What is Passwordless Authentication?
Passwordless is a modern authentication method that cybersecurity professionals implement in their systems to help users authenticate more easily. By leveraging the Passwordless authentication strategy, a system lets end users gain access to sensitive resources without having to type passwords. (Hence the name of the authentication solution.) Instead, this system will ask users to use a different authentication factor to verify their identity. Popular types of authentication factors used by Passwordless implementations involve inheritance factors and possession factors.
Authentication with inheritance factors generally occurs through biometric verification of the user, for example retina or fingerprint scanning.
In the case of possession factors, identity verification commonly happens by sending single-use login codes, either to the user’s email address, or mobile phone in an SMS text. Alternatively, an email may be sent containing a “magic link” through which the user may login. A magic link is a unique, single use URL, built by the application as part of the Passwordless authentication flow. This magic link URL, when opened in a browser, will log the user into the desired service and then vanish.
In the case where the system provides a Passwordless flow based on magic links, users will receive these links in their email and may login with a single click. If the system leverages single use codes sent via SMS or email, users will, instead, have to type these codes, received on their mobile devices or in their email, into the browser.
No matter which approach application developers decide to use, when compared to the password-based authentication process, one characteristic that is improved when implementing Passwordless is security. This aspect of the access management is enhanced because, instead of reusing the same password for different sites and services (unfortunately, human beings do have this bad habit), the system will rely on an artifact that is unique each time they login.
Traditional password authentication is susceptible to a number of attack vectors, such as data breaches exposing user account credentials, password stuffing, credential theft by malware, phishing, etc.
However, using single-use codes or magic links, with the option of limiting the lifetime of these with expiry times, makes Passwordless authentication largely immune to the threats noted above. In this way, the attack surface of the applications implementing this solution becomes smaller.
In addition, Passwordless authentication removes the requirement for supporting password reset, a significant advantage, as password reset schemes are often the weakest link in the security of a system. Neither application developers need to care about implementing password reset, nor will users have to worry about forgetting passwords. (Forgetting passwords is prevalent when users only infrequently enter a password to a site, e.g. when users utilize a browser to autofill login passwords, but then have to use a different browser or device.) In avoiding help desk calls concerning lost passwords, your help desk and the IT staff will be less busy and will be able to focus on other important matters instead of having to deal with password reset activities.
Another benefit introduced by the Passwordless authentication strategy is that it provides an improved user experience. This benefit is more evident when users are on their mobile devices rather than on their computers. Since these devices are usually already signed in to their email accounts (and are also capable of receiving SMS codes), users rely on the notification feature of these devices to sign in instantly. Even if they mute these notifications, the mobile app needed to get access to these one-time artifacts (their email client apps or the app that shows SMS messages) is just a couple of taps away, promoting ease of use.
One caveat to Passwordless authentication is the use of magic links: because the emails involved look similar to phishing emails, users may be reluctant to click on the link or the email may even be filtered out by an email client as being suspicious.
Passwordless vs. Multi-factor Authentication
If you are familiar with multi-factor authentication (MFA) or two-factor authentication (2FA), you may have noticed that the authentication strategy that Passwordless implements is very similar to some of these; specifically, the multi-factor authentication schemes that deliver single-use codes, used as the authentication factor, via email or SMS text.
Multi-factor authentication uses multiple, different, factors, such as something you know (e.g. a password), something you possess (a mobile phone that receives a one-time authentication code) or something you are (e.g. your fingerprint). Passwordless involves a single factor – something you possess.
The security of these strategies is somewhat similar because they typically depend on non-traditional factors like proof of possession or inheritance. Because passwords are no longer relied on in both strategies, the range of attack vectors available to cybercriminals is reduced. Even so, it can be argued that multi-factor authentication has the edge in security, because a wider range of strong authentication methods may be used, outside of those relying on SMS and email delivery.
Implementing Passwordless with Auth0
Just like many other authorization and authentication systems out there, Auth0 ships the Passwordless authentication strategy in its core. That is, if you are using Auth0 to secure your applications and APIs, implementing Passwordless becomes a breeze. To implement it, you will need to do three things.
First, you will have to set up the Passwordless connection. This step consists of either configuring the email server and address that you want to use, or entering the credentials for the SMS gateway that will send the one-time code to your users.
After that, you will have to configure the login page to work with Passwordless. There are two alternatives for this step. Either you will use Auth0's Universal Login Page, or you will use the embedded option. The former alternative (i.e., the Universal Login Page) is more secure than the embedded one.
Lastly, you will have to integrate your application with Auth0 (if you haven't done so yet). The details on how to do this integration depend mainly on what type of application you are developing and what technologies you are using. To learn how to secure your apps with Auth0, the QuickStarts resources are the best references.