What is Passwordless Authentication?

The notion of eliminating employee logins is inspired by convenience as much as security. Generally speaking, passwordless authentication is any process that can confirm a user’s identity without requiring their credentials (i.e. passwords). Smaller organizations are increasingly using this newer approach because of its effectiveness in reducing or eliminating password theft, whether by scam, misuse or some other exploitation. Going completely passwordless means access is granted only when identity has been validated, either by MFA (multi-factor authentication) or another option. As is often the case with trends in the tech industry, new identity-confirming techniques constantly surface.

The Push Notification System

Push notifications are among the more common passwordless options: the user is sent a one-time verification code or link to a previously authenticated device. Assuming that user then completes the required action within the pre-set time, the identity is confirmed, and they are granted access to critical files, software or systems. Like other non-password-based systems, push-based authentication can be employed as either a standalone option or as part of a series of verifying measures.

Unfortunately, as with any type of credentialing, push identity has been hit with some attacks. In particular, users can be bombarded by such prompts – initiated by the bad actor – in the hope that they accidentally complete the verification process. These potentially devastating strikes, which prey upon human error and what has been called “push fatigue,” have grown by as much as 70 percent in recent years, according to research done by Kaspersky Lab.

The ‘Magic’ Link

This form of verification is similar to push notifications in that the user receives a time-sensitive URL with an embedded token, delivered via email or SMS text.
In most cases, the employee chooses the interface to which the link is delivered, and an active session is opened in a separate browser window. Plus, because the link expires after a pre-set period, any later login attempt is thwarted.

Magic Links can similarly be exploited. They also rely on the 24x7 accessibility of technology, devices and accounts. Without access to all three, one cannot get in.

The One-Time Password

This single-use credentialing method requires the input of a temporary, automatically generated set of characters that are pushed to one’s email or mobile device. Most often, OTP comes as part of a more-compre

Benefits of Passwordless Authentication for IT Infrastructure

Increasing security: 69%
Eliminating risk: 58%
Saving time: 54%
Gaining more control and visibility: 53%
Saving cost: 48%
No benefit: 3%

Benefits of Passwordless Authentication for Employees

Quicker authentication: 65%
Fewer passwords to remember: 57%
Convenient access from anywhere: 53%
Streamlined access to multiple applications at once: 52%
Not updating passwords as often: 44%
Not worrying about password breaches: 39%
No benefits: 1%

Source: LastPass, LogMeIn Global Survey

Workplace Password Malpractice, % Saying ‘Yes’

Do you currently save work-related passwords in a document in the cloud? 49%
Do you currently save work-related passwords in a document on your desktop? 51%
Do you currently save work-related passwords on your phone? 55%
Have you ever shared a work-related password via text or email? 38%
Have you ever logged into an online account that belongs to your previous employer after you left? 32%
When creating a new password for a work account, have you ever used your company’s name? 37%
Does your company share passwords for accounts that are used by multiple people? 46%
Do you currently use the same password for personal accounts and work-related accounts? 44%
Do any work-related passwords have your significant other’s name or birthday in it? 34%
Do any work-related passwords have your child’s name or birthday in it? 31%

Source: Keeper Security; Pollfish

THE CHANNEL MANAGER’S PLAYBOOK 18
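
The ‘Magic’ Link section above describes a time-sensitive URL with an embedded token that stops working after a pre-set period. The following is an added example, not code from the article or from any vendor it mentions, of how a server can issue and redeem such a link so that expired, replayed and altered links are all refused. The HMAC-SHA256 signature, the 10-minute lifetime, the in-memory store and the login.example.com address are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumed per-deployment signing key
LINK_TTL_SECONDS = 600                # assumed "pre-set period": 10 minutes
_pending = {}                         # nonce -> user; stands in for a database table


def _sign(payload):
    """HMAC-SHA256 over the token payload, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_magic_link(user, now=None):
    """Return a login URL carrying a signed, expiring, single-use token."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)          # unguessable, one per link
    expires = int(now) + LINK_TTL_SECONDS
    _pending[nonce] = user
    payload = f"{nonce}.{expires}"
    # login.example.com is a placeholder host
    return f"https://login.example.com/magic?token={payload}.{_sign(payload).decode()}"


def redeem_magic_link(url, now=None):
    """Return the user the link was issued to, or None if it must be refused."""
    now = time.time() if now is None else now
    token = url.partition("token=")[2]
    try:
        nonce, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return None                            # malformed token
    expected = _sign(f"{nonce}.{expires}")
    if not hmac.compare_digest(sig.encode(), expected):
        return None                            # expiry or nonce was altered
    if now > expires:
        _pending.pop(nonce, None)              # expired: discard the nonce
        return None
    return _pending.pop(nonce, None)           # pop makes the link single-use
```

Binding the expiry into the signed payload means a recipient cannot extend the link's lifetime, and removing the nonce on first use means a link captured from a mailbox or message history is useless once the legitimate user has clicked it.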