
Get rid of your password, seriously!

By Kudzie | Infosec | 31 May 2020


The only people who love passwords are hackers, because passwords are easy for hackers to guess and hard for humans to remember. Passwords are the weakest link. 81% of breaches are due to a weak or stolen password.

Recently I downloaded the Medium mobile app and instead of a password, it sent a link to my email. Clicking on that link logged me into the app. It got me curious and I dived into passwordless authentication.


What is passwordless authentication?


Simply put, passwordless systems are tools that websites or apps can implement so that their users do not have to log in using a password. For instance, when logging in to the Medium mobile app, a link is sent to my email. That link acts as a login token. It can be other things, such as a fingerprint or a PIN. I personally have been using a PIN on Windows 10 ever since the feature became available.


How does it work?


Passwordless Email Authentication
This is when a link is sent to your email that contains a complex encrypted key code and your email address.

[Figure: Passwordless email authentication]


Code through email
Instead of a link sent to your email, a one-time code is generated. This one-time code can be valid for one session only or expire within a certain time frame. The session starts when the user retrieves the code and enters it into the app or website.
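
The emailed login link and the expiring, one-time code described above can be sketched as follows. This is an added example, not code from the article or from Medium; it assumes the key code is a random value authenticated with HMAC-SHA256 rather than encrypted, and SERVER_KEY, LINK_TTL, BASE_URL, issue_link and verify_link are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = secrets.token_bytes(32)    # assumption: secret known only to the service
LINK_TTL = 600                          # assumption: a link expires after 10 minutes
BASE_URL = "https://app.example/login"  # placeholder URL
_pending = set()                        # key codes issued and not yet redeemed


def _sign(email, expires, nonce):
    # JSON keeps the three fields unambiguous inside the signed message.
    msg = json.dumps([email, expires, nonce]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(email, now=None):
    """Build the login link that would be emailed to the user."""
    now = int(time.time() if now is None else now)
    expires = now + LINK_TTL
    nonce = secrets.token_urlsafe(32)   # the unguessable key code
    _pending.add(nonce)
    query = urlencode({"email": email, "exp": expires, "nonce": nonce,
                       "sig": _sign(email, expires, nonce)})
    return f"{BASE_URL}?{query}"


def verify_link(url, now=None):
    """Return the email address to log in, or None if the link is rejected."""
    now = int(time.time() if now is None else now)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        email, expires, nonce, sig = q["email"], int(q["exp"]), q["nonce"], q["sig"]
    except (KeyError, ValueError):
        return None                     # a required field is missing or malformed
    if not hmac.compare_digest(sig.encode(), _sign(email, expires, nonce).encode()):
        return None                     # email, expiry or key code was altered
    if now > expires:
        return None                     # link is past its time frame
    if nonce not in _pending:
        return None                     # link was already used
    _pending.discard(nonce)             # redeem: the link works exactly once
    return email
```

A real service would keep the pending key codes in a shared store with their own expiry instead of an in-memory set.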


Code through SMS
It is the same process as code through email but the one-time code is sent via SMS.


Pairing secondary device (compatible phone or smartwatch)
This is done with a secondary device paired with your account. This allows you to approve or deny login requests. You get a push notification that allows you to log in at the swipe of a finger.

 

How can I start using it?


For certain accounts such as Medium, it comes as standard, but for the majority of accounts it has to be enabled in the settings menu. Go to your account settings page and, under security, enable the option for MFA (multi-factor authentication) or 2FA. The specifics differ for every account. The help pages of the service or website can show you how to enable it.

Benefits of using passwordless authentication


1. You do not have to remember long and complicated passwords. Over 50% of users reuse passwords for multiple accounts, both work and personal.
2. For the enterprise, it means less time is wasted on resetting passwords for users.
3. Possibly quicker sign-in, depending on the method used.
4. Users do not have to worry that a provider stored their password in plain text if the provider is hacked.


Passwordless logins will take time to become mainstream. Google has announced that devices running Android 7 and later versions will support passwordless login. In the meantime, use a password manager to manage and generate your passwords.

 
