Passkeys are better with Passage! Check out our demo.

Intro to Passwordless

Anna Pobletts
June 15, 2022

Passwords are like cockroaches. Everyone hates them, but they seem impossible to get rid of. The last few years have led many to hope for a “passwordless” future, yet most of our online experiences still require those pesky secrets. Passwordless takes many forms, but not all passwordless is created equal. Passwordless login options provide solutions for many of the security problems with passwords, but they often come with their own risks and with a less-than-stellar experience for end users. Let’s take a look at some common forms of passwordless.

Magic Links

Magic links work by generating long, random, one-time passwords on the server and sending them to the user, usually via email or text message. These message will contain a link that looks something like this:

https://example.com/authenticate?token=<one-time-password>

When this link is clicked, the server verifies the token and the user is granted access to the application.

Pros:

  • No long term secrets stored on server, which reduces the risk of server-side credential dumps.
  • One time passwords can’t be replayed.

Cons:

  • Slow logins due to switching context between browser and email or phone.
  • Reliant on the security of a user’s email (which is often a password).

One-time Codes

One-time codes are very similar to magic links, but instead of the user receiving a link to click in their email, they receive a code - usually between 4 and 8 characters long. To complete the login, the user types the code into the website, which is then verified on the server.

Pros:

  • No long term secrets stored on server, which reduces the risk of server-side credential dumps.
  • One time codes can’t be replayed.

Cons:

  • Slow logins due to switching context between browser and email or phone.
  • Reliant on the security of a user’s email (which is often a password).
  • Shorter than a magic link, which makes it easier to brute-force.

Biometrics

There are several different flavors of biometrics and this term is often overloaded. We will discuss a few different ones here.

First, there is behavioral biometrics, which verifies a user based on behavioral traits like typing or mouse dynamics . There are lots of different traits that can be used here depending on the device

Behavior biometrics are passive, because they do not require the user to interact with system in a specific way to authenticate (e.g. click a button). At the current time, there are still some reliability issues, since people may behave different under different circumstances, but it is a promising technology. It is often used in conjunction with other forms of login to assist with fraud detection and request additional factors when necessary (read more on adaptive MFA).

Next, there is physical biometrics, which verifies a user based on physical traits like their face shape, fingerprint, or retina. This is the type of biometrics that most people think of and the type you see in movies. There is a scanner that collects your biometrics information and sends it to the web server for verification.

Physical biometrics is a very strong method of authentication, very difficult to fake, and can tie a person’s physical identity to their digital identity. The main downside is that these types of biometrics typically require specific hardware or sensors that are not accessible to regular people on a laptop or smartphone. It is also seen as a privacy concern because of the biometrics data that would need to be stored by websites.

Lastly, there is device-native biometrics, which encompasses technologies like Face ID, Touch ID, Windows Hello, and the Android fingerprint reader. When uses these types of biometrics to log in to a website, the user must do the biometrics (or device PIN) to prove they own the device. Then the device handles the authentication to the server using public key cryptography.

There are a few advantages to this type of biometrics. First, it is much more accessible to regular people. All new smartphone and most new laptops come with this technology built in, which makes it conducive to a fast and simple login flow. Additionally, the biometric step occurs on the device, not the server, so there is not chance of your face or fingerprint data being stolen from a web server.

Passwordless at Passage

At Passage, we believe the future is in device-native biometrics. While there are pros and cons to all of these options, the streamlined and familiar login flow for users coupled with great security properties is the best case scenario for many consumer web applications.

Learn more about how Passage is making device-native biometrics at our website or reach out to chat at hello@passage.id.