The Problem with Passwordless Authentication
June 7, 2017
Passwordless authentication is quickly gaining traction in the development community. With millions of username/password combinations continuously being hacked and made publicly available, many have started to argue the need for a passwordless world. While advocates use the classic "reset email" process to illustrate the viability of such authentication, it may not be time to give up on passwords just yet. In this article, we examine both the arguments for and against passwordless authentication as well as the future possibility of making the password "obsolete".
The argument for passwordless authentication
Since the dawn of the internet, passwords have posed an increasing risk to web security. Not only have end users been notoriously bad at generating adequately secure passwords, they also tend to use the same passwords for multiple accounts. This means when hackers gain access to one username/password combo, they can potentially gain access to all of them.
We hear all the time about how millions of social media accounts are hacked and made publicly available online. While users have traditionally protected themselves by resetting passwords with craftier phrases, the threat is still out there. This has led to a gradual adoption of "passwordless authentication" where users authenticate through email or SMS.
How passwordless authentication works
The idea of passwordless authentication is very similar to that of a password reset through email. If you've ever had to reset your password for one of your social media accounts, then you've already gotten a taste of passwordless authentication.
More specifically, passwordless authentication works by sending a secure link to your inbox. After securely logging into your email account and clicking the link, you are redirected back to the application. Typically this redirect URL fires off a backend process which saves a secure token to the database and indicates that you are securely logged in. If your session ever expires, you simply request another link to reverify yourself, so you essentially log in from your inbox.
Are passwords obsolete?
This approach completely removes the need for passwords and relies entirely on a secured device or account to authenticate users. By effectively piggybacking off an already secured device (such as with SMS authentication sent to a mobile device) or account (Gmail), apps can achieve "passwordless" authentication.
The problem with passwordless authentication
While many advocate for a passwordless world, it may not be time to give up on passwords just yet. Skeptics are quick to point out a few key issues with this strategy which are laid out in more detail below.
No escaping passwords
Even though the passwordless authentication strategy may work for your app, you may still ultimately rely on the user having a password somewhere else. The email example is a perfect illustration of this. While you may be able to authenticate through your Gmail account, you still need the password to log into your email! Additionally, if a hacker gets access to your email account, it is just as effectively a "one stop shop" as relying on the same username/password combo for multiple accounts. At the end of the day, a password is still needed somewhere to authenticate and this password can still be hacked.
Brute force attacks
Hackers can execute brute force attacks to ultimately guess user credentials. With traditional username/password authentication, it's recommended that failed authentication messages are kept vague to end users. For example, if a user enters an incorrect password, it's best practice to return "Username/Password incorrect" versus "Incorrect password". This gives attackers less information and makes it harder for them to pinpoint why a brute force attack isn't working.
But what if there are no passwords? If a hacker continuously tries to log in with email accounts, they can quickly figure out which emails are working and which aren't. Additionally, for each valid email they try, an email will be sent to the end user. Not only will this flood inboxes, it also results in fewer pieces to the puzzle as attackers no longer have to worry about guessing passwords AND usernames.
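A defensive sketch for the two issues raised above, account enumeration and inbox flooding, added here as an example rather than taken from the original article. The account set, the limits, the reply text and the function name are assumptions.

```python
import time

KNOWN_USERS = {"alice@example.com"}   # constructed sample account store
MAX_LINKS_PER_WINDOW = 3              # assumed limits
WINDOW_SECONDS = 15 * 60
GENERIC_REPLY = "If that address has an account, a login link is on its way."

_recent_requests = {}   # email -> timestamps of recent link requests
outbox = []             # stand-in for the outgoing mail queue


def request_login_link(email, now=None):
    """Handle a 'send me a link' request without revealing whether the account exists."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Throttle by submitted address, registered or not, so behaviour stays uniform.
    history = [t for t in _recent_requests.get(email, []) if now - t < WINDOW_SECONDS]
    allowed = len(history) < MAX_LINKS_PER_WINDOW
    if allowed:
        history.append(now)
    _recent_requests[email] = history
    if allowed and email in KNOWN_USERS:
        outbox.append(email)   # real code would enqueue the e-mail here
    # Same reply for valid, invalid and throttled requests: nothing to enumerate.
    return GENERIC_REPLY
```

Queueing the e-mail for asynchronous delivery keeps response time the same for registered and unregistered addresses.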
Shifting the security vulnerability
While passwordless authentication leverages the use of email or SMS to safely authenticate users, these mediums have their own vulnerabilities. SMS is a largely outdated protocol from a security standpoint. Likewise, emails have their vulnerabilities and can be hacked almost as easily as regular username/password accounts. In this sense, passwordless authentication doesn't necessarily make things more secure. Rather, it simply shifts the security vulnerability onto the devices/accounts that are being used for authentication.
This is not to say that passwordless authentication is LESS secure than the alternative. There are lots of advantages to using passwordless authentication since it's ultimately doing the same thing as a traditional password reset. While it removes the headaches experienced with poorly set passwords, there may be a reason why tech giants like Facebook and Twitter still require a password today...