Is Passwordless Login More Secure? Why It’s Safe and Improves Security
We all know the weaknesses of passwords. They're difficult to choose, hard to remember, and ideally you should have a different one for each website. Password managers help but don't solve the problem completely. Moreover, even if you have a long and complicated password, you can only hope that it's properly hashed on the servers powering the websites you're logging into. Most data breaches these days happen due to weak or cracked passwords.
We assume that passwords are necessary, but are they really? They've been with us for a long time. Maybe it's time for something better? How about authentication with something other than a password? In this post, you'll learn about passwordless authentication and why it's more secure.
What Do You Mean, Passwordless?
First things first. Let's make it clear what passwordless actually means. We're not talking about authentication with just your email or username. That, of course, wouldn't be authentication at all and would allow anyone to log in to your account. By passwordless, we mean authentication with something other than a text-based password initially chosen by a user. You may have already used, for example, physical or virtual tokens or one-time passcode generators. How about fingerprint or retina scanners that are becoming increasingly popular, especially on mobile devices? Or magic links that are sent to your email address when you want to recover your account? These are usually used as two- or multi-factor authentication mechanisms when you use something on top of a regular password, but you get the idea. You can use something other than a regular old password.
Why Is Passwordless Better?
Now that we understand exactly what passwordless means, let's talk about why it's better. And we need to be clear here: passwordless is not unhackable. There are also methods to hack or bypass passwordless authentication, but they're much more difficult than cracking a password, especially if we compare passwordless authentication to the poor, short passwords that many users choose.
There are dozens of easy-to-use password-cracking tools that anyone can download. Common password lists are also easily accessible on the internet. Therefore, cracking passwords is an easy thing to do these days. Of course, that doesn't mean all passwords can be easily cracked. Still, the general rule applies: the longer and more complex the password, the longer it takes to crack. But take pretty much any website on the internet, and it's almost certain that a large percentage of its users will have chosen easy passwords.
With passwordless, the story is completely different.
No Passwords Means No Bad Passwords
Make no mistake: a good, long password using different kinds of characters is difficult to crack. So passwords are not bad per se. The problem with passwords is that users choose them. And most users, for simplicity, will choose an easy-to-remember password, which means it's also easy to crack. Passwords like "password" or "12345678" can be cracked in a matter of seconds. You can try to fight this by forcing users to include uppercase and lowercase letters plus at least one digit and one special character. But that doesn't really solve the problem, because you may end up with passwords like "Password1234!" which are equally easy to crack.
Therefore, by completely removing the need for a password chosen by a user, you remove the risk of having easy-to-crack passwords in your database. If you have biometric data or a one-time token generated by your system instead of a password selected by a user, it becomes much more difficult to crack. Biometric data is heavily randomized by design, whereas password cracking is mainly about guessing commonly used passwords. You can't really guess biometric data. You could try to brute-force it, meaning try every possible combination, but besides the fact that it would take years, you'd also need to know the data format, and that's not easy to find out either.
One-time tokens and magic links are even better because they have a very short lifespan. It may take weeks or months to crack a long auto-generated token, and each token can only be used once. Both of these methods are far superior to traditional passwords.
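The two properties just described, short lifespan and single use, are what a magic-link or one-time-token endpoint has to enforce server-side. The following is an added illustration, not code from the post or from any product it mentions; the 15-minute lifetime, the in-memory store standing in for a database table, and the URL layout are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a magic link is valid for 15 minutes

# Stands in for a database table: sha256(token) -> {"user_id", "expires_at"}.
# Only the hash is stored, so a leaked table cannot be replayed as live links.
_pending: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(user_id: str, base_url: str, now: Optional[float] = None) -> str:
    """Generate a single-use, time-limited login token and return the link to e-mail."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG: nothing for the user to choose or reuse.
    token = secrets.token_urlsafe(32)
    _pending[_hash_token(token)] = {"user_id": user_id, "expires_at": now + TOKEN_TTL_SECONDS}
    return f"{base_url}/auth/magic?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id for a valid token, consuming it; None if unknown, expired or reused."""
    now = time.time() if now is None else now
    # pop() makes redemption atomic for this store: a second call with the same
    # token finds nothing, which is the single-use guarantee.
    record = _pending.pop(_hash_token(token), None)
    if record is None:
        return None  # never issued, already used, or not this server's token
    if now > record["expires_at"]:
        return None  # lifespan exceeded; the entry is gone either way
    return record["user_id"]


def pending_count() -> int:
    """Number of unredeemed tokens; useful for monitoring issuance spikes."""
    return len(_pending)
```

Because the lookup key is a hash of a 256-bit random value, an attacker cannot guess a usable token, and a dump of the table yields only hashes that cannot be turned back into links.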
Passwordless Is Easier for Users
Passwordless authentication methods are also easier for users. As mentioned before, ideally users should use different passwords for different websites. And as we all know, for the majority of users, that's too much trouble, so they reuse the same password on many websites. That makes it easier for attackers and worse for you. Your system may be secure and your database well protected, but some other website may not be. And if a user uses the same password on your website as on that other, easy-to-hack website, an attacker won't need to hack your website at all. They'll just crack the user's password from the other website and try their luck logging in with the same password on yours.
With passwordless authentication, that won't happen. Users' biometric data will differ between websites even though their fingerprints (or retina) are the same. One-time passcodes or tokens will also be different (and short-lived). Therefore, passwordless authentication makes the whole internet way more secure without you having to convince users to take security seriously.
Passwordless Is Easier for You Too
Surprisingly enough, passwordless authentication is also easier from a company perspective. Sure, the initial setup or migration from existing password-based authentication can be complicated, but once you've done it, you'll have much less to worry about. Your security and infrastructure teams will have much less work regarding passwords. Setting password policies, generating reports, monitoring possibly hacked accounts, manually resetting passwords, and many other tasks to prevent password leaks—most or all of that will be gone.
Therefore, in the long run, it will unburden your IT departments. Also, depending on how your password reset policies are set up, maybe even your customer service will have less work to do when it comes to helping users who lost access to their accounts.
Summary
As you can see, passwordless authentication is far superior to password-based security. Why don't we see passwordless authentication everywhere, you ask? Well, the main reason is that it's a little bit more difficult to implement, and many websites were simply built before passwordless authentication was popular. It requires changes in the system, and that means time and cost. Especially for big platforms with millions of users, such a switch could require a fundamental change to the system. But since it's more secure and easier for users, hopefully, at some point in the future, it will be standard.
Fortunately, passwordless authentication is not something that you need to build from scratch and figure out on your own. You can take a look at a tool like OwnID for an easy, ready-to-implement solution. And if you want to learn more about passwordless, check our post about 7 Passwordless Approaches for B2C Websites.
This post was written by Dawid Ziolkowski. Dawid has 10 years of experience: as a Network/System Engineer at the beginning, DevOps in between, and a Cloud Native Engineer recently. He's worked for an IT outsourcing company, a research institute, a telco, a hosting company, and a consultancy company, so he's gathered a lot of knowledge from different perspectives. Nowadays he's helping companies move to the cloud and/or redesign their infrastructure for a more Cloud Native approach.