Say goodbye to your password! Advantages and practices of passwordless authentication
Passwordless authentication uses a secure personal communication channel the user already has, such as email or text messages, to provide a safer and friendlier alternative to traditional password-based systems. It spares users the hassle of creating and remembering passwords, and there is no password store that can be breached or guessed.
Advantages of passwordless authentication:
- Security: No passwords are stored, so there is no risk of them being cracked or guessed. Even if a message is intercepted, the attacker obtains only one of the two tokens and cannot log in.
- Cost-effectiveness: Development and deployment require less code, and support teams do not have to deal with password-related issues, which reduces operational costs. It is especially suitable for applications where session timeouts are long or users only need occasional access.
- User experience: Users do not need to create or remember their passwords, and the login process is easier and faster.
How passwordless authentication works:
We still use the same authentication method as in the early days of the Internet. Unfortunately, passwords are becoming ever easier to break:
- Password strength is generally insufficient. Surveys show that one in 10 accounts uses one of the twenty most popular passwords; "123456" is used by more than 4% of accounts, and "password" is still one of the most commonly used passwords.
- Users use the same weak password on multiple websites. If a hacker breaks through someone’s Facebook account, he will likely be able to access their PayPal account as well. Your password security depends on the security of the weakest system you use.
- Data breaches at enterprises are becoming more frequent and now attract mainstream media attention; a breach is an easy route to notoriety, revenge or blackmail. Few companies are prepared for cyber attacks, and although breaches are often described as "increasingly sophisticated attacks", many are simple SQL injections caused by poor development practice.
- From a coding perspective, authentication is cumbersome and error-prone. Checking credentials is only the beginning: you must make sure there are no security vulnerabilities, hash the password strings with a strong (and slow) algorithm, let users reset forgotten passwords, and field support calls from people who cannot seem to remember or type a short string of characters.
- Other solutions, such as biometrics or OAuth, rely on hardware or on a suitable social media account. Few websites implement them well, and they still need to fall back to the email/password method for some users.
Passwordless authentication is premised on the observation that most users already have a secure personal communication account (such as email or text messaging), so a password is unnecessary. An application can use those systems instead:
- The user visits the website and enters an ID (such as an email address) to log in.
- The system sends a message containing a link to the user; the user can log in by clicking on the link.
In other words, the application creates a random one-time password and quietly delivers it to the user whenever access is needed. This is similar to the password-reset process, which many users go through every time they log in anyway! Email is the obvious choice, but any other messaging service can be used, such as SMS, Slack, Skype, instant messaging or even Twitter direct messages, and several can be offered if you do not want to rely on a single system. Behind the scenes it is a little more complicated to make sure that only the intended person can use the login link. The general process is as follows:
- The server verifies that the account with the email address exists.
- The server creates two tokens (such as 24-character hexadecimal GUIDs) and associates both with this login attempt. The first token is sent back to the login device, usually as a browser cookie. The second token is encoded in the link emailed to the user.
- When the link is clicked, the server receives both tokens and verifies that they belong to the same login attempt. Optionally it performs further checks: that the link was clicked within a few minutes, and that the IP address and browser user-agent string have not changed.
- If all verification is passed, a real session will be started and the user will log in. If any step fails, all associated tokens will be invalid; they cannot be used again.
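The two-token flow described above, written out as an added example (this is not the article's own code; the in-memory store, the 10-minute expiry, the user-agent binding and the hashing of the emailed token at rest are assumptions):

```python
import secrets, time, hmac, hashlib

class PasswordlessLogin:
    """Magic-link login: a cookie token stays on the login device, a link token
    is emailed, and both must come back together on one unexpired attempt."""

    def __init__(self, known_users, ttl_seconds=600):
        self.users = set(known_users)
        self.ttl = ttl_seconds
        self.attempts = {}  # cookie_token -> attempt record (assumed in-memory store)

    def start(self, email, user_agent, now=None):
        """Returns (cookie_token, link_token), or None for an unknown account.
        Show the same "link sent" message either way to avoid account enumeration."""
        if email not in self.users:
            return None
        cookie_token = secrets.token_hex(12)  # 24 hex chars, set as a browser cookie
        link_token = secrets.token_hex(12)    # 24 hex chars, embedded in the emailed link
        self.attempts[cookie_token] = {
            "email": email,
            # Store only a hash of the emailed token so a leaked store cannot forge links.
            "link_hash": hashlib.sha256(link_token.encode()).digest(),
            "expires": (now if now is not None else time.time()) + self.ttl,
            "ua": user_agent,
        }
        return cookie_token, link_token

    def finish(self, cookie_token, link_token, user_agent, now=None):
        """Returns the logged-in email, or None. The attempt is consumed on any
        outcome, so a token pair can never be replayed after a failure."""
        attempt = self.attempts.pop(cookie_token, None)  # single use: remove first
        if attempt is None:
            return None
        presented = hashlib.sha256(link_token.encode()).digest()
        ok = hmac.compare_digest(attempt["link_hash"], presented)  # constant-time
        ok = ok and (now if now is not None else time.time()) <= attempt["expires"]
        ok = ok and attempt["ua"] == user_agent  # optional binding from the article
        return attempt["email"] if ok else None
```

A production version would persist attempts server-side with the same single-use semantics and rate-limit `start` per address so the mailbox cannot be flooded.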
Where passwordless authentication fits:
Although logging in takes a little longer (about as long as using a password manager), passwordless authentication suits applications where session timeouts are long or users only visit occasionally: shopping websites, social networks, forums, ticketing systems and content management systems. It would be strange to use it for a messaging system, since you would need another system to log in, and you would not want your bank to rely entirely on AOL for its security, although it can complement a secondary authentication process. If you are creating a new application, consider passwordless authentication. Updating an existing application, where many users already have passwords, is a harder problem. I recommend running passwordless authentication in parallel rather than switching to the new login process overnight: offer it as an option, especially to users who reset their passwords, and evaluate adoption after a few months to decide whether it is viable.
A practical case study:
I implemented passwordless authentication in a new application that is used by hundreds of internal and external customers. About half of the user base has good IT skills and accesses it every day, so their sessions rarely expire. The other half is mainly managers who log in once or twice a month; many of them forget or mistype their password. The biggest problem: the customer had to be convinced. "No password" sounds unsafe, and few people have seen it elsewhere. I was lucky: the client had a highly skilled project manager who understood the concept. Even so, I agreed to add a password if it failed. Since then, everything has gone well. I had to write my own implementation for technical reasons rather than relying on third-party libraries. It took less than a day and did not require the usual password management, hashing and reset nonsense we usually develop and test. The biggest benefit: users understand passwordless authentication. The process is simple, but it is best to provide simple instructions at every stage. For example:
- You have been sent a login link email. If not received, please check your spam folder.
- Please click this link to log in... You have 10 minutes to open this link in the same browser.
Conclusion:
I can't say that passwordless authentication works everywhere, but my experience has been overwhelmingly positive. I have changed my mind: from now on, all my applications will be passwordless. Some customers may not be satisfied, but I will add a dummy password box to their login form and ignore it! Have you implemented passwordless authentication? Was it a good or a bad experience?
Frequently Asked Questions about passwordless authentication (FAQ):
- What are the main advantages of passwordless authentication? Passwordless authentication enhances security, improves the user experience and reduces operating costs. It eliminates password-related vulnerabilities, simplifies the login process, and reduces the time and resources spent on password management and recovery.
- How does passwordless authentication work? Passwordless authentication verifies the user's identity with factors other than a password: something the user has (a smartphone or hardware token), something the user is (biometric data such as a fingerprint or facial recognition), or something the user does (behavioral biometrics). The system sends a one-time code or link to the user's device, or uses biometric data, to verify the user's identity.
- Is passwordless authentication safe? Passwordless authentication is usually more secure than traditional password-based authentication because it removes the risk of password-related attacks and vulnerabilities. Like any other security measure, however, it is not foolproof and should be combined with other measures such as multi-factor authentication and sound security protocols.
- What are the challenges of implementing passwordless authentication? Implementing passwordless authentication can face challenges including user acceptance, technical difficulties and potential security risks.
- Can passwordless authentication be used for all types of applications? Passwordless authentication can be used in a wide variety of applications, but not all of them. Its suitability depends on the application's security requirements, its user base, and the resources available for implementation and management. It is best suited to applications where user convenience is a priority and the risk of a data breach is high.
- How does passwordless authentication improve the user experience? Passwordless authentication removes the need for users to remember and enter complex passwords. It also simplifies the login process, making it faster and more convenient, and users no longer need to go through the frustrating and time-consuming password reset process.
- What is the difference between passwordless authentication and multi-factor authentication? Passwordless authentication verifies a user's identity without using a password. Multi-factor authentication verifies identity using two or more independent factors. Passwordless authentication can be used as part of multi-factor authentication, as one factor that does not involve a password.
- What are some examples of passwordless authentication methods? Examples include biometric authentication (such as fingerprint scanning or facial recognition), hardware tokens, software tokens and mobile push notifications. These methods can be used alone or in combination to strengthen security.
- Is the cost of implementing passwordless authentication high? The cost varies with several factors, including the size of the user base, the complexity of existing systems and the chosen passwordless method. It may require an upfront investment, but it can save costs in the long run by reducing the resources spent on password management and recovery.
- How do you transition to passwordless authentication? The transition involves several steps. First, evaluate your security needs and choose the right approach. Then update your systems and processes to support the selected method. Finally, educate your users about the new method and guide them through the transition. Working with a trusted security provider is recommended to ensure a smooth transition.
The above is the detailed content of Why Passwordless Authentication Works. For more information, please follow other related articles on the PHP Chinese website!