What Are Passwordless Logins? Are They Actually Secure?
Passwords are vital to your internet security. But with so many services, both online and offline, keeping track of your passwords is difficult. Passwordless login systems are starting to take off, removing the requirement to input a password each time you log in to a service.
But if you’re not using a password, how do you secure your account? What are passwordless logins and are they secure?
What Is a Passwordless Login?
Passwordless logins are authentication systems that use something other than a password to grant access to your account. For instance, instead of typing a password, you receive an email containing a single-use login link. Alternatively, you might receive a pop-up on your smartphone asking you to approve or deny the login.
In other words, passwordless login usually relies on something you already control, such as your email inbox or your phone, to prove your identity.
You might have already encountered passwordless logins using your Gmail account. Instead of having to enter your password each time you log in, Google can send a prompt directly to your phone. The prompt shows the time and location of the login attempt, with the option to approve or deny the login.
How Does a Passwordless Login Work?
When you log into a website, you must provide a password to unlock your account. The password is a shared secret: only you and the site are supposed to know it, and that is what keeps the account secure. You trust the site to store your password safely (as a salted hash rather than in plain text) and to not be compromised itself.
Also, you definitely already use strong, unique passwords for each site and service, because that is the most secure practice.
However, it is the last of these that has become difficult. Asked to create a strong, unique password for every site, many users instead create passwords that are easy to remember but easy to guess. And even if you do create a strong password, a glance at the number of data breaches each month shows that the site's security, not yours, is often the weak point.
With passwordless authentication, you no longer have to trust the website with a password. Instead of typing one each time, passwordless logins rely on one of a few different authentication methods.
Email-Based Passwordless Authentication
The most common passwordless login system is currently email. Many users will find it the most familiar, since it works much like a password reset.
When you attempt to log in, you provide your email address. The service sends an email to the address associated with the account, and the email contains a single-use "magic link". The link carries a unique, high-entropy login token; when you click it, the service verifies the token, invalidates it, and exchanges it for a longer-lived session token (typically a cookie). The security of the whole scheme therefore rests on the security of your inbox: anyone who can read your email can log in as you.
Some services use a variant: instead of a link, the email contains a short single-use code tied to the pending login. The user enters the code on the site, which verifies it and completes the login. Because such codes are short, the service must expire them quickly and limit the number of guesses.
SMS-Based Passwordless Login
In this case, the user enters a valid phone number. The service sends a single-use code to that number by SMS, and the user enters it to log in. Alternatively, some services offer to "robo-call" the user, with a text-to-speech voice reading the code aloud.
SMS security is under scrutiny, however. SMS messages are not encrypted end to end, can be intercepted through weaknesses in carrier networks, and, most commonly, can be redirected by a SIM-swapping attack, in which an attacker persuades the carrier to move your number onto their SIM. Most of us are unlikely to be targeted this way, but several high-net-worth individuals (especially holders of large amounts of cryptocurrency) have lost accounts to SIM swapping, and NIST's digital identity guidelines classify SMS codes as a "restricted" authenticator for this reason.
Biometric-Based Passwordless Login
Some passwordless login methods use biometrics to authenticate your identity, and biometric sensors are featuring on more devices than ever.
The idea is that when you want to access a site, a prompt appears on your smartphone. You unlock the phone with your preferred biometric, and that unlock completes the login. In well-designed systems the biometric itself never leaves the device: it only unlocks a cryptographic key stored on the phone, and it is that key, not your face or fingerprint, that proves your identity to the site.
However, aside from Apple's Face ID (available on the iPhone X and later, and on the 2018 iPad Pro and later), mobile face recognition isn't entirely secure.
Face recognition on some other manufacturers' phones relies on the ordinary camera and has been tricked with a photograph, whereas Face ID projects an infrared depth map, so a flat image cannot defeat it. Some fingerprint sensors, meanwhile, only need to match part of a stored print, which makes a false match more likely than with a full-print comparison.
At the current time, a biometric passwordless login system probably isn’t the best option. In the future, however, it could become the best option.
Physical Key Passwordless Login
Physical security keys offer another passwordless option. A security key is a small hardware token, usually connecting over USB, NFC or Bluetooth, that holds a private key which never leaves the device. When you register the key with a service, the service stores the matching public key. When you log in, you plug in or tap the key; the service sends a random challenge, the key signs it together with the website's identity, and the service checks the signature against the stored public key. Because the signature is bound to the genuine site, a phishing site cannot reuse it, which makes security keys far more phishing-resistant than emailed links or SMS codes.
Prime examples of physical security keys include Google's Titan series and Yubico's YubiKey series.
Are Passwordless Logins Like Two-Factor Authentication?
Yes and no.
Yes, a passwordless login is similar to two-factor authentication (2FA) in that you access your account using an authentication method other than a password. 2FA works by securing your account with two separate factors, usually something you know (a password) and something you have (a separate device).
No, it isn't the same, because a magic link or SMS code on its own is still only a single factor: whoever controls the inbox or the phone number controls the account. Some passwordless methods do combine factors in one step, for instance a security key (something you have) that also requires a PIN or fingerprint (something you know or are) before it will sign a login, but an emailed link by itself does not.
Is a Passwordless Login More Secure?
Anything that stops users creating terrible passwords is good, right? Passwordless logins remove one point of failure from the end user: there is no password to guess, reuse or phish. At the time of writing, passwordless logins are not widespread, though several major services offer them, such as Google's sign-in prompts for Gmail (as mentioned above) and Slack Magic Links.
The biggest positive for website owners and administrators is that they no longer have to store and protect user passwords. A table of passwords kept in plain text, or hashed with a weak algorithm, is the stuff of nightmares for an administrator and the stuff of dreams for an attacker. Users who rarely visit a service wouldn't have to go through the "reset your password" rigmarole either. The trade-off is that the service now depends on the security of the user's email provider or mobile carrier instead.
Passwordless logins can also help users sign in quickly. Conversely, if you are regularly signed out of a service, having to re-authorize via email or SMS every time may become irritating, depending on how long sessions last.
For Now, Use a Password Manager
Passwordless logins will take time to become mainstream. The ball is rolling, though. At the time of writing, most major browsers (all but Safari) support the WebAuthn standard for passwordless login. In February 2019, Google also announced that devices running Android 7 (that's Android Nougat) or later are FIDO2 certified, meaning they can act as authenticators for passwordless login.
That covers nearly 50 percent of all Android devices. And the FIDO2 standards (WebAuthn for the browser API and CTAP for talking to security keys) will continue to receive updates, further strengthening the method.
At the time of writing, you still need a password for most services. Make it a strong, unique one for each site. With that in mind, why not consider using a password manager?