Fernando Corbato was a MIT professor in the 1960s. When he was creating a new type of shared computer system, he wanted people to be able protect their files. A password was his solution. Corbato’s solution was the most popular and widely used method of authenticating users for decades. But there’s a catch: Passwords are inherently insecure. Passwords can be stolen, guessed, or brute-forced. Most people use passwords that are not secure and even worse, they are often reused.
Password managers such as 1Password and Dashlane help users to keep track of all their passwords and help creating secure passwords. However, password management is only half of the solution when it comes security. Eliminating passwords is the real solution.
What is Passwordless Authentication?
Passwordless authentication allows users to login without using passwords. This form of authentication allows users to log in using either a magic link, fingerprint or a token sent via email or SMS.
Okta, Duo and other enterprise-oriented companies offer ways to log in to services and apps without entering a password. Biometric login has become mainstream thanks to Apple’s facial recognition technology. Microsoft made it clear that its March 2021 announcement that they consider passwordless system access the future.
The Problem with Passwords
But why go for a passwordless solution in the first place? The reason is simple: the number of cases of stolen or hacked passwords has been increasing over the years. Many cases such as the Yahoo Data Breach, Dropbox User Account Leak, and LinkedIn Data Breach were related to multiple passwords being leaked.
Moreover, new platforms and apps are constantly emerging. Users must register for each one and create passwords. It is becoming increasingly difficult for users to keep up with the pace of change, so that many users use one password for multiple applications. This approach has an obvious problem. If hackers gain access to passwords for a single application that the user users, then they have a high chance of accessing all accounts the user has. Password managers such as LastPass or 1Password aim to solve the problem of users having to remember unique, strong passwords across multiple systems.
But what if there were no passwords to hack? What if users didn’t have to remember passwords anymore? What if passwords were completely eliminated?
Benefits of Passwordless Authentication
In comparison with passwords and password managers, passwordless authentication is a simple way to protect your data and services.
Improved User Experience: Users will sign up faster and be able to use your app, which in turn increases the number of users you can attract. Users hate having to complete forms and go through a lengthy registration process. It’s best for your users if you eliminate the five-minute wait for users to remember their grandmother’s maiden name in order to answer security questions. This is where passwordless authentication can help improve the user experience.
Increased security: Passwordless passwords are completely secure and cannot be hacked.
How does Passwordless Authentication work?
There are many ways to implement passwordless authentication.
Authentication via magic link via email. After the user has submitted their email address, a unique URL with a token is generated and stored. Then, the URL is sent to the user via email. When the user clicks on the link, access is granted. The link has to be clicked within a specified time period, e.g., 3 minutes.
Authentication via e-mail with a unique code. Users are asked to enter their email address in order to use this method of authentication. A unique, one-time code is sent via email to the user. When the user enters the code, the server verifies that it is correct and initiates a session.
Authentication via SMS with a unique code. The same as with email, but users must enter a valid phone number. Users receive a unique one-time code with an SMS.
Authentication using Fingerprint. This form of authentication uses biometric sensors on mobile devices. For example, by using the fingerprint scanner or your face, a unique key pair is generated that is used for logging in.