
What is Passwordless Authentication and How to Implement it

Joseph Gordon-Levitt
2025-02-10 12:38:14

Say goodbye to the age of passwords! Security and convenience of password-free authentication


Core points:

  • Passwordless authentication is a user management method that verifies a user's identity through ownership or inherent factors, such as biometrics, rather than through knowledge-based factors such as passwords. Common passwordless methods include one-time verification codes, magic links, biometric logins, smart cards, and digital certificates.
  • Passwordless authentication has significant advantages in security and user experience. It reduces the risk of phishing and password theft, reduces credential reuse, frees users from remembering many passwords, and speeds up login. Passwordless authentication is expected to surpass password use by 2027.
  • While passwordless authentication has many advantages, it also has limitations, such as an unfamiliar user experience, the risk of a stolen device or a SIM-swap attack, and the fact that biometric security is not perfect. It is recommended to use multi-factor authentication (MFA) wherever possible for enhanced security.
  • Implementing passwordless authentication on a website or application can be done through a user management solution or an authentication service provider. This article provides a step-by-step guide on how to integrate a passwordless approach using a provider called Frontegg.

Passwordless authentication is a user management method in which users can log into the system or application without a password or key. It verifies the user's identity through ownership factors such as email accounts or inherent factors such as facial recognition, rather than using knowledge-based factors such as passwords.

This article was created in collaboration with Frontegg. Thank you for supporting the partners who made SitePoint possible.

Many authentication methods are used as alternatives to passwords:

  • One-time verification code (OTC)
  • Magic link
  • Biometric Login (fingerprint, Face ID, voice recognition)
  • Smart card or physical token
  • Digital Certificate


Popularity of password-free authentication

You may have used "Passwordless Authentication" without knowing it. Many banking applications use fingerprint and voice recognition to verify users. Slack is known for using magic links to verify users.

The use of passwordless authentication has grown steadily over the past few years. Auth0, an authentication provider, predicts that passwordless authentication will surpass password use in 2027. Gartner predicts that by 2022, “60% of large and global businesses and 90% of medium-sized businesses will implement a passwordless approach in more than 50% of use cases – up from 5% in 2018.”

The Internet giants are also doing their best to accelerate the adoption of this technology. On World Password Day 2022, Google, Microsoft and Apple announced plans to expand their support for a common passwordless sign-in standard.

In June 2022, Apple announced its new "passkeys" feature for logging in to websites and applications. In practice this means Apple uses Touch ID or Face ID to create a digital key for the site, which eliminates the need to create and type passwords.

Advantages of password-free authentication

Passwordless authentication provides security and user experience advantages:

  1. Reduced risk of phishing and password theft: Users are no longer exposed to phishing attacks in which they are taken to a fake website and enter their login credentials. If users never enter a password, they are also not affected by brute-force attacks, password data breaches, and other forms of credential theft.
  2. Reduced credential reuse: Reusing passwords across multiple services and accounts poses greater risks to users and to your system, and you cannot prevent it. One report found that 64% of users reuse a password exposed in one breach for other accounts.
  3. No need to remember passwords: Your users do not need to remember usernames and passwords for numerous accounts. Sometimes, after multiple login failures, they have to reset their passwords again and again.
  4. Faster login speed: We are all very busy. It is recommended that a strong password is at least 16 characters long, and it takes a long time to enter a strong password compared to scanning a fingerprint or opening a magic link.

Limitations of Password-free Authentication

Passwordless authentication is not perfect, and it also has some limitations from a security and experience perspective.

  • Unfamiliar user experience: Many people are used to typing or auto-filling passwords. Switching to magic links or one-time verification codes can be jarring for users.
  • Risk of a stolen device or SIM swap: Sending a one-time verification code via text message can leave your users vulnerable when their phone is stolen or when they fall victim to a SIM-swap scam.
  • Biometric security is not perfect: Fingerprint scanners, Touch ID and Face ID have all been successfully defeated over the years.

Relying on any single factor for authentication (with or without a password) can bring some risk. We recommend using multi-factor authentication (MFA) as much as possible.

Is password-free authentication secure?

Yes, password-free authentication is considered secure, but it is not entirely risk-free. Accounts without passwords don't have to worry about passwords falling into the hands of malicious people. This could happen through data breaches, brute force attacks, loss of devices or misplaced post-it notes.

Many of the risks associated with passwordless authentication apply to other methods as well.

If hackers have access to your email account and you are using magic links for passwordless authentication, they will be able to log in easily. However, this risk is the same if you use a regular password: the malicious actor simply needs to click "Reset Password" and have the reset link sent to that same email address.

Lastly, like any other system, passwordless authentication systems are vulnerable to direct attacks that undermine or circumvent their security measures. No matter what precautions you take, the system that stores and verifies your credentials will never be completely secure.

Fingerprint verification and other biometric factors are harder to spoof, though not impossible, and provide a very safe way to authenticate yourself.

Passwordless authentication and multi-factor authentication (MFA)

Multifactor authentication is a way to use multiple authentication factors when logging in. A very common example of this situation is when you log in to your account with a username and password, you will then receive a 6-digit one-time verification code (OTC) to confirm ownership of your device.

In this example, the OTC factor is passwordless. If instead you use a fingerprint plus a one-time verification code, you have a completely passwordless MFA setup.

How to implement passwordless authentication on your website

It is easier than ever to integrate passwordless authentication into your application or website. Depending on your existing infrastructure, you now have many options:

  • User Management Solutions: These providers offer fully managed services that not only provide traditional and password-free authentication, but also user management and permission management.

    • When to use: New system builds, startups and teams looking to avoid all low-value and high-risk development efforts.
    • When not to use: If you have a very customized set of authentication or user management requirements, these requirements may not be suitable for their system.
    • Providers: Frontegg, Okta/Auth0, FusionAuth, Trusona, AppWrite
  • Authentication Service Providers: These services provide user authentication, access management, and other services such as session management.

    • When to use: You have an existing user management service and want someone to handle passwords and authentication.
    • When not to use: You have limited development experience or resources. If you have a simple identity and access management model, you may want to consider the fully managed solution mentioned above.
    • Providers: AWS Cognito, Google Identity Platform, Microsoft Azure AD

Passwordless Authentication with React – Quick Tutorial

To demonstrate how easy it is to introduce a passwordless approach to your users, we will take you through a 5-minute tutorial using a provider called Frontegg, a self-service end-to-end user management platform that, alongside its other user management functions, offers several passwordless login methods.

Building login and authentication services is time-consuming and does not add value to the user process, but if you do something wrong, it can cause damage. As services that provide authentication become better and cheaper, there isn't much reason to build your own password verification system for your application.

  1. Create your free Frontegg account

Create your Frontegg account through their website. Be sure to choose a magic code or magic link as your passwordless option when getting started!

What is Passwordless Authentication and How to Implement it

  2. Start the integration process

After you complete the creation of the login box and select the passwordless method, you will see a "Publish to Development" option.

Frontegg uses environments (Development, Quality Assurance, Staging, Production); each environment has its own unique subdomain, keys, and URLs for your authentication setup.

You will now be taken to a page with some sample code and, more importantly, your baseURL and clientID. Please keep this page open and go to your IDE to proceed to the next step.

  3. Create React application (skip this step if you already have your own application)

Type the following command in your terminal to create a new React application and navigate to a new directory.

```shell
npx create-react-app app-with-frontegg
cd app-with-frontegg
```
  4. Install and import Frontegg

Run the following command to install the Frontegg React library and react-router. If react-router is already installed in your application, you can skip the installation.

```shell
npm install @frontegg/react react-router-dom
```
  5. Configure login settings

In the src/index.js file, add the following code. Then go back to your Frontegg page and find baseUrl and clientID from the code example.

Note: After completing this introductory process, these values can always be found in the Management section of your workspace.

```javascript
import React from 'react';
import ReactDOM from 'react-dom'; // For React 17
// For React 18: import ReactDOM from 'react-dom/client';
import App from './App';
import './index.css';

import { FronteggProvider } from '@frontegg/react';

// Copy these two values from the code sample on your Frontegg
// "Publish to Development" page (later: the Management section of your workspace).
const contextOptions = {
  baseUrl: '## YOUR BASE URL ##',
  clientId: '## YOUR CLIENT ID ##'
};

// For React 18:
// const root = ReactDOM.createRoot(document.getElementById('root'));
// root.render(
//   <FronteggProvider contextOptions={contextOptions} hostedLoginBox={true}>
//     <App />
//   </FronteggProvider>
// );
ReactDOM.render(
  <FronteggProvider contextOptions={contextOptions} hostedLoginBox={true}>
    <App />
  </FronteggProvider>,
  document.getElementById('root')
);
```
  6. Redirect to login page

Using the Frontegg useAuth hook, you can determine if the user has been authenticated. If the user is not authenticated, you can use the useLoginWithRedirect hook to redirect the user to the login page (as shown in the example below).

```javascript
import './App.css';
// import { useEffect } from 'react';
import { ContextHolder } from '@frontegg/rest-api';
import { useAuth, useLoginWithRedirect } from '@frontegg/react';

function App() {
  const { user, isAuthenticated } = useAuth();
  const loginWithRedirect = useLoginWithRedirect();

  // Uncomment this to redirect unauthenticated users to the login page automatically
  // useEffect(() => {
  //   if (!isAuthenticated) {
  //     loginWithRedirect();
  //   }
  // }, [isAuthenticated, loginWithRedirect]);

  const logout = () => {
    const baseUrl = ContextHolder.getContext().baseUrl;
    // Build the URL in one template literal (adjacent literals would be parsed as a
    // tagged template and throw) and URL-encode the return address.
    window.location.href =
      `${baseUrl}/oauth/logout?post_logout_redirect_uri=${encodeURIComponent(window.location.href)}`;
  };

  // Show the signed-in user and a logout button, or a login button otherwise
  return (
    <div className="App">
      {isAuthenticated ? (
        <div>
          <div>
            <img src={user?.profilePictureUrl} alt={user?.name} />
          </div>
          <div>
            <span>Logged in as: {user?.name}</span>
          </div>
          <div>
            <button onClick={() => logout()}>Click to logout</button>
          </div>
        </div>
      ) : (
        <div>
          <button onClick={() => loginWithRedirect()}>Click me to login</button>
        </div>
      )}
    </div>
  );
}

export default App;
```

Click "Register", go to your email and click "Activate My Account".

When you want to log in, you just need to enter your email and wait for the six-digit verification code to arrive. No password required, no worries.

Conclusion

I hope this passwordless authentication guide will not only help you understand how easy this technology is to adopt, but also how important it will become in the coming years.

Passwordless Authentication FAQ

What are the main benefits of passwordless authentication?

Passwordless authentication provides multiple benefits. First, it enhances the user experience because users no longer need to remember complex passwords. Second, it improves security by eliminating password-related vulnerabilities such as brute-force attacks, dictionary attacks, and phishing. Finally, it reduces operating costs because businesses no longer need to invest in password recovery and reset programs.

How does passwordless authentication work?

Passwordless authentication verifies the user's identity using factors other than passwords. These factors can be something the user knows (such as a PIN), something the user has (such as a mobile device), or something the user is (such as a fingerprint). The system sends a one-time code or link to the user's device, and the user enters the code or clicks the link to gain access.

Is passwordless authentication secure?

Yes, passwordless authentication is usually more secure than traditional password-based authentication. It removes the risk of password-related attacks and vulnerabilities. However, like any other security measure, it is not completely foolproof and should be used in conjunction with other security measures for optimal protection.

Can passwordless authentication be used for all types of applications?

Passwordless authentication can be used in a variety of applications, including web applications, mobile applications, and even IoT devices. However, its applicability depends on the specific functional and security requirements of the application.

What are the challenges of implementing passwordless authentication?

Implementing passwordless authentication can pose some challenges. These include user acceptance, as some users may resist change; technical challenges, as it may require significant changes to existing authentication infrastructure; and regulatory challenges, as some regulations may require password use.

How do I implement passwordless authentication in my application?

Implementing passwordless authentication involves several steps. First, you need to select the right authentication factor (such as biometrics or mobile devices). Second, you need to integrate this factor into your authentication process. Finally, you need to educate your users about the new authentication method and its benefits.

What are some examples of passwordless authentication?

Examples of passwordless authentication include biometric authentication (such as fingerprint scanning or facial recognition), mobile device authentication (such as SMS codes or push notifications), and hardware tokens (such as security keys).

Is passwordless authentication the future of online security?

Many experts believe that passwordless authentication is the future of online security. As the limitations and risks associated with passwords become increasingly obvious, more and more businesses are turning to passwordless authentication to enhance security and improve the user experience.

Can passwordless authentication be used in conjunction with other security measures?

Yes, passwordless authentication can and should be used in conjunction with other security measures for optimal protection. These may include encryption, secure coding practices, and regular security audits.

What is the role of users in passwordless authentication?

Users play a vital role in passwordless authentication. They need to protect their authentication factors (such as their mobile devices or biometric data) and understand potential security threats. They also need to be comfortable with the new authentication methods in order to protect themselves.
