Passwordless Authentication 101: Why It Matters


Passwordless authentication is the collective name given to methods of verifying a user’s identity that do not use passwords. Common passwordless authentication methods include verifying a user’s biometric traits (e.g. fingerprints, facial recognition) or verifying a user’s possession of an account or device (e.g. magic links, one-time passwords). 

If implemented thoughtfully, passwordless authentication helps applications get to market faster, adopt and delight more users, and reduce their risk surface against credential-based attacks.

This article will highlight why passwordless authentication is needed, cover details on common authentication methods in use today, and share tips on how app builders can get started on their passwordless journey.

Why is passwordless authentication needed?

It’s a “shared secret” that passwords are a pain for users, app developers, and security practitioners alike. Let’s take a look at how passwords impact virtually every aspect of online existence today.

Passwords cause user friction

There’s no password fan club. The typical Internet user dislikes passwords and the friction they cause, from login to checkout. Whether it’s having to create and remember hundreds of unique passwords, going through laborious password reset flows, or being forced to rotate passwords on a schedule for “security” reasons that add little real security, passwords offer no redeeming quality to the average person online.

Around 60% of respondents to a research survey said they would be “thrilled” if they never had to remember their passwords again. And with many applications and websites already using passwordless authentication, users now have a point of comparison and are not afraid of voting with their feet. 

Let’s consider two equivalent applications vying for the same user. One app asks them to create a strong and unique password while the other app authenticates them with a swipe of a fingerprint on their phone. Which app is the user more likely to have a good first experience with? More importantly, which app is the user more likely to keep coming back to?

Passwords are a security headache

Passwords are the “keys to the kingdom” that most attackers seek, and easily find. According to the 2022 Verizon DBIR, 80% of basic web application attacks can be attributed to the use of stolen user credentials. Why is this number so high?

It’s partly because there’s no shortage of leaked passwords at the attackers’ fingertips. Research from 2022 found 24 billion username and password combinations available on the dark web and other cybercriminal forums.

It’s also partly because users are forced into bad behaviors by having to deal with passwords. Since no one can realistically keep track of hundreds of unique passwords, users fall back on formulaic passwords or reuse the same password across many applications. This means a data breach at one application gives attackers the ammunition to try the same credentials on other applications through credential stuffing.

It’s mostly because passwords are not a reliable indicator of a user’s identity. They are meant for users to “know and remember”, but that means an attacker just needs to “know and remember” a user’s password to take over their identity.

Passwords are expensive 

Implementing passwords compels product owners and app developers to spend time and effort on non-core initiatives. 

  • Managing password infrastructure and storage

  • Creating and updating password reset flows

  • Adding security controls that protect against password-based attacks

  • Allotting the help desk’s time to deal with password reset and locked account requests

  • … 

The list of “password-related labor” is a long one. And if the user friction and security concerns covered above are any indication, it’s not a labor of love either. Every sprint cycle and budget line item dedicated to passwords has an opportunity cost attached.

Types of passwordless authentication

This section will cover the most common methods of passwordless authentication in use today. Before getting into the details, it’s worth noting the three generally accepted authentication factors:

  • Knowledge: Something only the user knows (e.g. passwords, security questions).

  • Possession: Something only the user has (e.g. phone, email account, security key).

  • Inherence: Something only the user is (e.g. fingerprint scans, facial recognition).

Passwordless authentication methods verify users through possession factors, inherence factors, or a combination of the two. These factors are typically harder to spoof remotely and are more reliable indicators of a user’s identity than knowledge factors, which can be guessed, phished, or copied from a breach without the user ever noticing.

Since social logins and single sign-on are technically not passwordless (but rather delegate authentication to identity providers where users have already created a password), they are not included here. To learn more about these concepts, check out our articles on OAuth 2.0 and SAML.

Magic links

Magic links are URLs with embedded tokens that – when clicked – enable users to log in without needing a password. These links are mostly delivered to the user’s email account, but can also be sent via SMS and other messaging services like WhatsApp.

Fig: Example of an email sign-in link from Medium

Magic links are an indicator of a user’s identity because they verify “something the user has”: the user's email account (for magic links delivered as an email) or their phone (for magic links delivered via SMS or other phone-based messaging apps). A magic link is therefore only as strong as the account it is delivered to, and the token it carries should be long and random, short-lived, and valid for a single use.

Did you know? Besides authentication, magic links can be used in many other scenarios to activate users and grow adoption. For example, if users have some items in their cart on a shopping app but do not complete the purchase, a magic link can be sent that takes the user directly to their cart.

One-time passwords (OTP)

One-time passwords / passcodes are dynamically generated sets of numbers or letters meant to grant users one-time access to an application. Unlike passwords, an OTP is not static and changes every time the user attempts login.

OTPs can be delivered via SMS, email, and messaging apps. They can also be generated locally by dedicated authenticator apps, which are covered in the next section. Users like one-time codes because they don’t need to be remembered and usually don’t require new hardware. Users are already familiar with common OTP delivery methods and don't need to learn new behaviors to use them.

Fig: An example of email OTP from Acorns

That said, OTPs can be phished: a user who types a code into a fake login page hands it to the attacker, who can relay it to the real site within the code’s validity window. SMS delivery in particular is exposed to SIM swapping and to interception on the carrier network. In 2016, NIST proposed that SMS be deprecated as an out-of-band second authentication factor.

Authenticator apps

Authenticator apps operate based on time-based one-time passwords (TOTP). A TOTP code is generated with an algorithm that uses a shared secret and the current time as inputs, so the code changes at a fixed interval, most commonly every 30 seconds. The shared secret is provisioned once at enrollment (usually by scanning a QR code) and has to be stored by the server as well, so it needs the same protection as any other long-lived credential.

TOTP codes can also be generated by hardware tokens like physical fobs or security keys. However, authenticator apps (software tokens) are the more widely adopted implementation since they don’t require users to carry around any extra hardware other than their mobile phone.

Fig: Screenshots of Google Authenticator with TOTP codes (source: Vox)

Authenticator apps are considered more secure and more user friendly than SMS authentication. A TOTP code is never transmitted to the phone, so there is no delivery channel for an attacker to intercept or redirect. TOTP codes can still be phished and relayed within their validity window, though, so they are not phishing-resistant in the way FIDO/WebAuthn credentials are. Authenticator apps don’t depend on Internet connectivity, mobile carriers, or delivery rates, making them usable in a wider range of scenarios than SMS OTP.

Biometric authentication

Biometrics are physical or behavioral traits that are unique to an individual. Biometric authentication checks these traits to grant users access to applications. Popular biometric authentication methods in use today include fingerprint scanning and facial recognition.

The adoption of biometrics has soared since Apple, Google, Microsoft, and Samsung began shipping devices with built-in fingerprint scanning and facial recognition. Because biometric authentication is based on “who users are”, it is much tougher to steal and repurpose than passwords, PIN codes, and other forms of knowledge-based authentication.

Did you know? Biometric authentication implemented with the FIDO standard and WebAuthn keeps the biometric data on the user’s device, where it is matched locally. The biometric check only unlocks a private key held by the device; the server stores the matching public key and verifies a signed challenge, and that signature is bound to the site’s origin, which is what makes it resistant to phishing. This addresses privacy concerns associated with reading users’ biometric data: the biometric itself never leaves the device, and a breach of the server yields only public keys that cannot be replayed as credentials.
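The following added example (it is not code from the original article, and not a complete WebAuthn implementation) models the exchange described above: the device generates a P-256 key pair and keeps the private key, the server stores only the public key, and each login is a signed challenge bound to the browser’s origin and the relying party ID. The relying party `app.example`, the `Authenticator` and `Credential` types, and the boolean that stands in for the local biometric check are assumptions; real assertions also carry credential IDs and CBOR-encoded attestation data, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party; real values come from configuration.
const rpID, expectedOrigin = "app.example", "https://app.example"
var rpHash = sha256.Sum256([]byte(rpID)) // every signature is bound to this
// Authenticator models the device: the P-256 key is created here and never leaves,
// and the biometric check only decides whether it may be used (a bool here).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is everything the server stores after registration.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Assertion answers navigator.credentials.get(); AuthData = rpIdHash(32) || flags(1) || signCount(4).
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Register creates the key pair on the device; only the public key reaches the server.
func Register() (*Authenticator, *Credential) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256; errors only if rand.Reader fails
	return &Authenticator{priv: k}, &Credential{Pub: &k.PublicKey}
}

// NewChallenge is the server's per-login nonce (crypto/rand.Read does not fail on supported platforms).
func NewChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}

// signedDigest is what is actually signed: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign is what browser and authenticator do together. The browser, not the page's script,
// records its own origin in clientData, which makes the assertion useless to a phishing site.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string, biometricOK bool) (*Assertion, error) {
	if !biometricOK {
		return nil, errors.New("local user verification failed; nothing leaves the device")
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": browserOrigin})
	a.counter++
	auth := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags: user present (0x01) | user verified (0x04)
	binary.BigEndian.PutUint32(auth[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(auth, cd)) // err only if rand fails
	return &Assertion{cd, auth, sig}, err
}

// Verify runs the relying-party checks: ceremony type and challenge, origin,
// rpIdHash and flags, monotonic counter, and only then the signature.
func (c *Credential) Verify(issued []byte, resp *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(resp.ClientDataJSON, &cd); err != nil || len(resp.AuthData) != 37 {
		return errors.New("malformed assertion")
	}
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != base64.RawURLEncoding.EncodeToString(issued):
		return errors.New("wrong ceremony or challenge (stale or replayed)")
	case cd["origin"] != expectedOrigin:
		return errors.New("origin mismatch: assertion was produced on another site")
	case string(resp.AuthData[:32]) != string(rpHash[:]) || resp.AuthData[32]&0x05 != 0x05:
		return errors.New("wrong rpIdHash or user presence/verification not asserted")
	case binary.BigEndian.Uint32(resp.AuthData[33:]) <= c.Counter:
		return errors.New("sign counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(c.Pub, signedDigest(resp.AuthData, resp.ClientDataJSON), resp.Signature):
		return errors.New("bad signature")
	}
	c.Counter = binary.BigEndian.Uint32(resp.AuthData[33:])
	return nil
}

func main() {
	dev, cred := Register()
	ch := NewChallenge()
	resp, _ := dev.Sign(ch, expectedOrigin, true)
	fmt.Println("genuine login error:", cred.Verify(ch, resp))
	phished, _ := dev.Sign(ch, "https://app-example.evil", true) // same challenge, wrong origin
	fmt.Println("phished login error:", cred.Verify(ch, phished))
}
```

Running `main` shows the genuine login verifying with a nil error and the phished one failing on the origin check, even though the user performed a real biometric unlock on the attacker’s page: the browser wrote `https://app-example.evil` into the signed client data, and the relying party only accepts its own origin. The monotonic sign counter is the other check worth keeping; a counter that goes backwards is the standard signal that the private key was extracted and cloned.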

Benefits of passwordless authentication

Passwordless authentication helps apps get to market faster, shut down most credential-based attacks at their source, and delight end users. Here are some advantages of going passwordless:

  • Reduce fraud and account takeover: Eliminating passwords removes the target of credential stuffing, password spraying, and breach-driven password reuse. Not every passwordless method is phishing-resistant, though: one-time codes and magic links can still be relayed by a real-time phishing site, while FIDO/WebAuthn credentials cannot.

  • Onboard and engage more users: Apps that do not impose the cognitive load of creating and remembering passwords on users are likely to onboard them faster, keep them coming back, and generate a positive brand perception.   

  • Focus resources on core initiatives: Implementing passwordless authentication obviates the need for password management and storage, password reset flows, and security investments to protect app servers against password-based attacks.

Passwordless authentication vs MFA

Passwordless authentication and multi-factor authentication (MFA) are sometimes mentioned in similar contexts, so it’s worth separately defining the two terms and understanding where they differ. While passwordless authentication replaces passwords with other authentication factors, MFA refers to using any two or more authentication factors to validate user identities. 

While common MFA implementation involves augmenting passwords with a second (passwordless) authentication factor, MFA can also be completely passwordless. For example, an app can use a fingerprint scan as the first authentication factor and an email magic link as the second authentication factor.

Tips to start your passwordless journey

Passwordless authentication can seem like a daunting project to take on at first glance. Here are some tips to help app builders prioritize and phase in passwordless initiatives.

Choose the right method(s) for your users

Not all passwordless methods are created equal. Above all, the success of a particular authentication method depends on user fit. Here are some questions to consider before choosing a preferred authentication method:

  • Are users likely to be aware of the method? Have they used similar methods on other apps in the same or tangential sectors?

  • Are users accessing the app mainly through desktop or mobile?

  • How discerning are users about parting with their personal information (even if it’s just their email address or phone number)?

  • How security conscious is the average user? Is security a deciding factor in choosing between two otherwise equivalent apps?

For example, consider a fintech app that users mainly access on their mobile phones. Since the app directly impacts users’ wallets, security is an important consideration. Taking all these points into account, this app might consider using WebAuthn-based fingerprint scans to authenticate users. This option is convenient for users (since they are on their mobile devices anyway) and is one of the most secure authentication methods available.

In fact, the method above is actually MFA! Biometric authentication using WebAuthn uses both a possession factor (the user’s phone, which holds the private key) and an inherence factor (the user’s fingerprint, which unlocks it), but without the perceived inconvenience that sometimes comes with other MFA implementations.

Pilot, then scale

For apps that already have plenty of users, it’s prudent to choose a subset of users to run a pilot of passwordless authentication before rolling it out to the rest of the user base. Lessons learned from the pilot can be applied to the wider rollout. Moreover, if the results of the pilot are encouraging, product owners can even share positive user stories to speed up adoption from subsequent sets of users.

Invest in user education and messaging

While passwordless authentication improves user experience, implementing it without proper user education and messaging can have the opposite effect – especially for apps that already have password-based authentication that users are familiar with. 

Ensure that users receive communication about the upcoming change to their login flow, why the new way is better, and where they can reach out for any clarification. The blog post from Medium announcing their move to email magic links is a good example of user education.