In December 2014, I published Would You Implement Passwordless Login? It expanded on articles such as Justin Balthrop’s Passwords are Obsolete and Ben Brown’s Is it time for passwordless login? The Passwordless project for Node.js has inspired others, including options for PHP and Ruby.
I mentioned considering passwordless authentication for a client project. I’m pleased to say it’s been operating for several months and has been a revelation. More about that shortly — but first, let’s recap …
What is Passwordless Authentication?
We’re using the same authentication methods devised at the dawn of the web. Unfortunately, passwords are increasingly broken:- People rarely create strong passwords. Surveys report one in ten accounts use something from the top twenty most popular passwords. “123456” is used by more than 4% accounts; “password” remains the second most-used.
- People use the same terrible password on multiple sites. If you happen to crack someone’s Facebook login, you can probably access their PayPal account. Your single password is only as good as the security of the weakest system you use.
- Corporation hacks are increasingly common and attract mainstream media interest. It’s an easy route to make a name for yourself, extract revenge or indulge in blackmail. Few companies are prepared for acts of cyber-terrorism and, despite the usual claims of “sustained sophisticated attacks”, many breaches are simple SQL injections caused by poor development techniques.
- From a coding perspective, authentication is tedious and mistakes are made. Checking credentials is the start of your problems: you need to ensure there are no cracks in security, hash strings using strong (and slow) algorithms, allow users to reset forgotten passwords and answer support calls from confused users who are seemingly unable to remember or type a short string correctly.
- Alternative solutions such as biometrics or OAuth depend on hardware or suitable social media accounts. Few sites implement it well, and still need to revert back to email/password methods for some users.
- To log in, the user visits a site and enters an ID such as an email address.
- They are sent a message with a link; they click it and are logged in.
In other words, the application creates a random, one-time password, and whispers it to the user whenever they need to access. It’s a similar process to resetting your password — which many users do every login anyway! Email is an obvious choice, but any other messaging service can be used — such as SMS, Slack, Skype, instant messaging or even Twitter direct messages. Multiple options could be offered if you don’t want to rely on a single system.
It’s a little more complex behind the scenes to ensure only one person can use the login link. The general process is as follows:
- When entered, the server verifies an account exists for the email address.
- The server creates two tokens, such as 24-character hex GUIDs, and associates both with this login attempt. The first token is sent back to the login device — typically as a browser cookie. The second token is encoded in a link sent to the user by email.
- When the link is clicked, the server will receive both tokens and verify them against a single login attempt. Optionally, it can make further checks to ensure the link has been clicked within a few minutes and the IP address and browser user-agent string have not changed.
- If everything verifies, a real session is started and the user is logged in. If anything fails, all associated tokens can be invalidated; it’s impossible to use them again.
- It’s considerably simpler for users. There are no passwords to create or store. You don’t need a social media account or third-party software other than access to your messaging system. It’s impossible to register without valid credentials.
- It’s more secure. No passwords are stored and there’s nothing to hack or guess. Even if someone intercepts a message, they’d only have one of the two tokens and couldn’t log in.
- It’s cost-effective. There’s less code to develop and deploy. Login code is mostly handled by another service with robust security. Your support team is freed from endless password problems.
Where can Passwordless Authentication be Used?
Logging in takes a little longer — but so does using a password manager! Passwordless authentication can be offered on applications which have reasonably long session timeout periods, or where users only need infrequent access. Shopping sites, social networks, forums, ticketing and content management systems are good use cases. It would be strange to use passwordless authentication on a messaging system, since you’d require another to log in! Nor would you want your bank depending solely on AOL for their security, although secondary identification processes could supplement it. Passwordless can be considered if you’re creating a new application. However, updating an existing application with many users who currently have passwords is more problematic. I suggest running passwordless authentication in parallel rather than switching to a new login process overnight. Offer it as a choice — especially to users who reset their password — and assess uptake after a few months to determine whether it’s viable.Real World Test
I implemented passwordless authentication on a new application used by a client for several hundred internal personnel and external customers. Around half the userbase have good IT skills and access daily, so their sessions rarely expire. The other half are mostly managers who log in once or twice per month — many forgetting or mistyping passwords.
The biggest issue: clients must be convinced.
“Passwordless” sounds insecure, and few people will have seen it used elsewhere. I was lucky: the client had a single technically-savvy project manager who understood the concept. Even then, I agreed to add passwords if anything failed.
It was plain sailing from that point onward. For technical reasons, I had to integrate my own implementation rather than rely on a third-party library. It took less than one day, and there was no need for the usual password management, hashing and resetting nonsense which we normally develop and test.
The biggest bonus: users understand passwordless authentication. The process is simple, but it’s best to provide simple instructions at all stages. For example:
- A login link has been emailed to you. Please check your spam folder if it does not arrive.
- Please click this link to log in … You have 10 minutes to open this link in the same browser.
Conclusion
I couldn’t claim passwordless authentication works everywhere, but the experience has been overwhelmingly positive. I’m a convert. All my applications will be passwordless from now on. Some clients may not be happy — but I’ll just pop a dummy password box on their login form and ignore it! Have you implemented passwordless authentication? Was it a good or bad experience?Frequently Asked Questions (FAQs) on Passwordless Authentication
What are the main benefits of passwordless authentication?
Passwordless authentication offers several benefits. Firstly, it enhances security by eliminating the risk of password-related breaches, such as brute force attacks, dictionary attacks, and phishing. Secondly, it improves user experience as users no longer need to remember complex passwords or go through tedious password reset processes. Lastly, it reduces operational costs as businesses spend less time and resources on password management and recovery.
How does passwordless authentication work?
Passwordless authentication works by verifying the user’s identity using factors other than passwords. These factors can be something the user has (like a smartphone or a hardware token), something the user is (biometric data like fingerprints or facial recognition), or something the user does (behavioral biometrics). The system sends a one-time code or link to the user’s device or uses biometric data to authenticate the user.
Is passwordless authentication secure?
Yes, passwordless authentication is generally more secure than traditional password-based authentication. It eliminates the risk of password-related attacks and breaches. However, like any other security measure, it is not entirely foolproof and should be used in conjunction with other security measures like multi-factor authentication and secure protocols.
What are the challenges of implementing passwordless authentication?
Implementing passwordless authentication can pose several challenges. These include user acceptance, as some users may be resistant to change; technical challenges, as it requires significant changes to existing systems; and potential security risks, as it relies on devices or biometric data that can be lost, stolen, or spoofed.
Can passwordless authentication be used for all types of applications?
While passwordless authentication can be used for a wide range of applications, it may not be suitable for all. The suitability depends on the security requirements of the application, the user base, and the resources available for implementation and management. It is best suited for applications where user convenience is a priority and the risk of data breach is high.
How does passwordless authentication improve user experience?
Passwordless authentication improves user experience by eliminating the need for users to remember and enter complex passwords. It also simplifies the login process, making it quicker and more convenient. Users no longer need to go through password reset processes, which can be frustrating and time-consuming.
What is the difference between passwordless authentication and multi-factor authentication?
Passwordless authentication is a method of verifying a user’s identity without the use of passwords. On the other hand, multi-factor authentication is a method of verifying a user’s identity using two or more independent factors. Passwordless authentication can be a part of multi-factor authentication, where one of the factors does not involve a password.
What are some examples of passwordless authentication methods?
Some examples of passwordless authentication methods include biometric authentication (like fingerprint scanning or facial recognition), hardware tokens, software tokens, and mobile push notifications. These methods can be used alone or in combination for added security.
Is passwordless authentication expensive to implement?
The cost of implementing passwordless authentication can vary depending on several factors, including the size of the user base, the complexity of the existing systems, and the chosen passwordless method. While it may require an initial investment, it can lead to cost savings in the long run by reducing the resources spent on password management and recovery.
How can I transition to passwordless authentication?
Transitioning to passwordless authentication involves several steps. Firstly, you need to evaluate your security needs and choose a suitable passwordless method. Then, you need to update your systems and processes to support the chosen method. Lastly, you need to educate your users about the new method and guide them through the transition process. It is recommended to work with a trusted security provider to ensure a smooth transition.
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
