If we all trusted each other, passwords wouldn’t exist. But some people claim to be a person they’re not and that’s a threat. Passwords have been used for centuries to help us prove that we are who we claim to be.
But passwords are problematic. They are hard to remember, and they don’t work well. Passwords can be guessed or leaked. B2C websites and apps realize this security threat and try to overcome it by requiring users to create complicated passwords and then replace them often. As a result, people reuse passwords across multiple websites and write them down, leaving themselves and the business vulnerable.
But today’s technology allows for better authentication, without passwords. It’s time to move on and join the cutting edge.
I’ve listed below the different types of passwordless authentication methods that exist in the market. These methods can stand alone or be part of a multi-factor authentication process (2FA or MFA).
Authentication based on real-time communication
This is a common password alternative. Since a username is typically the user’s email address or phone number, the website can authenticate by sending a communication to the user and asking them to respond. This is done in one of two ways:
● OTP (one-time password) – the system sends a code to the user’s email address or phone number asking them to type the code into a verification prompt on the website.
● Magic link – the website emails or texts a link through which the user can authenticate.
Pros and cons: While magic link takes the user to a new browser tab, OTP keeps the user on the same tab, which is less confusing in terms of the user journey. However, the biggest downside of both techniques relates to latency, or perceived latency. Many times communications arrive late, and therefore such services are associated with slowness. Moreover, when delays occur, users ask to send another email/SMS, sometimes multiple times. When the first message finally reaches the user, they click it and it fails to authenticate them since the code or link expired when they requested to resend.
Today, most people carry smartphones with them all the time, everywhere they go. Therefore, smartphones can be used as authentication tools. Authentication by smartphone can be done in three ways:
● Authenticator apps – this method requires the user to install a dedicated authentication app (most common are Google’s Authenticator and Microsoft’s Authenticator). The app generates a temporary code and the user is required to enter it on the device they’re trying to log in with.
● App offered by the same service – services that offer users their own native app can embed within the app authentication that will apply to other devices too and over the web. For example, Google enables users to log in to their Gmail account on their desktop browser by opening their Gmail app on their phone and tapping “Yes” when prompted to approve the desktop login attempt.
● Web-based phone authentication – this innovative approach utilizes the phone’s native lock mechanism (FaceID/TouchID/fingerprint). When users wish to sign in to a service on their phone, the phone’s lock mechanism initializes, validates the user, and signs them in. When the user browses their laptop or any other device, they can still use their phone to authenticate by scanning with their phone a QR code presented on the browsed device.
Pros and cons: In a way, phones have become extensions of our bodies. They’re convenient and almost always available and therefore can be used as authentication tools. Smartphone authentication is secure because it involves two factors: something the user has (the phone) and something the user is (biometric unlock). Often, the downside of this approach is the requirement to download an app and enroll in the service. Most B2C services aim to reduce friction and make the authentication process as quick and easy as possible. This problem is excluded in the 3rd option above where authentication is web-based and doesn’t require the user to download any app.
Biometric authentication technologies have been unsatisfactory for a very long time. In recent years this has been resolved. Most smartphones, and a growing number of laptops, include a biometric authentication mechanism that can be utilized to unlock not only the device but also the services that run on it. Until 2021, Apple enabled only native apps to utilize the biometric system. We’ve seen it in many banking apps for a few years already. However, only since last year, authentication mechanisms including Fido2 and WebAuthn were included on Apple and Android devices, enabling the browser to access the native biometric authentication mechanism. This presents a great opportunity for services that are web-based to easily let users authenticate with a quick biometric scan. Most Android phones also support Fido2 and WebAuthn. These technologies can be used in two ways:
● Device-specific Fido2/WebAuthn authentication – the typical implementation of this protocol is to enable users that created an account on a service (with a standard username and password) to go to the website’s “My account” page and register the device they are using as a biometric authentication alternative to their password.
● Cross-device biometric authentication – this method also uses the Fido2/WebAuthn protocol, but it always utilizes the user’s phone’s biometric authentication no matter which device they browse on. This is actually the same method described in bullet #3 under “Phone-based authentication” above.
Pros and cons: In general, a good biometric mechanism offers the best of both worlds – UX and security. In terms of UX, it’s easy and fast. In terms of security, it’s more secure than any of the other methods described in this article. The shortcoming of the device-specific method is that users cannot sign in biometrically on a device that doesn’t have biometric capabilities. In addition, the user needs to go through a process to register each device they use (else they’ll need to remember their password when they use a different device). That’s why cross-device biometric authentication is advantageous – it is based only on the phone’s biometric mechanism. The user can create an account without ever creating a password, only by identifying with their phone biometrics, and, later on, sign in to their account on any device using their phone’s biometrics (by scanning a QR code).
I present above 7 passwordless authentication methods that could be relevant for B2C websites. Such websites seek, first, to provide a state-of-the-art user experience since their business depends on that. Second, they aim to improve security, since cyber-attacks and identity theft are on the rise. I believe that passwords are soon going to be a thing of the past; they are a security threat and create friction for the user. The password was a great invention for its time (centuries ago), but with the technology we have today it’s time to go passwordless.