Passwordless MFA vs One-Time Codes

Multi-factor authentication (MFA) is essential for secure authentication. Traditional password-based MFA is ineffective and insecure because passwords themselves are fundamentally insecure. Customers reuse passwords, store them in unsafe locations, lose them, and the list goes on. Not all MFA solutions are created equal, and the ones in widest use are not the best for businesses and their customers.

What Are One-Time Codes?

One-time passcodes are one of the most commonly used methods for MFA for both customers and workforces. When a user tries to authenticate to a system, a code is texted or emailed to them or generated within an authenticator application. Entering this one-time code together with the password demonstrates ownership of a trusted device or email account (“something you have”) as well as knowledge of the account password (“something you know”).

Security Considerations of One-Time Codes

One-time codes are commonly sent over insecure channels, such as text or email. Attackers intercept texts by exploiting vulnerabilities in the SS7 mobile network or via a SIM swapping attack.

Delivering one-time codes over email also creates issues. Accessing an email account typically requires a password, which is a “something you know” factor. Instead of providing two distinct factors, using email for one-time codes relies on two factors of the same type. Also, frequent password reuse often means that both the email account and the other account have the same password, completely negating the value of MFA.

User Experience Considerations

User experience has a significant impact on online sales and customer conversions. The more steps a user is forced to take, the higher the probability that they will abandon a site, a full shopping cart, a sign-up, or a registration.

Code-based MFA is disruptive to the user and often requires access to a second device to receive the one-time code. If that device is not conveniently nearby or the code is delayed, then the customer is extremely likely to give up. Even if this is not the case, the inconvenience of accessing the device and typing in the code may be enough for a customer to abandon their cart or a registration form. 

What is Passwordless MFA?

Everyone hates passwords. They’re annoying to remember and type into sites, and they do little for security because malicious actors use tried-and-true hacking methods like brute-force attacks, credential stuffing, rainbow table attacks, and more. Unfortunately, passwords are often seen as an easy factor to use in MFA.

However, passwords are not the only available option, and eliminating passwords makes it possible to implement stronger, more user-friendly MFA. Passwordless MFA uses a combination of “something you have” (a private key stored on a user’s device) and “something you are” (device biometric) to authenticate users.

Security Considerations of Passwordless MFA

A passwordless approach to MFA has several advantages compared to one-time codes and password-based systems. Some security advantages include:

  • Improved security and reduced phishing threat: Passwords are a weak factor, and schemes based on one-time codes often boil down to the knowledge of two (potentially identical) passwords. Passwordless MFA eliminates the use of passwords as one of the two factors, improving authentication security and cutting down on the risk of phishing and social engineering attacks that lead to account takeovers and fraud.
  • Regulatory compliance: Many regulations require MFA, like PSD2 Strong Customer Authentication, which involves the use of two or more distinct factors for user authentication. The combination of “something you have” and “something you are” meets this requirement without any weak factors present.
  • Reduced attack surface: Passwords don't need to be stored as a backup or recovery method, so companies don't have to worry about securing shared secrets in their databases that can be stolen and sold on the dark web.

User Experience Considerations

In addition to improved security, passwordless MFA also provides significant user experience benefits compared to one-time codes, including:

  • Frictionless authentication: Passwordless MFA is based on asymmetric cryptography, with tamper-proof private keys stored in the device’s TPM, which delivers the possession factor. The user can also be prompted to provide verification in the form of a facial or fingerprint biometric, which serves as the inherence factor.
  • No second device needed: With passwordless authentication, all authentication factors can be stored and gathered by a single device. This eliminates the need to have a second device handy to receive one-time codes and you don’t need to worry about latency caused by slow code deliveries or code delivery failures.
  • Reliable authentication: One-time codes are frequently delayed or dropped en route to users. Passwordless authentication only requires a single device, eliminating any potential delays and added friction.
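
The asymmetric-key possession factor described above, sketched as an added Go example (not Beyond Identity's code): the server stores only a public key and verifies a signature over a fresh challenge, so its database holds no shared secret. The `Server` type, the user name `alice`, the choice of Ed25519, and the in-memory private key standing in for a TPM-held one are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds only public keys and open challenges: no shared secret.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

// Enroll registers the public half of a key pair created on the device.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Verify consumes the challenge, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, nonce := s.pubKeys[user], s.pending[user]
	delete(s.pending, user)
	return pub != nil && nonce != nil && ed25519.Verify(pub, nonce, sig)
}

// Demo reports whether a fresh response and a replayed one are accepted.
func Demo() (fresh, replayed bool) {
	s := &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // device side (TPM on real hardware)
	if err != nil {
		panic(err)
	}
	s.Enroll("alice", pub)
	sig := ed25519.Sign(priv, s.Challenge("alice")) // after the biometric check
	fresh = s.Verify("alice", sig)
	s.Challenge("alice") // next login attempt gets a new nonce
	replayed = s.Verify("alice", sig)
	return fresh, replayed
}

func main() { fmt.Println(Demo()) }
```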

Implement Passwordless MFA with Beyond Identity

Passwordless MFA provides significant benefits to an organization compared to MFA implemented with one-time codes. It streamlines the authentication process and eliminates the risks of password-based attacks.

With Beyond Identity, passwordless is quick and easy to implement for native and web applications. Beyond Identity also makes it possible to further tune the balance of usability and security by implementing continuous risk-based authentication that only imposes strong authentication requirements when user requests or behavior warrant it.

Passwordless MFA enables companies to better secure authentication for their customers and helps avoid a costly data breach. Learn more about Beyond Identity’s customer authentication solution.