
Google rolls out passkeys. Here are other passwordless authentication methods


While passwords are the most common method of authentication in cyberspace and are used by millions of people worldwide, creating and managing them is not just cumbersome: weak password management is central to the entire cybercriminal ecosystem.

In May last year, aligned with the Fast Identity Online (FIDO) Alliance, Microsoft, Apple and Google teamed up to increase support for a common passwordless sign-in standard in a bid to ditch passwords and ensure a unified, secure way to log into their accounts. Earlier, Microsoft had enabled a no-password log-in for Outlook, Office, Skype, Xbox Live and other online services. And on Thursday, World Password Day (May 4, 2023), Google said it has started rolling out passkey support to both Android and Chrome, a step that further signals a password-less future.

In a blog published by Google, Sriram Karra, Senior Product Manager, said that passkeys let users sign in to apps and sites just like they unlock their devices: with a fingerprint, a face scan, a screen lock PIN or a more sophisticated physical security dongle. But unlike passwords, they are resistant to online attacks like phishing, which makes them more secure than options such as one-time codes.


These announcements reaffirm that the future of authentication is shifting as a result of new and creative techniques being developed to strengthen security and safeguard private data. Here’s a list of some other passwordless authentication methods that are used to secure modern devices and systems. 

Biometric Authentication 

Biometric authentication is a form of identification and access control that uses biological characteristics or traits to verify that a person is who they claim to be. Fingerprint scan, facial recognition, retinal scan and voice recognition are some of the most common types of biometric authentication. Experts believe that, because biometric data is hard to duplicate or steal, it is more secure than conventional authentication techniques.


The authentication landscape is also seeing a rise in AI-powered biometric authentication. Sectors such as BFSI, government and healthcare are already seeing increased adoption of AI-powered biometric authentication, as real-time data analysis using AI algorithms enables more precise identification and verification. Another example is age verification, which is increasingly becoming the norm for many online services due to regulations. For example, India’s proposed data protection bill requires all websites that collect or process any personal data to verify the age of the user, and if the user is below the age of 18, the company will have to comply with additional obligations such as getting parental consent, not profiling the child for targeted advertising, and more.

Experts, however, note that it is crucial to address privacy and security concerns and to make sure laws are in place to safeguard the sensitive data of individuals. One legal framework that governs the use of biometric data is the General Data Protection Regulation (GDPR) of the European Union. But more regulatory frameworks (which can provide standards and rules for the gathering, storing and application of biometric data) are needed to address security and privacy issues. Another example of legislation that particularly addresses biometric data is the Biometric Information Privacy Act (BIPA) in the United States. Under BIPA, businesses must seek written authorization before collecting biometric data. For example, a lawsuit was filed on Monday this week against cryptocurrency exchange Coinbase in a District Court in California, US, for the unauthorized collection and improper use of customers’ biometric data and for violating the state’s BIPA rule.

Multi-factor authentication 


Multi-factor authentication (MFA) requires two or more independent ways to identify a user, such as codes generated on the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition. Other methods use one-time passcodes (OTP) delivered as an email link, an email OTP or an SMS OTP. As the OTP is generated in real time and sent to the user’s device, it offers an extra layer of security: the code can only be used once and is only valid for a limited time, which also makes it difficult for attackers to guess or brute-force. “Every time an attacker or an unauthorized person wants to access someone else's account, the account owner will receive a notification on their mobile phone to grant or deny access,” said Sundar N Balasubramanian, managing director, India and SAARC, Check Point Software Technologies.
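The three properties the paragraph attributes to OTPs (single use, limited lifetime, hard to brute-force) are all enforced on the server side, not by the code itself. The following is an added illustration written for this article, not code from Google, Check Point or any vendor named here; the in-memory store, the 5-minute lifetime and the 5-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; a real service tunes these to its risk appetite.
OTP_TTL_SECONDS = 300   # code is only valid for a limited time
MAX_ATTEMPTS = 5        # bounded guesses make brute-forcing a 6-digit code impractical


class OtpService:
    """Issue and verify one-time passcodes that are single-use, time-limited and attempt-limited."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so expiry can be tested deterministically
        self.pending = {}           # user -> {"digest", "expires_at", "attempts"} (constructed in-memory store)

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG, not random.random()
        # Store only a hash of the code so a leaked store does not expose live codes.
        self.pending[user] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),
            "expires_at": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # in a real system this is sent out of band (SMS, email, push) to the user's device

    def verify(self, user: str, code: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self.clock() > entry["expires_at"]:
            del self.pending[user]            # expired: the user must request a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]            # too many guesses: invalidate the code outright
            return False
        # Constant-time comparison of digests avoids leaking how many characters matched.
        ok = hmac.compare_digest(entry["digest"], hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self.pending[user]            # single use: a correct code is consumed immediately
        return ok
```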

Experts believe that MFA or 2FA may be a good defense against most account hacks, but it has its own pitfalls. People may lose their phones or SIM cards and not be able to generate an authentication code. Moreover, delivery of the OTP depends on the email or SMS provider responsible for sending it. Besides, delivery can sometimes be delayed by the user’s poor internet connectivity.

Token-based authentication 


Token-based authentication technologies enable users to enter their credentials once and receive a unique encrypted string of random characters in exchange. You can then use the token to access protected systems instead of entering your credentials all over again. The digital token proves that you already have access permission. One use case of token-based authentication is social sign-in or social authentication, a process that allows users to log into an application using their existing social media accounts, such as Facebook, Twitter, Google, LinkedIn and more. This makes it easier for the user to sign up, using just that one-time password; thereafter, they do not need to create or remember an account password if they are using the same device.

Experts believe that with more businesses getting verified identities via social login, it can effectively reduce fake user accounts. Nonetheless, popular social providers like Facebook, Google and Twitter are geo-restricted in some places, such as China, and many believe no method is bullet-proof. Jocerand Leroy, a cyber-security specialist with France-based life sciences firm Lifen, said this login mode using social networks is still limited in companies, particularly because of the dissociation between personal identity and professional identity.

To sum up, while passwords will exist for some time to come, they are often frustrating to remember and put users at risk if they end up in the wrong hands. The industry is already working on simpler and safer alternatives to passwords. Until then, the only way in which organizations can withstand password attacks is by adhering to the password best practices recommended by experts and regulatory standards.
