I wrote about creating strong passwords and about password managers to store those passwords, but what if we could log in to our favorite sites without using passwords?

Enter Passwordless Authentication

Well, today we are going to talk about passwordless authentication. You may ask what passwordless authentication is. For those of you who don't know, passwordless login systems are tools that websites can implement so that their users don’t have to log in via a password.

This doesn’t mean that users are simply let into the site without any form of authentication, though. With any type of passwordless login, users still have to verify their identities with one or more forms of authentication (but not passwords). Each passwordless login system works a little differently, so let’s walk through each of them:

Passwordless Email/SMS/Instant Messaging Authentication

The most promising passwordless authentication method, email-based systems verify a user’s identity using their email address and a complex encrypted key code.

Here’s how it works: Users click to log in. An email message is generated for them to send, and it contains an encrypted DKIM key code. When the user sends the email, the code is received, processed, and decrypted by the login server and by the website. The user’s identity and email address are matched against the website’s records, then they’re allowed access. The main point is that email authentication is lightning-fast, ultra-secure, and completely eliminates the need for users to create new passwords.

Email is an obvious choice, but any other messaging service can be used — such as SMS, Slack, Skype, instant messaging or even Twitter direct messages. Multiple options could be offered if you don’t want to rely on a single system.

Token-Based Authentication

Token-based and email authentication operate on similar concepts. With email-based systems, your email address is associated with a unique encrypted key as it’s processed through secure servers. With token-based authentication, a website’s server sends a unique encrypted token to you.

This token is attached to your login session and then decrypted as you request various actions. This means it verifies your permissions to view content, make posts, etc. each time you begin a new action. By checking the token’s signature against its security algorithm, the site can effectively verify users’ identity for multiple actions and subdomains, greatly reducing login friction along the way.

Token-based authentication is extremely efficient and flexible, but it can be tricky for some sites to implement, so don't expect to see this method anytime soon. Email-based authentication tools work via a similar concept of encrypted keys, so they’re often the fastest way for websites to get started with these innovative login techniques.
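To make the per-action check concrete, here is an added example (not code from any particular site or library) of a server issuing a token and verifying it on every request. It is an assumption-laden sketch: the names `SECRET_KEY`, `issue_token` and `authorize` are hypothetical, and the token is signed with HMAC-SHA256 rather than encrypted, so it proves integrity but its contents are readable by the client.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret; constructed value for the demo only.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user, permissions, ttl=900, now=None):
    """Build 'payload.signature' carrying the user, permissions and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": user, "perms": sorted(permissions), "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _sign(body)


def authorize(token, action, now=None):
    """Return the user if the token is authentic, unexpired and permits action."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    # Verify the signature (constant-time) before parsing client-supplied data.
    if not sep or not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"] or action not in claims["perms"]:
        return None
    return claims["sub"]
```

Because nothing is stored server-side, such a token cannot be revoked before it expires, which is why the lifetime here is kept short.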

Biometric Authentication

Fingerprint, face, or iris authentication (also known as biometrics) is growing in popularity. You might already use a fingerprint or face scanner on your smartphone. You probably don’t think of them in exactly these terms, but they’re a form of passwordless login.

The concept is simple; for fingerprint authentication, users press their thumbs on their phone’s fingerprint reader camera to authorize payments or gain access to their accounts. While this technique is intuitive and secure, completely streamlining the login process to its core, it does come with some challenges. Namely, accessing technology with a fingerprint reader can be costly for your users, and the technology is less cost-effective for businesses and nonprofits.

Unfortunately, these technologies have also already been proven to be less secure than expected. Tiny fingerprint reader cameras only register parts of your fingerprint, for instance. The odds of another person’s finger matching that part of your own print are surprisingly high.

Biometrics are developing fast, though. A passwordless login system that makes use of encrypted email authentication and a truly secure biometric could completely change the ways in which we engage with the internet.

What is the purpose of passwordless authentication and how does it work?

We’ve been using the same authentication methods since the inception of the web.

  • People rarely create strong passwords. Surveys report one in ten accounts use something from the top twenty most popular passwords. “123456” is used by more than 4% of accounts; “password” remains the second most-used.
  • People use the same terrible password on multiple sites. If you happen to crack someone’s Facebook login, you can probably access their PayPal account. Your single password is only as good as the security of the weakest system you use.
  • Corporations don't learn from past breaches, which are increasingly common. Few companies are prepared for acts of cyber-terrorism and, despite the usual claims of “sustained sophisticated attacks”, many breaches are simple SQL injections caused by poor development techniques.
  • From a developer's standpoint, authentication is tedious and mistakes are made. The developer needs to ensure there are no cracks in security, hash strings using strong (and slow) algorithms, and allow users to reset forgotten passwords.
  • Alternative solutions such as biometrics or OAuth depend on hardware or suitable social media accounts. Few sites implement them well, and they still need to fall back to email/password methods for some users.

The premise of passwordless authentication is that passwords are unnecessary when the majority of users have secure personal messaging accounts such as email and SMS. In the simplest terms:

  1. To log in, the user visits a site and enters an ID such as an email address.
  2. They are sent a message with a link; they click it and are logged in.

In other words, the application creates a random, one-time password, and whispers it to the user whenever they need access. It’s a similar process to resetting your password — which many users do every login anyway!

It’s a little more complex behind the scenes to ensure only one person can use the login link. The general process is as follows:

  1. When the email address is entered, the server verifies that an account exists for it.
  2. The server creates two tokens, such as 24-character hex GUIDs, and associates both with this login attempt. The first token is sent back to the login device — typically as a browser cookie. The second token is encoded in a link sent to the user by email.
  3. When the link is clicked, the server will receive both tokens and verify them against a single login attempt. Optionally, it can make further checks to ensure the link has been clicked within a few minutes and the IP address and browser user-agent string have not changed.
  4. If everything verifies, a real session is started and the user is logged in. If anything fails, all associated tokens can be invalidated; it’s impossible to use them again.
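The four steps above, as an added example rather than code from any real login service. The names `ACCOUNTS`, `start_login` and `finish_login` are hypothetical, "a few minutes" is assumed to mean five, the store is an in-memory dict, and keeping only SHA-256 hashes of the tokens is an extra precaution this sketch adds.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 300            # assumption: "a few minutes" taken as 5
ACCOUNTS = {"alice@example.com"}  # constructed sample account store
_attempts = {}                    # sha256(link token) -> pending login attempt


def _digest(token):
    # Store only hashes so a leaked attempts table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def start_login(email, ip, user_agent, now=None):
    """Steps 1-2: return (cookie_token, link_token), or None if no account."""
    if email not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    cookie_token = secrets.token_hex(12)  # 24 hex chars from the OS CSPRNG
    link_token = secrets.token_hex(12)
    _attempts[_digest(link_token)] = {
        "email": email,
        "cookie": _digest(cookie_token),
        "expires": now + LINK_TTL_SECONDS,
        "ip": ip,
        "ua": user_agent,
    }
    return cookie_token, link_token


def finish_login(cookie_token, link_token, ip, user_agent, now=None):
    """Steps 3-4: return the email on success, None on any failure."""
    now = time.time() if now is None else now
    # pop() invalidates the attempt whether or not the checks below pass.
    attempt = _attempts.pop(_digest(link_token), None)
    if attempt is None:
        return None
    ok = hmac.compare_digest(attempt["cookie"], _digest(cookie_token or ""))
    ok = ok and now <= attempt["expires"]
    ok = ok and ip == attempt["ip"] and user_agent == attempt["ua"]
    return attempt["email"] if ok else None
```

The login page should show the same "check your inbox" response whether or not `start_login` found an account, so the form cannot be used to test which addresses are registered.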

The benefits of passwordless authentication:

  • It’s considerably simpler for users. There are no passwords to create or store. You don’t need a social media account or third-party software other than access to your messaging system. It’s impossible to register without valid credentials.
  • It’s more secure. No passwords are stored and there’s nothing to hack or guess. Even if someone intercepts a message, they’d only have one of the two tokens and couldn’t log in.
  • It’s cost-effective. There’s less code to develop and deploy. Login code is mostly handled by another service with robust security.

Where can passwordless authentication be used?

Passwordless authentication can be offered on applications which have reasonably long session timeout periods, or where users only need infrequent access. Shopping sites, social networks, forums, ticketing, and content management systems are good use cases.

It would be strange for your bank to depend solely on Skype for its security, although passwordless authentication could be supplemented by secondary identification processes, such as entering a PIN (something the user knows) or running a biometric test (something the user is). This would be an example of multi-factor authentication that requires no password exchange between the client and the server.

However, even the best authentication technologies are of no use if they don’t receive industry-wide support and can’t be integrated into applications.

Hopefully, we’re seeing some promising synergies in the authentication landscape. The advent of the FIDO2 standard has helped pave the way for the adoption of passwordless authentication methods across different online applications.

FIDO2 has the backing of Google, Microsoft, Mozilla, and other tech giants. It builds upon the FIDO standard and adds WebAuthn, a standard web API that enables the integration of secure authentication mechanisms in browser-based web applications.

Integrating easy-to-use, passwordless authentication into applications has become easy and cost-effective, which means more and more online services can finally replace passwords with more secure alternatives.