Passwordless login is touted as the future of authentication. Advocates point to greater security and an improved user experience as reasons why you should adopt it today.
This article will introduce you to passwordless authentication and explain the workings of the most common passwordless login methods. You'll also learn some of the shortcomings and challenges of passwordless authentication.
What Is Passwordless Authentication?
The term *passwordless authentication* describes verifying user identity without asking for a password. Most legacy systems require an input of a username and password before they can be accessed. This common approach is insecure and inconvenient when compared with modern alternatives.
Passwords are a common cause of cybersecurity issues because too few people take the time to create and store strong ones. Weak password phrases such as "123456", "qwerty," and "password" continue to dominate annual lists of the most common passwords. Passwords are an administrative burden, too: administrators need to handle reset requests, enforce strength constraints, and educate users on best practices.
Passwordless authentication has emerged against this backdrop. With passwords presenting so many problems, perhaps replacing them with a different solution is the best route forward.
The first thing to know is that "passwordless" doesn't mean "not secure"; although this method cuts out passwords, it installs a more secure mechanism. There are several ways to implement a passwordless system, from magic links sent via email to using a companion app on the user's phone. Major companies are committing to passwordless workflows, with Apple, Google, and Microsoft collaborating to improve cross-platform passwordless auth on the web.
Passwordless vs. Multi Factor Authentication
Multi-Factor authentication (MFA) and two-factor authentication (2FA) are adjacent topics that often feature in discussions about passwordless. Passwordless auth on its own neither implements nor replaces MFA. An MFA system requires users to verify themselves using multiple factors before they can log in.
Most password-based systems use the password as their first factor and a unique code generated by a TOTP app as their second.
Confusion can occur because the second factor—the TOTP code—is a form of passwordless auth. However, this MFA implementation is not passwordless because a password was requested as the first factor.
Passwordless and multi-factor auth can be combined for the greatest possible security. You could use the following login flow to implement such a system:
- Send a magic link to the user's email address.
- Clicking the link in the email acts as the first authentication factor.
- The link directs the user to a TOTP code input.
- Providing the correct code generated by a TOTP authentication app verifies the second factor.
The user now requires access to two independent verification sources, neither of which relies on a password. This is a passwordless MFA.
Implementing Passwordless Authentication
Implementing passwordless authentication is more involved than traditional password-based login flows. Verifying a password is usually a straightforward comparison of values. The whole flow can be completed in one exchange between the client application and your server.
By contrast, passwordless auth breaks the login procedure down into more steps. Take the common magic link method, where a unique URL is sent to your user's inbox: you'll need to generate the link, store it somewhere so you can retrieve it later, and then send the email. When the user arrives at the link's location, you must extract the token from the URL, check its validity, and start the user's authenticated session.
Because passwordless auth flows have more moving parts, you need to thoroughly test your implementation to prevent oversights from slipping in. Many teams avoid the hassle by integrating a third-party identity and authorization platform, such as Auth0/Okta, Microsoft's Azure AD, or Amazon's AWS Cognito. These solutions let you offload identity management and user login functions, so your service can seamlessly support multiple authentication methods.
Whichever approach you choose, you'll still need to decide on the passwordless login methods to offer to your users. Here are some of the most common options supported across major identity platforms:
One-Time Passwords (OTP)
Don't worry—a one-time password is a valid passwordless authentication method! This strategy describes using passwords that are generated automatically when the user logs in. You could create a new secure password sent via SMS or email or rely on a TOTP code from an authenticator app. Each value should only be valid for either a limited time or a single login attempt.
The idea here is to prevent passwords from being stored, eliminating the risk of users creating insecure passwords, and there's no need for password reset flows. The "password" becomes a simple implementation detail instead of an attribute against each user.
Magic Links
Magic links are one of the most popular passwordless auth methods. Major services such as Slack use magic links to protect their login systems. After you've entered your username, the service sends you an email that contains a unique link. Clicking the link will complete the login without asking for a password.
Magic links use your access to your email inbox as verification that you're the account holder. They provide a simple but not flawless user experience. Magic links require navigating between apps to complete your login, causing a context switch. Any delay in receiving the email can cause frustration because you'll be prevented from logging in while you wait.
Another drawback of magic links is their susceptibility to bot attacks. Attackers could try to guess valid URL tokens using a brute-force attack against your login endpoint. Fingerprint's automated bot detection system can protect against this threat.
Biometrics
Biometric authentication using fingerprints or face detection is one of the most convenient login methods, especially on mobile devices. Users have shown themselves keen to use their device's biometric capabilities.
Biometric auth is often the preferred approach when compatible hardware is available because it's popular, easy to use, and extremely hard to spoof. However, this technique can be less appropriate when you want users to sign in with the same technique across all their devices. This is because the biometric used and the appearance of its prompts will be hardware- and platform-dependent.
Push Notifications
Some systems verify login attempts by sending push notifications to a dedicated companion mobile app. Tapping the notification logs you in to the client you were using. Two examples are signing in to a Microsoft account using the Microsoft Authenticator app and confirming Google logins by tapping a prompt on an Android phone. This method allows you to verify that the user is logging in from known hardware.
Implementing push-based login can be more complex than other passwordless mechanisms. You'll need to integrate push support into your mobile app, establish a way for users to connect the app to their account, and then send push notifications to the device when a login attempt begins.
Users might be hesitant to install new apps, which could hinder the adoption of this approach. Push notifications are best when you already have a heavily used mobile app or can control which technologies people use, such as when an organization administrator manages devices.
Passwordless Authentication Challenges
Passwordless authentication isn't guaranteed to solve all your security issues. Effective implementation has a net positive impact on login protection but still carries trade-offs for security and user experience.
End User Pushback
Pushback can occur when users are unfamiliar with the technologies being used. The problems with passwords aren't widely recognized, so education about their limitations is important. Users are also likely to resist new alternatives that seem to be less convenient, so you must make passwordless flows as frictionless as possible.
Security Issues
Security issues remain a concern, and you'll need to devise procedures to address them. Take magic links as an example: if an attacker gains access to a user's email inbox, they could authenticate to your service. You'll need a way for your support staff to verify the actual user's identity when they try to reclaim access to their account.
Deployment Complexity and Cost
Both complexity and cost of deployment are usually higher than with a conventional password-based system. There are more steps to implement, test, and maintain. A third-party platform can help, but this will add costs and a new learning curve.
What about the Benefits of Passwordless Authentication?
Implementing passwordless auth brings new benefits for your users and system operators. From stronger security to enhanced ease of use, below are some reasons passwordless is gaining momentum.
Stronger Security Posture
The main objective of passwordless is to increase security. Removing passwords protects your service and its users from the dangers of weak and reused passwords. You're less susceptible to phishing attacks and don't need users to protect themselves, allowing you to analyze your security posture accurately.
Improved End User Experience
Strong passwordless implementation makes login flows smoother by letting users select the method that works best for them. Many users struggle with remembering passwords, so a link or code sent to their email could be a welcome change. Remember that everyone's needs are different, though—fast-moving users might be frustrated by context switching to an inbox, so offering an alternative such as biometrics is important.
Less Work for Admins (after Initial Deployment)
Passwordless flows present fewer day-to-day operational challenges. Users won't be requesting password resets, and you don't need to manage complexity requirements or regular rotations, freeing up administrators to focus on other aspects of the service.
No Centralized Password Store
The absence of a central database of passwords can make your service a less appealing target for attackers. Passwordless auth requires the attacker to access something that belongs to a target user—such as their email inbox or device—before they can log in to an account.
Conclusion
Passwordless authentication verifies user identities without relying on traditional password inputs. You could generate a one-time password, send a magic link, or rely on biometrics such as fingerprints and facial recognition. Requiring several of these factors for each login results in a passwordless MFA.
Passwordless methods increase security by preventing users from compromising themselves with weak passwords. Passwordless auth also reduces administration overheads by automating the entire login process. The higher initial development cost is offset by enhanced security and a reduced margin of user error. These characteristics mean passwordless isn't just the future of authentication but the emerging present, with [the adoption of the passwordless approach being heavily promoted by big tech.
Passwordless auth should be considered in the same context as user-protection measures like account takeover safeguards and anti-fraud detection. Accurately identifying malicious logins using a highly accurate device fingerprinting solution like Fingerprint is another way to keep users safe when an attacker bypasses your initial lines of defense.
For an identity solution that supports passwordless authentication, take a look at Zitadel.