to predict. Even without reaching an extreme such as a compromised system, passwords cause far more mundane problems, starting with simply forgetting them. Passwordless solutions are a possible alternative that is very advantageous for the user and, as we will see later, for organizations too. These technologies are relatively recent, and their spread and adoption date back only a few years.
How passwordless authentication works
Passwordless authentication is fundamentally based on the possession of two elements, one public and one private, both required for the process to succeed. The public part resides on the systems that provide the service one wants to authenticate to and is supplied during registration; it can simply be the username or another identifier delivered to the user securely by the service operator.
The private element needed for authentication instead resides on a physical device owned by the user. This can be, for example, a hardware token that generates temporary codes, or an app installed on a smartphone for the user's exclusive use. With the latter, the user can also benefit from the security offered by fingerprint or face recognition. Alternatives include retinal scanning with suitable hardware, or voice recognition. The principle underlying these solutions is therefore: identify the user by something in their possession or by a unique characteristic of the user themselves.
The authentication process, that is, the operations the user must carry out, can be exemplified as follows: enter the public component on the web page of the service to authenticate to, then complete the procedure by supplying the remote service with the private component, for example via a personal smartphone that receives a notification and a confirmation request to approve the login. Many other variants are possible, such as an app generating a temporary code to be entered on the web page together with the public component, or inserting a smartcard into a dedicated reader.
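As an added example, not code from the original article, here is the flow just described in Go: the service stores only the public element (an identifier mapped to a public key), the private element stays on the device as an ed25519 signing key, and a login is a one-time random challenge that the device signs and the service verifies. The Service/Device API, the 32-byte nonce and the identifier names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Service keeps only the public element per identifier plus each pending challenge; a breach here yields no reusable secret.
type Service struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte
}

func NewService() *Service {
	return &Service{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}
// Register stores the public element supplied at enrollment under the user's identifier.
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh random nonce once the user has entered the public component.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown identifier")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}
// Verify checks the signature over the pending nonce and consumes it, so a captured approval cannot be replayed.
func (s *Service) Verify(user string, sig []byte) bool {
	nonce, ok := s.nonces[user]
	if !ok {
		return false
	}
	delete(s.nonces, user)
	return ed25519.Verify(s.pubKeys[user], nonce, sig)
}

// Device models the user's phone or token: the private element never leaves it.
type Device struct{ priv ed25519.PrivateKey }
// NewDevice generates the key pair at enrollment; only the public half is registered with the service.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err
}
// Approve is the "tap to confirm" step: sign the challenge with the private element.
func (d *Device) Approve(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```

Because the service never holds the private key, a dump of its user store gives an attacker nothing to log in with, and each nonce is deleted on first use so an intercepted approval cannot be replayed.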
Advantages of a passwordless solution
In such a scenario, even a successful breach of the system does not put the user's access credentials into the hands of attackers. At the same time, the user is relieved of the burden of memorizing and managing passwords.
For organizations, the advantages are many: the workload caused by handling stolen or lost passwords is significantly reduced. Users themselves also gain in productivity by adopting a passwordless solution: access to services becomes much simpler, since it requires no memorization, only possession of their own smartphone or another hardware device selected by corporate IT.
Microsoft is also investing in the passwordless world.
To be considered a valid alternative, a passwordless solution must be implemented appropriately: it must appear to the user as a simpler option, capable of identifying them, for example, using only their smartphone. Microsoft is refining passwordless authentication on several fronts, starting with Windows 10, which integrates technologies that support the most recent passwordless solutions and also offers dedicated apps for users to install on their smartphones. Furthermore, this kind of solution can exploit the Trusted Platform Module (TPM) to protect the cryptographic keys with which data and information are encrypted.
Passwordless technologies benefit everyone involved in the process. For the end user, everything translates into secure and simplified access to online services, while organizations can obtain these software solutions from reliable partners.