Passwordless Authentication: What is It and How Does It Work?

Passwordless authentication could be the key to helping prevent the majority of data breaches.
Ben Walker, Author
Catherine McNally, Editor
Last updated Jun 30, 2022

Our current approach to account security is using passwords for just about everything. And how’s that going? Passwords cause over 80% of data breaches, according to the FIDO Alliance, a group of companies like Amazon, Apple, and Microsoft that wants to make passwords a thing of the past by implementing passwordless authentication alternatives.

So, not great. But what’s the solution?

Apple, Google, and Microsoft think passwordless authentication, or not using a password at all for sign-ins, is the key to better online security. And they might be right. But we’ll see how their push toward passwordless sign-ins across their platforms works now and into the future.

In the meantime, let’s explore what passwordless authentication is and how it works. This could help you better understand how to improve your own cybersecurity efforts.

In this article
What is passwordless authentication?
How will passwordless logins work?
Should you use passwordless authentication?
Passwordless authentication FAQs
Bottom line

What is passwordless authentication?

Passwordless authentication is basically verifying your identity without using a password. The standard use for passwordless authentication is to securely access a device, account, or other application using different passwordless solutions.

You might not think about it, but passwordless solutions have become integrated into our everyday lives. This could include unlocking your smartphone with biometrics, such as facial recognition.

Or have you ever received a one-time code by email or text message (SMS) to log into an account? This is part of passwordless authentication, and it’s likely where the future of cybersecurity lies.

Why is passwordless authentication so important?

Passwordless authentication is so important primarily because having a strong password is helpful, but it’s not always going to cut it. Phishing attempts to uncover your personal information and brute-force cyberattacks are common ways to beat a password — and the bad actors using these methods aren’t letting up.

This has created a need for something new and more secure. Enter passwordless authentication: the safer (and often more convenient) method of securing important information compared to using a password.

Consider the different types of passwordless authentication to better understand how it works.

Types of passwordless authentication

Passwordless authentication methods are often separated into three main categories: biometrics, possession factors, and magic links. The strategies within each category vary, but they all share the similarity of not requiring you to type in a password.

Biometrics

Biometrics are your unique physical characteristics. This could include your fingerprints, voice, eyes, face, and more. Using fingerprints as a method of identification can date back more than 100 years, though the ideas behind biometric identification are thought to be much older.

Here are a few examples of how biometrics are used:

  • Retinal or iris scan
  • Fingerprint scan
  • Facial recognition
  • Voice recognition

You might be most familiar with using biometric technology to access devices such as phones, computers, and tablets. Fingerprint scanners and facial recognition are a part of our everyday lives.

You may have also seen iris and face scanners at certain airports or venues, often used at CLEAR kiosks for expedited verification.

Biometrics are considered secure forms of authentication because of how unique physical characteristics can be. This doesn’t mean it’s a foolproof strategy, but it’s often considered safer than using a password. And the technology continues to improve.

Possession factors

Possession or ownership factors typically grant you access through something you own. This could include a mobile device or authenticator app.

For example, you might receive a one-time code via text to log into your account. Or an authenticator app could provide a code to prove your identity.

Here are some examples of possession factors:

  • Mobile device
  • Authenticator app
  • Security token or hardware token

This strategy is considered more secure than a password because you own the resource used for authentication. It’s not a password floating around in the internet, but often a physical device or piece of software that only you might have access to.

Magic links

Magic links typically grant access by having you click on a link that was sent to your email address. You aren’t necessarily entering a password for the account you want to access, but you also might have to log into your email account.

This could prove to be less than secure if your email account isn’t properly protected. But if your email is secure, this could be a helpful authentication strategy.

How will passwordless logins work?

Passwordless logins are already here and working, but the technology is still being improved. In many cases, you need to create something called a passkey to quickly and securely access different websites and apps with your device.

Here’s the current step-by-step process you might follow for passwordless sign-ins on Apple, Google, and Microsoft devices using Fast IDentity Online (FIDO) authentication:

  1. Have a device or platform that supports passkeys such as Apple, Google, or Microsoft
  2. Register with a website or app where you want to use a passkey
  3. Log into the website or app with your credentials (username and password)
  4. Create a passkey for the website or app and sign out
  5. Use your passkey to access your account in the future

Keep in mind that passkey technology continues to improve. One of the latest improvements includes being able to automatically use FIDO authentication across multiple devices rather than having to re-enroll a new device each time.

It’s also helpful to see that different devices can interact with each other with a goal to provide a seamless user experience. This means you could create a passkey on your Android device that could then work if you use a Chrome browser on a MacBook or iPhone.

How does biometric authentication work?

Biometric authentication is a common form of passwordless authentication. For many of us, this would mean using facial recognition or a fingerprint scanner on our phone or other device to unlock it. You might also use the same biometric information to log into an app on your device.

Biometric authentication works by comparing the data you send against data that’s already stored. For example, to use Face ID on a compatible iPhone, you typically have to go through a series of scans of your face. These scans are often saved directly to your device.

The next time you want to use Face ID, your device will compare the current scan against the stored scans. A match will grant you access to unlocking your phone, entering an app, making a purchase, or any other action Face ID might be used for.

Using a device’s fingerprint scanner typically follows a similar process.

What is the FIDO Alliance?

The FIDO Alliance is an association between many companies, including Amazon, American Express, Apple, Google, Mastercard, Meta, Microsoft, Samsung, Visa, and more. Its mission is to provide secure authentication solutions worldwide, primarily by reducing the use of passwords.

You might wonder why these giant tech companies need to band together to accomplish this mission. Each brand on their own has significant resources to potentially push the needle themselves.

But consider how many devices are out there and where those devices come from. Apple, Google, and Microsoft have their own platforms and devices, which creates a potential roadblock for getting passwordless authentication for everyone.

After all, iOS, Android, and Windows operating systems all work a bit differently — so how can we get them all to seamlessly integrate together with passwordless authentication technology?

The FIDO Alliance offers standards that help implement passwordless authentication across many popular devices and platforms. This includes using public key cryptography (with public and private keys) to provide secure authentication methods.

Having many of the world’s major tech companies using the same standards helps create a more seamless login experience for anyone using their devices.

Should you use passwordless authentication?

Yes, you probably should use passwordless authentication if possible. It’s seen as a more secure strategy than using a password, especially against hackers trying to gain access to your information.

This isn’t to say you’ll for sure be hacked if you use passwords, but passwordless authentication could provide more online security. This could, in turn, help you prevent identity theft by keeping your information private.

Here are some of the primary benefits of passwordless authentication:

  • It’s more secure than passwords
  • It’s more convenient than passwords
  • It’s likely more cost-effective than password management

Potential drawbacks of passwordless authentication include:

  • It’s not 100% effective against cyberattacks (but nothing is)
  • It might not be easy for everyone to get used to
  • It could require some upfront costs to get implemented

If you want to skip all the password resets and having to reuse weak passwords, consider passwordless authentication. It’s already here, it’s secure, and the process is improving every day.

Passwordless authentication FAQs


+

Is passwordless authentication the same as MFA?

Passwordless authentication isn’t typically considered the same as multi-factor authentication (MFA), though they could share a few similarities. Passwordless authentication doesn’t require a password to log into an account, whereas MFA often requires a password and then a secondary authentication method, such as a text message or push notification, as well.


+

How do I get passwordless authentication?

You can get passwordless authentication from Apple, Google, and Microsoft when they expand support for passwordless logins on their different platforms starting in 2022. Types of passwordless authentication include:

  • One-time passwords (OTP) via email or text message
  • Authenticator apps
  • Security tokens
  • Biometrics such as fingerprint scans or facial recognition
  • Magic links

+

Is passwordless login better than 2FA?

Passwordless login is typically considered better or more secure than two-factor authentication (2FA) because it doesn’t involve using a password. Most types of multi-factor authentication use a password as a step in the login process, which creates a vulnerability that could potentially be exposed by hackers or phishing attacks.


+

Can you use passwordless authentication with Microsoft?

Yes, Microsoft offers ways for its users to use passwordless authentication. This includes Windows Hello, which is a way to access Windows 10 or 11 devices using a PIN, facial recognition, or fingerprint — no password required. Passwordless authentication is also available in Azure Active Directory (Azure AD) in the Microsoft Entra suite of products.

Bottom line

Passwordless authentication is likely the future of logging into our accounts. Considering how risky it can be to use passwords to protect our information, using passwordless options offers a more secure alternative.

But the world hasn’t quite adopted passwordless authentication across the board yet. Although many of us continue to use passwords and wait for more secure technology, it’s best to keep our login information as safe as possible. A password manager could help you organize your logins and generate new, randomized passwords at frequent intervals.

Author Details
Ben Walker
Ben Walker is a writer at All About Cookies with a passion for all things internet and technology, whether it's using VPNs while away from home or organizing his life with password managers.