Passwordless Authentication 101: Why It Matters
Passwordless authentication is the collective name given to methods of verifying a user’s identity that do not use passwords. Common passwordless methods include verifying a user’s biometric traits (e.g. fingerprints, facial recognition) or verifying a user’s possession of an account or device (e.g. magic links, one-time passwords).
If implemented thoughtfully, passwordless methods help applications get to market faster, adopt and delight more users, and reduce their risk surface against credential-based attacks.
This article will highlight why passwordless authentication is needed, cover details on common authentication methods in use today, and share tips on how app builders can get started on their passwordless journey.
Why is passwordless authentication needed?
It’s a “shared secret” that passwords are a pain for users, app developers, and security practitioners alike. Let’s take a look at how passwords impact virtually every aspect of online existence today.
Passwords cause user friction
There’s no password fan club. The typical Internet user dislikes passwords and the friction they cause from login to checkout. Whether it’s having to create and remember hundreds of unique passwords, going through laborious password reset flows, or having to constantly update passwords for “security” reasons that aren’t really secure – passwords offer no redeeming quality to the average person online.
Around 60% of respondents to a research survey said they would be “thrilled” if they never had to remember their passwords again. And with many applications and websites already using passwordless login, users now have a point of comparison and are not afraid of voting with their feet.
Let’s consider two equivalent applications vying for the same user. One app asks them to create a strong and unique password while the other app authenticates them with a swipe of a fingerprint on their phone. Which app is the user more likely to have a good first experience with? More importantly, which app is the user more likely to keep coming back to?
Passwords are a security headache
Passwords are the “keys to the kingdom” that most attackers seek, and easily find. According to the 2022 Verizon DBIR, over 80% of breaches in the Basic Web Application Attacks pattern involved the use of stolen credentials. Why is this number so high?
It’s partly because there’s no shortage of leaked passwords at the attackers’ fingertips. Research from 2022 found 24 billion username and password combinations available on the dark web and other cybercriminal forums.
It’s also partly because users are forced into bad behaviors by having to deal with passwords. Since no one can realistically keep track of hundreds of unique passwords, users resort to “boilerplate” weak passwords or reuse the same password across multiple online applications. This means a data breach on one application gives attackers the ammunition to try the same password on other applications through credential stuffing.
It’s mostly because passwords are not a reliable indicator of a user’s identity. They are meant for users to “know and remember”, but that means an attacker just needs to “know and remember” a user’s password to take over their identity.
Passwords are expensive
Implementing passwords compels product owners and app developers to spend time and effort on non-core initiatives.
Managing password infrastructure and storage
Creating and updating password reset flows
Adding security controls that protect against password-based attacks
Allotting the help desk’s time to deal with password reset and locked account requests
The list of “password-related labor” is a long one. And if the user friction and security concerns covered above are any indication, it’s not a labor of love either. Every sprint cycle and budget line item dedicated to passwords has an opportunity cost attached.
Drag & drop passwordless authentication with Descope
Going passwordless improves user experience and security for any app. However, setting up these authentication systems can be time-consuming. Descope abstracts away the complexity of authentication with a no-code workflow builder, ensuring that developers can spend more time building their core product.
Sign up for Descope's passwordless authentication solution to start your app's passwordless journey.
Types of passwordless authentication
This section will cover the most common passwordless methods in use today. Before getting into the details, it’s worth noting the three generally accepted authentication factors:
Knowledge: Something only the user knows (e.g. passwords, security questions).
Possession: Something only the user has (e.g. phone, email account, security key).
Inherence: Something only the user is (e.g. fingerprint scans, facial recognition).
Passwordless methods verify users through possession factors, inherence factors, or a combination of the two. These factors are typically harder to spoof and are more reliable indicators of a user’s identity than knowledge factors are.
Since social logins and single sign-on are technically not passwordless (but rather delegate authentication to identity providers where users have already created a password), they are not included here. To learn more about these concepts, check out our articles on OAuth 2.0 and SAML.
Magic links
Magic links are URLs with embedded tokens that – when clicked – enable users to log in without needing a password. These links are mostly delivered to the user’s email account, but can also be sent via SMS and other messaging services like WhatsApp.
Magic links are an indicator of a user’s identity because they verify “something the user has”. This can be the user's email address (for magic links delivered as an email) or their phone (for magic links delivered via SMS or other phone-based messaging apps). Two practical consequences follow: the account is only as secure as the inbox or phone number the link is sent to, and because the link works from whatever device opens it, the token must be single-use and short-lived so that a forwarded or phished link cannot be reused.
Did you know? Besides authentication, magic links can be used in many other scenarios to activate users and grow adoption. For example, if users have some items in their cart on a shopping app but do not complete the purchase, a magic link can be sent that takes the user directly to their cart.
One-time passwords (OTP)
One-time passwords / passcodes are dynamically generated sets of numbers or letters meant to grant users one-time access to an application. Unlike passwords, an OTP is not static and changes every time the user attempts login.
OTPs can be delivered via SMS, email, and messaging apps. They can also be delivered via dedicated authenticator apps, which is covered in the upcoming section. Users like one-time codes because they don’t need to be remembered and usually don’t require new hardware. Users are already familiar with common OTP delivery methods and don't need to learn new behaviors to use them.
That said, OTPs can be phished: a user who types a code into a look-alike site hands it to the attacker, who relays it to the real site within the code's validity window. SMS delivery in particular is also exposed to SIM swapping and to interception on the carrier network. NIST's 2016 draft of SP 800-63B proposed deprecating SMS as an out-of-band authenticator; the final 2017 guideline stopped short of that and instead classifies it as “restricted”, requiring agencies to assess the risk, notify users, and offer a non-restricted alternative.
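Both magic links and emailed or texted OTPs come down to the same server-side mechanism: generate a secret, hand it to the user over the possession channel, keep only a hash of it, and accept it once within a short window. The example below is added here to show that mechanism for both the magic link section above and this one; it is not Descope's code. The policy values (a 15-minute link, a 5-minute code, five guesses for a 6-digit code), the in-memory store and the URL shape are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (illustrative, not from the article).
MAGIC_LINK_TTL = 15 * 60     # seconds a magic link stays valid
OTP_TTL = 5 * 60             # seconds a 6-digit code stays valid
OTP_MAX_ATTEMPTS = 5         # a 6-digit code has only 10^6 values, so cap guesses


@dataclass
class PendingLogin:
    user: str
    kind: str            # "magic_link" or "otp"
    secret_hash: bytes   # SHA-256 of the secret; the secret itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCredentialStore:
    """In-memory store of outstanding magic links and OTPs keyed by login id.
    The clock is injectable so expiry can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._pending: dict[str, PendingLogin] = {}
        self._clock = clock

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue_magic_link(self, user: str, base_url: str) -> tuple[str, str]:
        """Return (login_id, url). The token carries 256 bits of entropy, so the
        URL is unguessable and no attempt counter is needed for it."""
        login_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._pending[login_id] = PendingLogin(
            user, "magic_link", self._digest(token), self._clock() + MAGIC_LINK_TTL)
        return login_id, f"{base_url}/login/magic?id={login_id}&token={token}"

    def issue_otp(self, user: str) -> tuple[str, str]:
        """Return (login_id, code) for delivery by email or SMS."""
        login_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[login_id] = PendingLogin(
            user, "otp", self._digest(code), self._clock() + OTP_TTL)
        return login_id, code

    def verify(self, login_id: str, presented: str) -> str | None:
        """Return the authenticated user, or None on any failure. The credential
        is single-use, time-bounded, attempt-limited (OTP) and compared in
        constant time."""
        entry = self._pending.get(login_id)
        if entry is None or entry.used:
            return None
        if self._clock() > entry.expires_at:
            del self._pending[login_id]
            return None
        if entry.kind == "otp":
            entry.attempts += 1
            if entry.attempts > OTP_MAX_ATTEMPTS:
                del self._pending[login_id]   # burn the code after too many guesses
                return None
        if not hmac.compare_digest(entry.secret_hash, self._digest(presented)):
            return None
        entry.used = True   # a link or code can never be replayed
        return entry.user
```

Hashing the stored secret means a read of the pending-login table (a database dump, a log line) does not yield usable links or codes; the attempt cap is what keeps a 6-digit code from being brute-forced inside its 5-minute window.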
Authenticator apps
Authenticator apps operate based on time-based one-time passwords (TOTP). A TOTP code is generated with an algorithm that uses a shared secret and the current time as inputs – this means the code changes at a fixed interval, most commonly every 30 seconds (the RFC 6238 default).
TOTP codes can also be generated by hardware tokens like physical fobs or security keys. However, authenticator apps (software tokens) are the more widely adopted implementation since they don’t require users to carry around any extra hardware other than their mobile phone.
Authenticator apps are considered more secure and user friendly than SMS authentication: there is no message in transit to intercept, no carrier to depend on, and no delivery delay, and because TOTP generation works offline the apps are usable in a wider range of scenarios than SMS OTP. The limit is that a TOTP code is still typed by the user, so a real-time phishing site can capture and relay it just as it can an SMS code; only origin-bound methods such as FIDO/WebAuthn (covered below) close that gap.
Biometrics
Biometrics are physical or behavioral traits that are unique to an individual. Biometric authentication checks these traits to grant users access to applications. Popular biometric authentication techniques in use today include fingerprint scanning and facial recognition.
The adoption of biometrics has soared due to Apple, Google, Microsoft, and Samsung launching devices with built-in fingerprint scanning and facial recognition capabilities. Since biometric authentication is based on “who users are”, biometric traits are much tougher to steal and repurpose than passwords, PIN codes, and other forms of knowledge-based authentication.
Did you know? Biometric authentication implemented with the FIDO standard and WebAuthn keeps the biometric data on the user’s device: the fingerprint or face match happens locally and merely unlocks a device-bound private key, and the application only ever receives a signature over its challenge plus a flag saying that user verification took place. This addresses the privacy concerns associated with reading users’ biometric data, and it means a breach of the application’s servers yields no biometric templates for attackers to steal.
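To make concrete what the application does receive in a WebAuthn login, the example below is added here (it is not code from the article, the FIDO specifications, or any library) and walks through the relying-party checks on an authentication assertion: ceremony type, challenge, origin, rpIdHash, the user-present and user-verified flags, the signature counter, and finally the signature. The simulated authenticator and its HMAC “device key” are assumptions so the example runs without a cryptography library; a real authenticator signs with a device-bound ECDSA P-256 key and the relying party verifies with the public key it stored at registration. The relying party name example.com and the challenge values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Callable

FLAG_UP = 0x01  # user present: the user touched/unlocked the authenticator
FLAG_UV = 0x04  # user verified: fingerprint, face or PIN was checked on the device


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || ...
    Note what is absent: no fingerprint or face data, only a flag bit."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(*, rp_id: str, expected_origin: str, expected_challenge: bytes,
                     stored_sign_count: int, client_data_json: bytes,
                     authenticator_data: bytes, signature: bytes,
                     verify_signature: Callable[[bytes, bytes], bool],
                     require_uv: bool = True) -> int:
    """Relying-party checks for a WebAuthn authentication assertion.
    Returns the new signature counter; raises ValueError on any failure."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed assertion")
    # Origin binding is what defeats phishing: the browser, not the user, writes
    # the origin into clientDataJSON, so a look-alike domain cannot produce ours.
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin {client_data.get('origin')!r} != {expected_origin!r}")
    ad = parse_authenticator_data(authenticator_data)
    if not hmac.compare_digest(ad["rp_id_hash"], hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not ad["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["flags"] & FLAG_UV:
        raise ValueError("user verification (biometric/PIN) not asserted")
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase: cloned authenticator?")
    # The signature covers authenticatorData || SHA-256(clientDataJSON).
    if not verify_signature(authenticator_data + hashlib.sha256(client_data_json).digest(), signature):
        raise ValueError("bad signature")
    return ad["sign_count"]


def assertion_problem(**kwargs) -> str:
    """Convenience wrapper: '' if the assertion verifies, else the reason."""
    try:
        verify_assertion(**kwargs)
        return ""
    except ValueError as err:
        return str(err)


# --- Simulated authenticator for this offline example (an assumption, not spec code).
# An HMAC key stands in for the credential's ECDSA private/public key pair.
DEVICE_KEY = b"stand-in for the credential private key"


def device_sign(message: bytes) -> bytes:
    return hmac.new(DEVICE_KEY, message, hashlib.sha256).digest()


def rp_verify_signature(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(device_sign(message), signature)


def simulate_authenticator(rp_id: str, origin: str, challenge: bytes,
                           sign_count: int, user_verified: bool = True) -> dict:
    """Build what navigator.credentials.get() would hand back to the page."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                   "origin": origin}).encode()
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    signature = device_sign(auth_data + hashlib.sha256(client_data_json).digest())
    return {"client_data_json": client_data_json, "authenticator_data": auth_data,
            "signature": signature}
```

The origin check is the one that separates this from OTPs and magic links: an assertion obtained on a look-alike domain fails verification even if the user did everything the phishing page asked, because the browser fills in the origin and the signature covers it.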
Benefits of passwordless authentication
Passwordless authentication systems help apps get to market faster, shut down most credential-based attacks at their source, and delight end users. Here are some advantages of going passwordless:
Reduce fraud and account takeover: Eliminating passwords removes the target of credential stuffing, brute force, and password-spraying attacks outright. Phishing resistance depends on the method chosen: magic links and OTPs can still be captured and relayed by a real-time phishing site, while FIDO/WebAuthn credentials are bound to the legitimate origin and cannot be.
Onboard and engage more users: Apps that do not impose the cognitive load of creating and remembering passwords on users are likely to onboard them faster, keep them coming back, and generate a positive brand perception.
Focus resources on core initiatives: Going passwordless obviates the need for password management and storage, password reset flows, and security investments to protect app servers against password-based attacks.
Passwordless authentication vs MFA
Passwordless authentication and multi-factor authentication (MFA) are sometimes mentioned in similar contexts, so it’s worth separately defining the two terms and understanding where they differ. While passwordless replaces password authentication with other factors, MFA refers to using any two or more authentication factors to validate user identities.
While common MFA implementation involves augmenting passwords with a second (passwordless) authentication factor, MFA can also be completely passwordless. For example, an app can use a fingerprint scan as the first authentication factor and an email magic link as the second authentication factor.
Tips to start your passwordless journey
Adopting a passwordless approach can seem like a daunting project to take on at first glance. Here are some tips to help app builders prioritize and phase in passwordless initiatives.
Choose the right method(s) for your users
Not all passwordless experiences are created equal. Above all, the success of a particular authentication method depends on user fit. Here are some questions to consider before choosing a preferred authentication method:
Are users likely to be aware of the method? Have they used similar methods on other apps in the same or tangential sectors?
Are users accessing the app mainly through desktop or mobile?
How discerning are users about parting with their personal information (even if it’s just their email ID or phone number)?
How security conscious is the average user? Is security a deciding factor in choosing between two otherwise equivalent apps?
For example, consider a fintech app that users mainly access on their mobile phones. Since the app directly impacts users’ wallets, security is an important consideration. Taking all these points into account, this app might consider using WebAuthn-based fingerprint scans to authenticate users. This option is convenient for users (since they are on their mobile devices anyway) and is one of the most secure authentication methods available.
In fact, the method above is actually MFA! Biometric authentication using WebAuthn uses both a possession factor (the user’s phone) and an inherence factor (the user’s fingerprint), but without the perceived inconvenience that sometimes comes with other MFA implementations.
Pilot, then scale
For apps that already have plenty of users, it’s prudent to choose a subset of users to run a pilot of passwordless technology before rolling it out to the rest of the user base. Lessons learned from the pilot can be applied to the wider rollout. Moreover, if the results of the pilot are encouraging, product owners can even share positive user stories to speed up adoption from subsequent sets of users.
Invest in user education and messaging
While going passwordless improves user experience, implementing it without proper user education and messaging can have the opposite effect – especially for apps that already have password-based authentication that users are familiar with.
Ensure that users receive communication about the upcoming change to their login flow, why the new way is better, and where they can reach out for any clarification. This blog from Medium where they announced their move to email magic links is a great example of user education.