Passwordless Authentication: What You Need to Know

Between phishing scams, ransomware and social media cyberattacks, security incidents are now a daily occurrence for many businesses. Attackers are growing in sophistication and are looking to catch your employees off guard to gain access to your critical data. Because your employees are typically your front line of defense against cybercrime, it’s critical to set them up for success with simple but effective security protocols they can follow to keep your organization safe.

Passwordless authentication greatly enhances the effectiveness of a typical multifactor authentication (MFA) deployment but doesn’t add any burden to employees. We recently sat down with Corsica’s CISO, Ross Filipek, to talk about how passwordless authentication can help businesses keep employees, and their data, safe. 

What is Passwordless Authentication? 

In a typical Microsoft 365 or Azure Active Directory environment with MFA, users authenticate in three discrete steps. First, they enter their email address. If it’s a valid address for that domain, they’re then prompted to enter their password. If the password is valid, they’re finally prompted to acknowledge an MFA push notification to their mobile device. 

Passwordless authentication involves a subtle change to the sequence described above, but it’s a change that creates a highly attack-resistant process. With passwordless authentication, users still enter their email address. But if it’s a valid address, they’re then shown a random one-time passcode that they then need to enter into the Authenticator app on their mobile device. So now we’ve removed static passwords from the equation and combined the second and third steps described above. 

I have MFA. Isn’t that enough? 

Not in today’s cyberthreat landscape. MFA is intended to offset the risk of static passwords, which are still routinely phished and acquired by attackers. However, attackers have become good at tricking users into acknowledging fraudulent MFA push notifications, and when this happens it effectively allows the attacker to bypass the protections that MFA was intended to provide. 

The reason passwordless authentication is so effective is that, even if an attacker manages to steal a user’s password and attempt to sign into that user’s account, the user has no way of knowing what random one-time passcode to enter into the Authenticator app. In other words, passwordless authentication is highly phishing-resistant. When there’s no static password to phish, and no method to trick a user into acknowledging a fraudulent authentication factor, Business Email Compromise (BEC) and Account Takeover (ATO) attacks are unlikely to succeed. 
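To make the difference between the two flows concrete, here is an added example in Python. It is not part of the interview and is not Corsica’s or any vendor’s code; it is a small model of the legacy approve/deny push and of the number-matching step described above, written as a server-side service: the number is generated per sign-in attempt, shown only on the sign-in screen, and must be typed into the app, with a cap on wrong entries and a short lifetime. The constants (a two-digit number, three attempts, a 60-second lifetime), the class and function names, and the example addresses are assumptions of this example, not details from the article.

```python
import secrets
import time
from dataclasses import dataclass

# Added example (not the article's or any vendor's code): a simplified model of
# the two sign-in flows the interview describes. The constants and all class,
# method and function names below are this example's own assumptions.

NUMBER_RANGE = 100         # assumption: the displayed code is a two-digit number
MAX_ATTEMPTS = 3           # assumption: wrong entries allowed before the sign-in is voided
SESSION_TTL_SECONDS = 60   # assumption: how long a displayed code stays valid


@dataclass
class SignInSession:
    email: str
    session_id: str
    displayed_number: int   # shown only on the sign-in screen; -1 for the legacy push flow
    created_at: float
    attempts: int = 0
    approved: bool = False
    voided: bool = False


class SignInService:
    """Server side of the sign-in. `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}

    # Legacy flow: email, password, then an approve/deny push to the phone.
    def begin_push_sign_in(self, email):
        sid = secrets.token_hex(8)
        self.sessions[sid] = SignInSession(email, sid, -1, self.clock())
        return sid

    def approve_push(self, session_id):
        # Nothing in the tap proves the user is looking at the sign-in screen, so an
        # approval for a sign-in the user never started succeeds like any other.
        session = self.sessions[session_id]
        session.approved = True
        return True

    # Passwordless flow: email, then a number shown on screen that must be typed into the app.
    def begin_passwordless_sign_in(self, email):
        sid = secrets.token_hex(8)
        number = secrets.randbelow(NUMBER_RANGE)
        self.sessions[sid] = SignInSession(email, sid, number, self.clock())
        return sid, number   # the number goes to the screen, never to the phone

    def approve_with_number(self, session_id, entered_number):
        session = self.sessions[session_id]
        if session.approved or session.voided:
            return False
        if self.clock() - session.created_at > SESSION_TTL_SECONDS:
            session.voided = True   # a stale code cannot be approved late
            return False
        session.attempts += 1
        if entered_number == session.displayed_number:
            session.approved = True
            return True
        if session.attempts >= MAX_ATTEMPTS:
            session.voided = True   # guessing is cut off; a fresh sign-in must be started
        return False


def unprompted_push_is_approved(service, email):
    """Push-fatigue scenario: a sign-in the user did not start, approved with a blind tap."""
    sid = service.begin_push_sign_in(email)
    return service.approve_push(sid)


def unprompted_passwordless_is_approved(service, email, guesses):
    """Same scenario under number matching: the user never saw the screen that shows
    the number, so all they can type are the `guesses` given here."""
    sid, _number_on_a_screen_the_user_never_saw = service.begin_passwordless_sign_in(email)
    return any(service.approve_with_number(sid, g) for g in guesses)


if __name__ == "__main__":
    svc = SignInService()
    print("legacy push, blind approval:", unprompted_push_is_approved(svc, "user@example.com"))
    random_guesses = [secrets.randbelow(NUMBER_RANGE) for _ in range(MAX_ATTEMPTS)]
    print("number matching, blind guesses:",
          unprompted_passwordless_is_approved(svc, "user@example.com", random_guesses))
```

Run it directly to see the two scenarios side by side: the blind tap always succeeds against the legacy flow, while blind guesses against a sign-in the user never started fail with high probability and void the attempt after three tries. For monitoring, sessions voided by repeated wrong numbers or by expiry are a useful signal that someone other than the user is starting sign-ins for that account.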

Is there an example you can think of where passwordless authentication could have prevented a breach? 

In a highly publicized incident earlier this year, many organizations using Single Sign-On (SSO) via a leading identity services provider were breached. In this attack, cybercriminals cloned the SSO portals of the targeted companies and sent the users SMS messages with links to the spoofed portals, telling them they had been logged out and needed to log in again. When the users clicked the links to access the spoofed portals and entered their email addresses, passwords, and MFA passcodes, the attackers were in position to intercept all this information and then use it to obtain fraudulent access to the users’ accounts.

This attack was unsuccessful against one of the targeted organizations, however, because that company was already using passwordless authentication. 

Is the process easy for employees? They already struggle with security protocols. 

The passwordless authentication process is arguably easier for users to navigate than the standard MFA process used today by many organizations. With passwordless authentication, users no longer need to enter their passwords, which helps to save a bit of time during logon. And those users are already using the Authenticator app, so passwordless authentication does not create an additional burden there. 

Does this replace the need for passwords for everything? 

It can replace the need for passwords within organizations that have integrated all systems and applications with single sign-on (SSO). 

Get started with passwordless authentication. 

Corsica’s team of IT and security experts are here to help you implement protocols and training programs that keep your employees safe, and your business secure. To learn how Corsica can help you approach security with confidence, speak to a member of our team today.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.
