
All You Need to Know About Passwordless Authentication

Passwordless Authentication, a subset of Multi-Factor Authentication (MFA), is trending up today. In practice this means the verification process uses two factors, which can include fingerprints, magic links, or PINs sent directly to smartphones or email inboxes. Let’s take a closer look at the rise of Passwordless SSH authentication and also get you started with the top 10 vendors you must check out in 2022.

The biggest driving factor behind the rise of Passwordless SSH Authentication is the incorrect and risky use of passwords, which are becoming easier and easier to hack.


What is Passwordless Authentication?

Passwordless authentication is all about stopping the use of passwords to bolster security, improve brand performance, and conserve valuable IT resources. Single Sign-On (SSO), traditional Multi-Factor Authentication (MFA), and similar methodologies have their inherent benefits, but they can all be bypassed with techniques like phishing, keylogging, password spraying, or brute force attacks.

Passwordless authentication works well for all kinds of SaaS apps – legacy, on-prem, cloud-based, and even ones with hybrid setups. It’s also better for users on the go, who are becoming more dependent on smartphones and tablets. As per Gartner, 60% of large organizations and 90% of midsize enterprises (MSEs) will be using passwordless authentication in over 50% of use cases by 2022.

Going Passwordless can also help you enforce enhanced security standards while also implementing an improved user experience (UX) to increase customer satisfaction. You can also significantly reduce the total cost of ownership (TCO), since passwords are extremely expensive to maintain. Think IT staff resource wastage and cumbersome damage control processes when data breaches happen. 

Passwordless Authentication Methods

Without further ado, let’s take a closer look at the main techniques that are powering the shift towards Passwordless SSH Authentication in SaaS app setups.

Biometrics – Apple users are already used to the notches on their iPhones. Passwordless Authentication puts them to good use by using their face recognition capabilities (the chance of two human faces being the same is less than one in a trillion). The same applies to fingerprint readers on Android or Windows mobile devices, laptops, and tablets. Let’s take a closer look at the latter technique.

The private key and public key are two separate entities. For example, the private key can be tied to the fingerprint authentication that the end-user sets up on a personal device such as a smartphone or laptop. This private key, stored on the device itself, can only be unlocked by the end-user. The public key is provided to the SaaS app or website where the user account is actually being created.

One-Time Codes and Passwords – While very similar in nature to magic links (described below), One-Time Codes (OTCs) and One-Time Passwords (OTPs) work a little differently. Here, end-users receive a unique code on their smartphones (SMS) or via email, which they have to input in order to log in. This one-time code usually comes with a predefined expiry time.

Magic Links – Known by many as a futureproof authentication methodology, it is becoming increasingly popular in B2B use cases. This technique is almost exclusive to email users, who need to enter the email ID that is linked to the account. They are then sent an email with a link that can be used to access the application or website. The SDK simply integrates with the application to make everything work.

Here is what a typical magic link flow looks like:

  • The end user tries to access an application or a web service
  • The end user is asked to provide a valid email address
  • The app/web service generates a token and forms a magic link with it
  • The magic link is sent to the provided email address
  • The end user clicks on the magic link
  • The app/web service receives the request at the endpoint the magic link points to
  • The end user can start using the app/web service
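The server side of the flow above, as an added example that is not part of the original article or any vendor's SDK: the token is generated from the OS random source, only its hash is stored together with an expiry, and the endpoint consumes it exactly once. The in-memory store, the 15-minute lifetime and the function names are this example's own assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60   # assumed link lifetime (the article only says "predefined expiry")

# Constructed in-memory store: sha256(token) -> {"email", "expires", "used"}.
# A real deployment would keep this in a database; holding only the hash means
# a leaked store does not yield working links.
_store = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_magic_link(email: str, base_url: str, now: Optional[float] = None) -> str:
    """Steps 3-4: mint an unguessable token, record its hash + expiry, return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG: not enumerable
    _store[_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return f"{base_url}/auth/magic?token={token}"


def token_from_link(link: str) -> str:
    """Pull the token back out of the link, as the click on step 5 would deliver it."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 6: the endpoint validates and burns the token; returns the verified email or None.
    Unknown, expired and already-used tokens are rejected identically so the response
    leaks nothing about which case occurred."""
    now = time.time() if now is None else now
    rec = _store.get(_hash(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True   # single use: a forwarded or logged link cannot be replayed
    return rec["email"]
```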

Unique Authenticators – This technique involves the use of push notifications via third-party authentication apps (e.g., Google Authenticator). After the admin sets up the authentication app with the required website or service, a secret key is issued (via a secure channel) to the user wishing to access it. End-users just need to fire up their app of choice to verify their identity. This technique is MFA compatible.
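What an app such as Google Authenticator derives from the issued secret key is a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP); the server-side verifier below is an added example, not code from the article or any vendor. It assumes a 30-second step, six digits, one step of clock drift either way, and a per-user "last accepted step" so a code that was captured in transit cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # RFC 6238 time step (assumed; matches common authenticator defaults)
DIGITS = 6
WINDOW = 1     # accept +/- one step of clock drift between phone and server


def provision_secret() -> str:
    """Secret issued to the user over a secure channel (base32 is what authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter) to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: Optional[float] = None) -> str:
    """The code the authenticator app shows for the current time step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // STEP))


class TotpVerifier:
    """Server-side state for one enrolled user."""

    def __init__(self, base32_secret: str):
        self.secret = base64.b32decode(base32_secret, casefold=True)
        self.last_step = -1   # highest step already accepted; each code is valid once

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // STEP)
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_step:
                continue   # replay of an already-consumed step is rejected
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```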


The Pros and Cons of Passwordless SSH Authentication

So, does this mean that you should quickly run tomorrow morning to delete ALL passwords from your database and solely provide passwordless-based authentication? Let’s wait a bit and consider the pros and cons.

The pros when it comes to passwordless authentication are rather obvious:

  • Brute Force Attack Immunity – More often than not, passwords tend to be weak. Human nature drives people to maintain the same password across all SaaS apps, which leads to an increased risk of password breaches.
  • Improved User Experience (UX) – Users do not need to remember passwords, nor do they have to change them constantly and follow strict password policy rules while doing so. Passwordless offers an easy flow.
  • Resource Friendly – Getting rid of passwords allows organizations to use fewer resources, not to mention the cost saving that comes with it. There are also no password resets ($70 average cost per reset).

The cons of the passwordless approach, amongst other things, are:

  • Hard to Implement – In most cases, email + password is very easy to implement, but a flow that has to maintain token expirations and ship out emails makes the implementation complex and costly.
  • Still not an Established Standard – While users are used to email and password-based authentication, the “entry point” for passwordless authentication is somewhat limited.
  • Dependency on 3rd Parties – Using email + password-based authentication means we can take care of activation immediately. When a user does not receive their activation email, that dependency makes integration harder.
  • Less Relevant in the Case of IDP / SSO Authentication – With SAML/SSO, there is no need for passwordless SSO authentication (at least on the SaaS app side). Users have one password, the same one used for their email login.

Top 11 Passwordless Vendors You Need to Consider in 2022

Before diving into the list of top Passwordless Authentication platforms in the market today, we wish to emphasize that it is not exhaustive in any way or form. 

1. Okta

This Identity-Management-as-a-Service (IDaaS) is a proven and tested option for big and medium-sized organizations looking to simplify their ongoing security processes. Okta boasts a user-friendly centralized dashboard for added ease of use, while also throwing in a complimentary security suite baked into the platform. This self-service authentication solution also has an active developer community.

Pros: Support for MDM, Good Reporting, Customization, Security
Cons: Complex Implementation, Can be Expensive for Small Businesses
Pricing: Starts at $2/user/month

2. OneLogin 

OneLogin is one of the biggest players in the Multi-Factor Authentication (MFA) market today. It offers a very robust and intuitive platform that has the ability to cater to enterprise-level organizations. OneLogin Protect offers a wide range of options with seamless built-in integration with multiple third-party authentication applications like Google, Yubico, Duo Security, and more.

Pros: Great for Enterprise, Good Reporting, Solid Integration
Cons: Pricey, Iffy Support
Pricing: Starts at $3/user/month

3. Keyless.io

This UK-based company is a leading passwordless Multi-Factor Authentication (MFA) solution provider today, despite only entering the market in 2018. Amongst its services you’ll find VPN, VDI, and RDP authentication, along with mobile and web login functionality. This is a user-friendly authentication platform that is fully GDPR and PSD2/SCA compliant for added peace of mind.

Pros: Comprehensive Reporting, Strong Security
Cons: Expensive, Support is a Work in Progress
Pricing: Starts at $3/user/month

4. 1Password

1Password is one of the best options in the market right now, thanks to its smooth interface, strong integration capabilities, and unrivaled support channels that offer you 24/7 multilingual help when you need it the most. When it comes to Multi-Factor Authentication (MFA), 1Password even offers its own proprietary authenticator to simplify implementation and usage.

Pros: Good Scalability Capabilities, Industry-Leading Support, Functionality
Cons: Learning Curve Involved, Not Ideal for Small Companies
Pricing: Starts at $3.99/user/month

5. LastPass 

LastPass is one of the most budget-friendly options out there today when it comes to Passwordless Authentication implementation and maintenance. Just getting started? This may be the right option for you. However, this solution is not ideal for medium- and large-sized organizations, as it is missing many key enterprise-level features, which may hold you back and not match your long-term goals.

Pros: Easy to Set Up and Use, Good for Small Businesses
Cons: No LDAP Support, Lacks Many Enterprise Features, Security Flaws
Pricing: Starts at $3/user/month


6. HYPR

HYPR is a proven and tested solution that allows the eradication of passwords and shared secrets on the frontend and backend, including in the offline mode. All bases of Multi-Factor Authentication (MFA) are covered, including passwordless options and single-gesture ones tied to the user instead of the device. It also has comprehensive cross-platform support and integration capabilities.

Pros: Strong MFA Capabilities, End-to-End FIDO Certification, Integration with SSOs and IdPs
Cons: Bit Pricey, Some Reports of Errors
Pricing: Starts at $4/user/month for Essential and $5/user/month for Enterprise

7. PingZero (PingIdentity)

PingIdentity is another Identity-Management-as-a-Service (IDaaS) market leader that has thousands of happy SaaS customers. As the name suggests, PingZero is the passwordless enterprise MFA solution on offer here. PingZero can be easily customized to match a wide range of use cases, and the support team is reported to be doing a great job of ironing out installation and integration issues.

Pros: Easy to Use, Customizable, Good Pricing Plans (Budget Friendly)
Cons: Long Installation Process, Integration Issues
Pricing: Starts at $3/user/month

8. IDEE

Looking to upgrade your Multi-Factor Authentication (MFA) capabilities as you scale up? IDEE can be the answer. This next-gen solution can be implemented over existing SSO ecosystems. It comes with a plug-and-play interface that is easy to understand and is bundled with a proprietary authenticator app for faster time to market. The passwordless authentication solution is fully GDPR-compliant.

Pros: Easy to Use, Strong Feature Set, Good Security
Cons: Not Cheap, Iffy Integration Capabilities
Pricing: Starts at $3.5/user/month

9. Yubico

Yubico is also offering a comprehensive passwordless authentication solution that covers most bases, including full adherence to the latest FIDO2 authentication standard and an option to go the smart card passwordless route. It’s a highly versatile solution that can be an option for healthcare and places where a dynamic approach is required. There have been mixed reviews about the support.

Pros: Fast Implementation, Flexibility, Good Security
Cons: Iffy Support, Poor Documentation, Can Get Expensive
Pricing: Not Available

10. SecureAuth

SecureAuth has established itself as a force to be reckoned with in the authentication space, be it SSO or MFA. It’s a truly global offering, with support for over 10 languages, including Arabic, Chinese, Japanese, and Korean. Security capabilities are also good, with built-in protection against IAM system attacks and automatic blocking of brute force campaigns against users.

Pros: Strong Security, Good Reporting Capabilities, Customizable
Cons: Not Ideal for Small Companies, Learning Curve (Training Required)
Pricing: Not Available

11. Trusona

This US-based company goes with the slogan – “Authentication your customers will MF(A)’n love”. What else do you need? Jokes aside, Trusona allows SaaS application developers to reduce customer support costs by deploying a self-service MFA solution. The company, founded in 2015, boasts a 99% login success record, with a 70% reduction in password reset processes.

Pros: Support for MDM, Good Reporting, Customization
Cons: Complex Implementation, Can be Expensive for Small Businesses
Pricing: Starts at $4/user/month

Passwordless: The New Authentication Standard

Passwordless authentication is trending up and is fast becoming the industry standard. Not requiring users to remember new passwords for multiple accounts enhances the level of trust in the authentication flow, eventually boosting engagement and satisfaction metrics. At Frontegg, we have taken all of these requirements into consideration when building our end-to-end user management platform.

If you have any questions as to what model is correct for you and what implementing passwordless authentication should look like in your use case, feel free to reach out and get in touch with our experts. We are here to help.