The Passwordless Magic ✨

Sumit M, published in nonstopio
6 min read, Jul 15, 2022

What is Passwordless?

Passwordless is an authentication mechanism where a user’s digital identity is verified with something other than a text-based password, i.e. she can log in and access the system/platform without entering a password.

Background 🌐

Typically we’ve implemented authentication systems where a username and password, social logins (Google, Facebook, Twitter, Apple, etc.), or similar mechanisms require the user to enter a password, security answer, secret key, etc. to log into the system. This puts the tedious burden of remembering that password or secret key on the user. We tend to write these passwords down someplace, memorize them, or store them in a secure digital location (e.g. a password manager such as LastPass).

Top 25 worst passwords. Source: fortune.com

A couple of interesting (concerning) stats:

  1. Over two-thirds of people reuse passwords across sites, resulting in an increasingly insecure digital ecosystem
  2. Today, password vulnerabilities account for more than 80% of all data breaches

Now, if passwords fail most of the time, are tedious to remember, and are unsafe to keep in plaintext, aren’t there better (and easier) ways to solve the authentication problem? It turns out that the solution was right around the corner all along… enter Passwordless!

Origins of Passwordless 🌿

The first versions of Passwordless authentication were introduced in the 1980s: physical fobs that generated OTPs (One Time Passwords), used as security tokens.

Physical fobs that generate OTPs (One Time Passwords)

The 2000s gave rise to Multi-Factor Authentication (MFA), which combined passwordless and password-based authentication methods, and organizations like Google began building it into their applications.

Passwordless’ rise to fame 🔈

  • At an IT security conference in 2004, Bill Gates publicly advocated making passwords obsolete. Gates and the Microsoft team went over several of the security threats inherent to knowledge-based passwords, and they advocated for newer authentication technologies, including a tamper-resistant biometric ID card.
Gavin Jancke (R), Development Manager with Microsoft Research, shows Bill Gates, Microsoft Chairman, and Chief Software Architect, new biometric ID-card technology
  • In late 2011, IBM predicted that “multi-factor biometrics” would become the dominant authentication protocol, creating a completely passwordless world.
  • In 2013, Google pushed things forward. Eric Grosse, VP of security engineering, stated that “passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe”. Google went ahead to make multi-factor authentication (MFA) protocols standard within the organization, and that same year, Google’s information security manager, Heather Adkins, put it bluntly, “Passwords are done at Google.”
  • In 2014, after Russian hackers accessed the login credentials of over 1.2 billion internet users, Avivah Litan, VP Analyst at Gartner, reiterated the need to go passwordless. In her words, “Passwords were dead a few years ago. Now they are more than dead.”
  • The rise of mobile has boosted the popularity of passwordless authentication. In 2013, Apple introduced Touch ID (and Face ID has since followed), making passwordless biometric authentication ubiquitous today. Additionally, passwordless strategies (e.g. sending an SMS-based magic link) allowed mobile-first businesses, like Uber and Lyft, to authenticate users and perform account verification in a single easy step.
Apple Touch ID Source

Types of Passwordless 👥

There are several ways to implement Passwordless authentication. Some of which are:

1. Biometrics: Biometric authentication uses unique physical traits to verify a user’s identity. Fingerprints, retina scans, and facial recognition are used to uniquely identify a person. Biometric authentication is more secure than a password because no one has your exact fingerprint (even if you are an identical twin) or your exact face (the chance of two faces being similar enough to bypass facial recognition is extremely small, even in the case of identical twins). Biometrics rely on inherence factors: something that is inherent to the user, like their facial features, fingerprint, or voice. Even though modern AI has enabled hackers to spoof certain physical traits, behavioral characteristics still remain extremely hard to fake.

Biometric Passwordless Authentication

2. One-Time Passwords: The idea here is that the user receives a password/code via email or SMS text message, which they can use to instantly access the system. This is authentication via something that the user owns or carries with them.

Passwordless via OTPs

3. Magic links: The user enters their email address, and the system sends them an email. The email contains a ‘magic’ link, which the user can click to instantly get access to the system. This process is repeated every time the user has to log in to the platform.

Passwordless via Magiclinks!

3.1 Knowledge factors: One-time passwords and magic links sent through email are knowledge factors: you need to know the password for the email account to access the magic links.

3.2 Possession factors: One-time passwords and magic links sent via SMS are possession factors: they rely on something the user has, like a secondary device, to validate the identity of the user.

Magiclinks in Slack. Source
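Whether the secret is a short e-mailed/SMS code (type 2) or a long token embedded in a magic link (type 3), the server-side lifecycle is the same: generate it from a CSPRNG, store only a hash, expire it, burn it on first use, and give short codes a guess budget. The following is an added example to illustrate that lifecycle, not code from the original post; the URL host, the 10-minute TTL and the five-guess budget are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 10 * 60    # assumption: codes and links expire after 10 minutes
MAX_OTP_ATTEMPTS = 5     # assumption: a 6-digit code gets five guesses, then is void


class PasswordlessService:
    """Issue and redeem single-use, expiring e-mail OTP codes and magic-link
    tokens. Challenges live in a dict keyed by e-mail address (one live
    challenge per address); a real deployment would use a database."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # email -> {"hash": sha256(secret), "exp": t, "left": n}

    @staticmethod
    def _hash(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def _issue(self, email: str, value: str, attempts: int) -> None:
        # Only the hash is stored, so a leaked table cannot be replayed as
        # valid links; re-issuing replaces any earlier challenge for this address.
        self._pending[email] = {"hash": self._hash(value),
                                "exp": self._now() + TTL_SECONDS, "left": attempts}

    def issue_magic_link(self, email: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits: guessing is infeasible
        self._issue(email, token, attempts=1)   # a wrong token for this address voids the link
        return f"https://example.test/login?email={email}&token={token}"  # placeholder host

    def issue_otp(self, email: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # 6 digits: guessable, so budgeted
        self._issue(email, code, attempts=MAX_OTP_ATTEMPTS)
        return code                                  # sent to the user by e-mail or SMS

    def redeem(self, email: str, submitted: str) -> bool:
        entry = self._pending.get(email)
        if entry is None or self._now() > entry["exp"]:
            self._pending.pop(email, None)           # unknown or expired
            return False
        if hmac.compare_digest(entry["hash"], self._hash(submitted)):
            del self._pending[email]                 # single use: burn on success
            return True
        entry["left"] -= 1
        if entry["left"] <= 0:
            del self._pending[email]                 # guess budget exhausted: must re-issue
        return False
```

The same structure covers the SMS possession-factor case in 3.2; only the delivery channel changes, not the issuance or redemption rules.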

4. Push notifications: Push notifications are a mobile-centric form of passwordless authentication. To access an app on a mobile device, users receive a push notification that allows them to open the app and verify their identity.

Magic links and push notifications. Source: Postmark

Advantages of Passwordless ⭐️

There are quite a few advantages of going Passwordless, a few of them are:

  1. A more secure authentication mechanism == Zero password breaches
    Passwordless is a more secure authentication mechanism than a username/password due to the factors discussed above
  2. Better and effortless login user experience (UX)
    Passwordless authentication delivers a seamless digital experience: Users aren’t stymied by forgotten passwords, and they can access your platform securely in seconds.
  3. Reduction in long-term costs
    Password management is expensive, largely because people forget their passwords and need help resetting them. Industry experts generally agree that at scale each password reset costs a company $70.
  4. Higher conversion rates
    A superior user experience yields more customer loyalty, higher conversion rates, and ultimately more revenue. For some companies, eliminating passwords has improved conversion rates by more than 50%.

Future of Passwordless 💡

Cyberattacks and data breaches continue to grow with each passing day. This is setting off alarm bells in many companies, with more and more investments being made into biometrics and adaptive authentication. The cost of implementing passwordless is nothing compared to the fines and losses incurred due to a data breach. Finally, passwords are a nuisance for users: hard to remember and a pain to reset. On the other hand, passwordless techniques are convenient, user-friendly, and contribute to a seamless customer experience.

— — — —

What’s next ⚙️

In subsequent stories, we will deep dive into implementing Passwordless on various technology stacks including Flutter, NodeJS, Python, Angular, and React. We will also talk about some frameworks that help with implementing Passwordless in our systems. These tutorials will cover:

  1. Configuring the setup and installation (Cloud resources, 3rd party tools, libs, etc.)
  2. Creating magic links, biometric triggers, push notifications, etc.
  3. Setting up triggers and getting the backend to churn out the magic (API work)
  4. Watching the magic happen in real-time on the UI (Web & Mobile)

— — — —

We keep sharing our technology and life learnings in our publication (NonStop io)

✌🏽🙂