A Password-Free Experience Isn’t Always Password-Free

Nobody likes passwords. From an IT perspective, passwords are notoriously insecure, with compromised credentials accounting for 81% of all data breaches. Passwords also take precious time, money, and resources to manage. From a user perspective, passwords are annoying. The average American internet user has 150+ accounts requiring passwords, far beyond the capacity of human memory. This promotes bad habits like password reuse and recycling, and poor password hygiene further fuels the security risk. Plus, people are simply tired of being continually prompted to enter their credentials to access different apps and sites.



Asymmetric encryption is also known as public-key cryptography. Unlike “normal” (symmetric) encryption, asymmetric encryption encrypts and decrypts data using two separate cryptographic keys that are mathematically related.

With asymmetric encryption, FIDO provides a more secure passwordless experience than mobile push, but it still relies on a password for initial registration, and the password continues to exist after key generation. Also, FIDO keys work on the basis of possession, so if I have someone else’s FIDO token/key, then I can assume that person’s identity. FIDO does not prove the identity of the person holding the key. There are some FIDO keys that are biometric-enabled, but these are few and far between given the challenges of easily imprinting biometrics onto a FIDO key. Plus, FIDO does not address typical workforce use cases like email signing and encryption, digital document signing, and file encryption. Then there is the IT administrative overhead of registering and managing all those FIDO authenticators.
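The possession point above, as an added example that is not from the original article, Entrust, or the FIDO specifications: a simplified challenge-response loosely modelled on a WebAuthn assertion, showing that a valid signature proves only that the private key was present unless the relying party also requires the user-verification flag. The toy RSA key, the function names, and `login.example` are assumptions made for illustration, and the signed message is simplified to the authenticator data plus a hash of the challenge.

```python
import hashlib
import struct

# Toy RSA key, constructed for this example only: Mersenne primes are NOT safe for real keys.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, held by the relying party with E
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the authenticator

FLAG_UP, FLAG_UV = 0x01, 0x04          # WebAuthn flag bits: user present, user verified


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def authenticator_sign(challenge: bytes, rp_id: str, counter: int, user_verified: bool):
    """The key signs for whoever holds it; only user_verified says a biometric/PIN check ran."""
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, counter)
    signature = pow(_digest(auth_data + hashlib.sha256(challenge).digest()), D, N)
    return auth_data, signature


def relying_party_verify(challenge, rp_id, auth_data, signature, last_counter, require_uv):
    """Server-side checks using only the public key (N, E). Returns 'ok' or the failure reason."""
    if len(auth_data) != 37:
        return "malformed authenticator data"
    flags, counter = struct.unpack(">BI", auth_data[32:])
    if pow(signature, E, N) != _digest(auth_data + hashlib.sha256(challenge).digest()):
        return "bad signature"            # wrong key, replayed challenge, or tampered flags
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "wrong relying party"
    if counter <= last_counter:
        return "counter did not advance"  # possible cloned authenticator
    if require_uv and not flags & FLAG_UV:
        return "user verification required"
    return "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))          # constructed; a real server uses a fresh random nonce
    data, sig = authenticator_sign(challenge, "login.example", 5, user_verified=False)
    # Possession alone passes when the relying party does not ask for user verification.
    print(relying_party_verify(challenge, "login.example", data, sig, 4, require_uv=False))
    print(relying_party_verify(challenge, "login.example", data, sig, 4, require_uv=True))
```

Because the flags byte is covered by the signature, a relying party that sets `require_uv=True` cannot be satisfied by flipping the bit in transit; the authenticator itself has to have performed the check.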

Enter credential-based passwordless authentication, which removes the physical password entirely, replacing it with a digital certificate. The certificate is provisioned onto the worker’s mobile device, transforming it into their trusted digital identity. When the phone is unlocked via the user’s biometrics (i.e., fingerprint or facial recognition) and in close proximity to their workstation, they are automatically logged into the workstation and able to access all of their applications without having to reauthenticate themselves. When the worker walks away with their phone, they are automatically signed out of any apps they were using and logged out of their workstation. Plus, with a PKI credential-based solution, not only can the identity of the user be validated by a public CA, but users are also able to send signed and encrypted emails, digitally sign documents, and encrypt files. A truly passwordless solution for improved security, reduced costs, and happier, more productive users.

Simply put, there is more to passwordless authentication than just removing the password – from security and configuration to the experience you deliver your users. Credential-based passwordless authentication combined with adaptive security provides a strong foundation to realize a Zero Trust approach.


Article by: Entrust