
Passwordless Logins vs Multi-Factor Authentication


When you scale up to the size of a business, your login and password protection methods need to stand up to scrutiny. But between forgoing passwords altogether in favor of alternative identity verification methods and adding a layer of security on top of traditional passwords, which is the right choice?

Cybersecurity for Businesses

Cybersecurity for businesses is essential to protecting their digital assets. But while it’s relatively easy to implement strong and all-encompassing physical and digital security systems that cover all aspects and eliminate emerging gaps, the balance of the system can easily fall into chaos when the human element is introduced into the mix. Devices, apps, and systems interact with the security system in predictable ways; the actions of the people in it are much harder to predict.

Most cyberattacks directed at individuals and corporations tend to take advantage of the human element. In 2017, over 90 percent of cyberattacks took advantage of people within the network as either a primary or a secondary means of attack. The exploits weren’t limited to taking advantage of direct human error and poor cyber hygiene, though. They also employed phishing schemes over a long period of time to create a way in.

So while raising cybersecurity awareness among your staff members, especially those with high access privileges, is necessary, it’s also important to secure access points to mitigate errors and exploitation. But between eliminating the risk of a password that could be guessed or leaked and adding a verification method beyond a traditional password, which one should you use?

What Are Passwordless Logins?

Passwordless logins, also known as passwordless authentication, are an identity authentication method that allows users to log in to computer systems and accounts without having to enter a password combination. The login approach uses an asymmetric encryption method and two cryptographic keys—private and public. What makes it different from traditional login methods is the lack of knowledge-based credentials, where the system and the user need to have identical copies of the password.

To qualify as a passwordless login, the login credential needs to be something the user acquires at the moment of logging in, like an email or an SMS message with a link or a randomly generated code. Another option is for the login key to be a piece of information that’s unique to the user and can’t be changed or replicated, such as biometrics: anything from their fingerprints to their face and voice.
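The key-pair login described above can be sketched as a signed challenge; this is an added example, not code from the original article. Ed25519 signatures from Node's built-in `crypto` module stand in for the asymmetric method, and all function names and the 60-second lifetime are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical in-memory server state: public keys and outstanding challenges.
function newServer() {
  return { publicKeys: new Map(), pending: new Map() };
}

// Enrollment: the device keeps the private key; the server stores only the
// public key, so there is no shared secret to leak from the server side.
function enroll(server, user) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  server.publicKeys.set(user, publicKey);
  return privateKey; // stays on the user's device
}

// Server: issue a fresh random challenge, valid once and for 60 seconds.
function issueChallenge(server, user, now = Date.now()) {
  const challenge = crypto.randomBytes(32);
  server.pending.set(user, { challenge, expires: now + 60000 });
  return challenge;
}

// Device: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey);
}

// Server: burn the challenge first (single use), then check expiry and signature.
function verifyLogin(server, user, signature, now = Date.now()) {
  const entry = server.pending.get(user);
  server.pending.delete(user); // a captured signature cannot be replayed
  const publicKey = server.publicKeys.get(user);
  if (!entry || !publicKey || now > entry.expires) return false;
  return crypto.verify(null, entry.challenge, publicKey, signature);
}
```

Because every challenge is random and single-use, a signature observed on the wire is useless for a later login, and a breach of the server's key store exposes only public keys.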

What Is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a digital identity verification and authentication method that adds one or more steps to log in on top of passwords. Its main purpose is to prevent unauthorized access to an account or device in case the password fails.

There are many ways you can add MFA to an account. It may overlap with passwordless logins if the second and third steps of the login process include an email or SMS message code, or scanning in the user’s biometrics. More common methods include using a one-time password (OTP) that’s generated on a separate device. One of these approaches is often layered with a login token that the user scans, or inserts into the device in the form of a USB stick, to log in.
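The sketch below shows a password plus a device-generated OTP checked together on the server; it is an added example, not code from the original article. It assumes the OTP is a time-based code in the style of RFC 6238 (HMAC-SHA1, 30-second steps), and the account layout and function names are hypothetical.

```javascript
const crypto = require("crypto");

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[19] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function totp(secret, unixSeconds, digits = 6) {
  return hotp(secret, Math.floor(unixSeconds / 30), digits);
}

// Accept the current step or one either side (clock drift); refuse any step
// at or before the last accepted one so an observed code cannot be replayed.
function verifyTotp(account, code, unixSeconds) {
  const given = Buffer.from(String(code));
  const current = Math.floor(unixSeconds / 30);
  for (const step of [current - 1, current, current + 1]) {
    if (step < 0) continue;
    const expected = Buffer.from(hotp(account.totpSecret, step));
    if (step > account.lastStep && given.length === expected.length &&
        crypto.timingSafeEqual(given, expected)) {
      account.lastStep = step;
      return true;
    }
  }
  return false;
}

// Both factors must pass: a guessed or leaked password alone is not enough.
function login(account, password, code, unixSeconds) {
  const hash = crypto.scryptSync(password, account.salt, 32);
  const passwordOk = crypto.timingSafeEqual(hash, account.passwordHash);
  return passwordOk && verifyTotp(account, code, unixSeconds);
}

// Constructed sample account (values are made up for this example).
function makeAccount(password, totpSecret) {
  const salt = crypto.randomBytes(16);
  return { salt, passwordHash: crypto.scryptSync(password, salt, 32),
           totpSecret, lastStep: -1 };
}
```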

How Well Do They Work With Businesses?

Whatever the solution, just because it works for users or small teams doesn’t mean it will work just the same for businesses. The level of security threats varies drastically between average internet users and corporations with a known name and a general public understanding of what data their systems and networks may hold.

Security

When it comes to login credentials, security is measured by how hard it is for an unauthorized third party to acquire or spoof the logins. For passwordless authentication, it depends on the method used to verify the user’s identity and how secure it is. If it relies on a code or link sent via email or text message, then the login info is only as secure as the email account or SIM card. This can turn into an endless chain where every next step in the login chain needs its own verification method and security. For instance, emails can be secured by enabling two-factor authentication (2FA), a biometric, or hard or soft tokens.

Resistance to biometric spoofing, on the other hand, relies on the accuracy and intelligence of the system used to identify the biometric elements. The technology varies even among consumer-grade companies: Android devices were tricked by a 3D-printed face while iPhone devices weren’t.

When it comes to MFA, because it still relies on a traditional password that could be compromised, a portion of the hacker’s work is done for them if they manage to guess it, retrieve it from a breached database, or crack it with a brute-force attack. This leaves a big portion of the security in the hands of the second and third authentication methods used and how hard they are to hack or spoof.

Ease of Use

While it’s essential for all employees in a company to know the basics of cybersecurity, especially if their work includes them logging in to a system, account, or device connected to others in the company, it’s important that the login requirements aren’t too technical. Using location data or biometrics to log in can be straightforward and easy to scan, especially with the rise of face recognition and fingerprints in most consumer-grade smartphones and desktops.

The same can’t be said about soft and hard authentication tokens, codes, and links. Such methods have more than one step to verify and include transferring data. Also, most of them rely on emails and cellphones, which are hackers’ preferred avenues of attack.

Having varying levels of security and technical knowledge in your company might mean you’d have to adopt different security methods and login approaches depending on the department. While this ensures utmost security and reduces the element of human error, it adds the work of making sure all logins remain secure, have no publicly known vulnerabilities, and are compatible with the main system.

Scalability

Scalability and cost play a primary role in what security measure your company might decide to adopt. Passwords and direct methods of MFA can be easier to implement as they often rely on the employee’s preexisting devices, emails, and phone numbers. But when it comes to tokens and biometrics—whether as MFA or passwordless authentication—scalability and cost can be an issue due to the needed number of physical cryptographic keys, biometric scanners, and location verification software.

To get around the cost and scalability issues, consider segmenting network security. That way, departments with access to more sensitive information can have the most secure authentication methods while other departments are isolated with less sophisticated approaches.

Anina Ot
Anina is a freelance technology content writer who has been writing about security, privacy, cloud computing, and infosec for the last 3 years. She started writing with the goal of making technology and privacy more accessible before switching to writing for B2B and personal security, software development, and SaaS companies.
