SECURITY

Passwordless Login

Passwordless login is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret.

This doesn’t mean that users are simply let into the site without any form of identity verification! With any type of passwordless login, users still have to prove that they are who they say they are with one or more forms of authentication, just not a password.

How does it work?

There are many types of passwordless login systems, each working a little differently. Essentially, any login process — including passwords — will rely on one of the following characteristics to verify a user’s identity:

Knowledge factors: A knowledge factor is, understandably, something that the user knows. Ideally, it’s something that only the user knows — meaning that unintended users are denied access when they don’t have the right credential. All password-based login systems utilize this method of authentication, although it’s the least secure of the three.
Possession factors: A possession factor allows users to verify their identities based on something they have — whether that’s a physical item like a key card or a digital asset like an email account. Using a possession factor as a password alternative works based on the idea that the intended user would be the only person with access to the predetermined asset, thus verifying the user’s identity in the process.
Inheritance factors: An inheritance factor, when used for authentication purposes, is a physical characteristic of a user that is unique to the individual. For example, each person has a one-of-a-kind fingerprint or iris that can be scanned to verify the user’s identity.

Passwordless login works by utilizing one or more of these factors to verify a user’s identity without a password. Every authentication method boils down to the user being able to prove that they are who they say they are to a digitized system that then decides whether to grant or deny access. In a perfect world, only the intended user would be able to get in. However, each one of these methods comes with its own set of drawbacks, meaning that no authentication factor is fool-proof. So how can we make sure to choose the right system for our website? Let’s take a look at some of the top-rated and highly secure options for passwordless login.

The main types of passwordless login

Passwordless Email Authentication

As the most promising passwordless authentication method, email-based systems verify a user’s identity using their email address and a complex encrypted key code. Let’s walk through the process:

The user is redirected to a protocol for authentication.
From a browser window, the user pushes the “Send Message” button: The button activates a mailto link, which generates a pre-written email for the user to send.
The user sends the email. Once the email is sent, the outgoing email server generates and embeds a 1024/2048 bit, fully encrypted digital key into the header of the email. The authentication server follows the public key cryptographic procedure to decrypt this key. Each email sent receives a unique key for that message. The level of security for these encrypted keys is beyond comparison to traditional passwords.
The user is logged into their account: When the key decrypts and passes all layers of verification, the authentication server directs the website to open the user’s account and begin a session.

Passwordless email authentication methods are already becoming popular in certain contexts. One great example: nonprofit pledge giving tools. Nonprofit donations sit at the intersection between the need for tight security and the need for flawless user experience. These tools are quickly expanding to reach other contexts as well, including businesses and organizations of all shapes and sizes. Email-based authentication tools work via a concept of encrypted keys, so they’re often the fastest way for websites to get started with these innovative login techniques. Plus, almost everyone already has an email account to use!

Social Sign-In Authentication

Social sign-in and email authentication operate on similar concepts. With email-based systems, a user’s personal email address is associated with a unique encrypted key as it’s processed through layers of security. With social sign-in, a comparable process occurs through the user’s social media account. This means it verifies your permissions to view content, make posts, etc. each time you begin a new action. By checking the token’s signature against its security algorithm, the site can effectively verify users’ identity for multiple actions and subdomains, greatly reducing login friction along the way.

Social sign-in authentication is extremely efficient and flexible, but it can be tricky for some sites to implement. Not all users will come to your site ready with a social media profile in hand. Many users will be worry about sharing their sensitive data with a tech giant.

Biometric Authentication

Growing in popularity is the fingerprint, face, and iris-scanning authentication (biometrics). You might already use a fingerprint or face scanner on your smartphone and probably don’t think of them in exactly these terms, but they’re a form of passwordless login that the general public is quite familiar with. The concept is simple; for fingerprint authentication, users press their thumbs on their phone’s fingerprint reader to authorize payments or gain access to their accounts. While this technique is intuitive and can completely streamline the login process to its core, it does come with some challenges. Namely, accessing technology with a fingerprint reader can be costly for your users, and the technology is less cost-effective for businesses and nonprofits.

Additionally, these technologies have also already been proven to be less secure than expected. For instance, the tiny fingerprint readers in a smartphone can only register parts of a user’s fingerprint. The odds of another person’s finger matching that part of your own print are surprisingly high. Some hackers have created a “master fingerprint” that can bypass nearly any fingerprint scanner. Biometrics are developing fast, though. A passwordless login system that makes use of encrypted email authentication and a truly secure biometric could completely change the ways in which we engage with the internet via multi-factor authentication.