Passwords are insecure. Even as password awareness has increased and password practices have shifted towards creating stronger passwords and using password managers such as 1Password, a password is only as good as its complexity, its uniqueness and the security of the application or website that stores it.
You can enforce stronger passwords, but you can’t enforce uniqueness. Password rules just make people change their passwords from password123 to password123! — I’ve educated my dad on passwords, but he was notorious for creating basic passwords, as most of our parents are.
And even if you’re a conscientious internet citizen who generates a new, lengthy password for each account you create, it doesn’t matter how strong the password is if the site gets hacked and the password is stored in plaintext.
Two-factor authentication has started to become the new normal, with many companies and products now enforcing it, and many employers requiring their employees to use it for email and other services.
How does passwordless authentication work?
Chances are you have already used a web service or app that used passwordless authentication. The most popular form of passwordless authentication is email, specifically magic links.
A magic link is emailed to you, and the URL contains a special token that expires after a few minutes. Clicking this one-time link logs you straight into the service you’re using.
Another implementation of passwordless authentication uses SMS: you’re sent a code (akin to a one-time password), and you enter that in place of a password.
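As an added illustration (not code from the original post), here is how a server might issue and redeem the magic-link tokens described above: the token is random, the link expires after a short window, it can be redeemed only once, and only a hash of the token is stored server-side so that a leaked table of pending tokens does not double as a set of live login links. The login URL, e-mail addresses and ten-minute lifetime are constructed values for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 10 * 60  # constructed value: the link expires after a few minutes


class MagicLinkService:
    """Issues and redeems single-use, expiring magic-link tokens.

    Only a SHA-256 digest of each token is kept, so a leaked pending-token
    table cannot be replayed as working login links.
    """

    def __init__(self, base_url, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.base_url = base_url
        self.ttl = ttl
        self.now = now        # injectable clock so expiry can be tested
        self._pending = {}    # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh token for `email` and return the link to e-mail out."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self.now() + self.ttl)
        return f"{self.base_url}?{urlencode({'token': token})}"

    def redeem(self, token):
        """Return the e-mail for a valid token, or None. Each token works once."""
        # pop() deletes the record whether or not it is still valid, so the
        # same link cannot be retried after its first use.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if self.now() > expires_at:
            return None
        return email


def token_from_link(link):
    """Extract the token query parameter, as the login endpoint would."""
    return parse_qs(urlparse(link).query)["token"][0]
```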
Popular authentication provider Auth0 actually offers passwordless authentication, but you have to pay for it. There are other providers, but I haven’t used them before.
Is passwordless authentication secure?
Really, passwordless authentication is nothing more than an extension of the password reset model. The approach is the same: instead of resetting your password, the password is removed, and instead of a password reset link, it’s a login link.
Traditional password or not, you could argue that even though the attack vector for magic-link based passwordless authentication is the user’s email account, if someone’s email got hacked, the attacker could reset their password anyway (amongst other things).
There is always the chance that the email could be compromised on the application side, because email is rarely encrypted and is sent as plaintext that can easily be sniffed by someone in the middle. But you could argue the same for password reset links and signup confirmation emails.
Time and time again we hear about a new data breach every other week. A future in which passwords are taken out of the equation could mean hackers focus their efforts elsewhere instead of attempting to compromise databases in search of plaintext passwords or weak password hashing.
Going 100% password-free will obviously never be a viable option; your email account, for example, will always need a password. But having to remember only one strong password for your email is better than reusing one strong password for everything, or using weak passwords that are easy to guess and crack.
Admittedly, I still haven’t committed to passwordless authentication in my personal projects yet because of the time and cost required to do so. But, eventually, it’s a priority for me to make the transition and move over to passwordless wherever possible.