The future of authentication is passwordless: ready to make the change?
As many of you know, passwords are quickly becoming a thing of the past. (If you haven't already, please read our previous post to find out why.) According to Gartner's Emerging Trends Impact Radar, passwordless authentication is gaining momentum and is expected to become a major trend within 1 to 3 years.
Now is a good time to start thinking about how and when your organisation will move away from passwords, and which alternatives you want to implement. The options differ in security maturity, availability and total cost of ownership: one-time tokens (over any delivery channel, although the channel largely determines how much trust the token can carry), biometric authentication, PKI-based credentials, and even continuous behavioural identification and fingerprinting.
Is ‘passwordless’ truly passwordless?
We know that ‘passwordless’ has become something of a buzzword, and you may be wondering whether some of the hyped alternatives really are passwordless.
For instance, if you have to set up a password (or a PIN, for that matter) before you can enrol in an advanced biometric authentication mechanism, and that same password is what resets the biometric mechanism when it fails, then what has the biometric method gained you? An attacker who knows the password simply takes the reset path, so the password is still the weakest link, and you are not really passwordless.
The EU’s STORK project and Electronic ID (eID) framework have determined that an authentication method cannot be considered ‘substantial’ or ‘high’ unless the issuing process and the issuing body are properly sanctioned and trustworthy. The level of trust in a credential is bounded by the weakest step in its enrolment and recovery. So once you issue a ‘strong password alternative’ through a process that depends on a password, you can claim neither a high level of trust nor to be ‘passwordless’.
At OneWelcome we offer a passwordless alternative in the form of one-time tokens: ‘magic links’ sent to a user’s validated email address. This is only a basic, low-level-of-trust option, because the link is exactly as secure as the mailbox it lands in. So we also offer OneWelcome Mobile Identity, which lets users authenticate by scanning a QR code or confirming a push notification, either standalone or as a second factor in the authentication process. It can be configured in addition to the password or, better, as a complete replacement for it.
We offer registration processes in which you can go truly passwordless, including a controlled, highly secure identity verification process that enrols your OneWelcome Mobile Identity account without ever setting a password. We only do that once you have passed a number of checks, for instance against your bank, an eID scheme or internal data stores. That way you are truly passwordless and have a high level of trust.
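The properties that make a magic link a usable (if low-trust) one-time token are easy to get wrong: the secret must come from a CSPRNG, only a hash of it should be stored, it must expire, and it must work exactly once. The following is an added illustration of that lifecycle in Python; it is not OneWelcome's code or configuration. The ten-minute lifetime, the `login.example.invalid` endpoint, the in-memory store and the `outbox` list standing in for a mailer are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumptions for this example (not a vendor's configuration):
# a link is valid for ten minutes and the login endpoint lives at this URL.
TOKEN_TTL_SECONDS = 600
MAGIC_LINK_ENDPOINT = "https://login.example.invalid/magic"


@dataclass
class PendingLink:
    email: str
    token_hash: bytes     # SHA-256 of the secret; the secret itself is never stored
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


class MagicLinkService:
    """Issue and verify single-use, time-limited magic links.

    Storage is an in-memory dict here; a real deployment would keep the same
    fields in a database and hand the link to a mailer instead of `outbox`.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._pending = {}           # link id -> PendingLink
        self.outbox = []             # (email, link) pairs, stand-in for email delivery

    def issue(self, email: str) -> str:
        # 32 random bytes for the secret and 16 for the lookup id, from the OS CSPRNG.
        token = secrets.token_urlsafe(32)
        link_id = secrets.token_urlsafe(16)
        self._pending[link_id] = PendingLink(
            email=email,
            token_hash=_hash_token(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        link = f"{MAGIC_LINK_ENDPOINT}?id={link_id}&t={token}"
        self.outbox.append((email, link))   # would be an email send in practice
        return link

    def verify(self, link_id: str, token: str):
        """Return a session dict on success, None on any failure.

        The caller does not learn *why* it failed; every failure path returns None.
        """
        record = self._pending.get(link_id)
        if record is None:
            return None
        if record.used or self._clock() > record.expires_at:
            self._pending.pop(link_id, None)   # dead record, clean it up
            return None
        # Constant-time comparison of the hashes: no timing leak on the secret.
        if not hmac.compare_digest(record.token_hash, _hash_token(token)):
            return None                        # record stays; a wrong guess does not burn it
        record.used = True
        self._pending.pop(link_id, None)       # single use: the link is now gone
        # The resulting session carries only the assurance of the mailbox it came
        # from ("low" in the vocabulary above); stronger actions need a step-up later.
        return {"subject": record.email, "assurance": "low", "method": "magic_link"}

    def verify_link(self, link: str):
        """Convenience wrapper: parse the clicked URL and verify its parameters."""
        params = parse_qs(urlparse(link).query)
        try:
            return self.verify(params["id"][0], params["t"][0])
        except (KeyError, IndexError):
            return None
```

Note what the session returned by `verify` does and does not say: it names the mailbox owner and the method, and labels the assurance as low, so a later authorisation decision can insist on a stronger factor before anything sensitive happens.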
Is passwordless an invasion of privacy?
All of these are great features, but something more important sets OneWelcome Mobile Identity apart from other vendors’ solutions: our strong European heritage. We apply that European mindset to provide truly passwordless capabilities built on the Privacy by Design principle.
That means we deliver capabilities that don’t rely on irreversible, unchangeable fingerprinting methods that cannot guarantee the user’s privacy. We will not track your every move, mouse click or keystroke just to sign you in to an online service.
We believe in data minimisation while providing maximum security and certainty for the user trying to log in. This may look as if it adds friction to the user journey, but in fact it instils trust in the relationship between you and your customer. It shows your customer that you care about their privacy and that you don’t need to track their every move to provide your service. It also means that in the event of a data breach, you don’t leak a tonne of data that would prevent the user from ever being anonymous again. As a European company, we believe in Privacy by Design: users have the right to be anonymous online if they choose, just as they do in the physical world.
Balancing convenience, security and privacy
Going passwordless is about more than swapping the password in all your processes for something else. It’s about giving your customers a frictionless, secure set of options that balances convenience, security and, above all, privacy.
That means scaling the level of authentication to what the user is actually doing. There’s no need to impose privacy-violating tracking on a signed-in user who just wants to browse your product pages and fill a shopping cart. But as soon as that user wants to check out, you can require a passwordless step-up authentication.
A ‘just in time, just enough’ approach like this lets you provide simple, user-friendly and privacy-conscious authentication to your customers while maintaining your security.
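The ‘just in time, just enough’ idea needs no behavioural tracking at all: the only state involved is the session's own assurance level and how long ago it was established. Below is an added Python sketch of such a policy; it is not OneWelcome's decision engine. The level names follow the eID vocabulary used earlier, but the method-to-level mapping, the actions, and the freshness windows are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass

# Ordered assurance levels. The names mirror the eID vocabulary used earlier;
# the mapping from methods to levels below is an assumption for this example.
LEVELS = {"none": 0, "low": 1, "substantial": 2, "high": 3}

METHOD_LEVEL = {
    "magic_link": "low",                  # only as good as the mailbox
    "mobile_push": "substantial",         # possession of an enrolled device
    "mobile_qr": "substantial",
    "verified_mobile_identity": "high",   # enrolled through identity verification
}

# action -> (minimum level, maximum age in seconds of that authentication; None = any age).
# Assumed policy: browsing is free, checkout needs a recent strong factor.
POLICY = {
    "browse_catalogue": ("none", None),
    "view_cart": ("low", None),
    "checkout": ("substantial", 300),
    "change_payout_account": ("high", 60),
}


@dataclass
class Session:
    subject: str
    level: str = "none"
    authenticated_at: float = 0.0   # when `level` was last (re)established


def decide(session, action, now=None):
    """Return ("allow", None) or ("step_up", required_level) for an action."""
    required, max_age = POLICY[action]
    now = time.time() if now is None else now
    if LEVELS[session.level] < LEVELS[required]:
        return ("step_up", required)
    if max_age is not None and now - session.authenticated_at > max_age:
        # Strong enough once, but too long ago for this action: ask again.
        return ("step_up", required)
    return ("allow", None)


def complete_step_up(session, method, now=None):
    """Record a successful authentication with `method` on the session.

    A weaker method never refreshes a stronger level; otherwise someone who
    only controls the mailbox could keep a 'substantial' session fresh forever.
    """
    now = time.time() if now is None else now
    level = METHOD_LEVEL[method]
    if LEVELS[level] >= LEVELS[session.level]:
        session.level = level
        session.authenticated_at = now
    return session
```

The two checks in `decide` are the whole mechanism: is the session strong enough, and is that strength recent enough for this particular action. Nothing about the user's clicks, device fingerprint or browsing history enters the decision.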
At OneWelcome, we envision a fully passwordless future. We agree with Gartner’s assessment that it may take another 1 to 3 years, but we also believe there will be far more interest in companies that follow the European approach than in others. That’s why we are focusing heavily on technologies like OneWelcome Mobile Identity, so we can provide the best European Customer Identity and Access Management (CIAM) solution, with advanced security and Privacy by Design.
Discover your opportunities
Want to take advantage of the opportunities offered by passwordless? We’re always happy to discuss your options and explore how you can benefit. Get in touch today to find out more, or download the whitepaper ‘How to go passwordless’.