What Is Passwordless Login?

How many different passwords do you have? Ten? Thirty? Two? Can you remember exactly which accounts they all belong to? How often do you recycle the same password because you simply can’t have a unique, strong, easily-remembered password for each of your accounts?

Passwords are difficult and frustrating. For each new account we create, we either recycle an old password, making it less secure, or come up with a new one, only to forget it later. But of course, we need passwords in our lives. For us to use our accounts, Facebook, Gmail, and Reddit have to know that we are who we say we are. Passwords are a necessary evil.

Or are they?

Some people decided they’d had enough of needing unique, strong passwords for the dozens upon dozens of accounts they had. They wanted to modernize authentication, taking frustration out of the equation to create a better user experience.

Enter passwordless login.

Passwordless login uses alternative ways for users to authenticate themselves. Though it is relatively new, it’s gaining popularity, with websites and apps such as Slack, Craigslist, and Wordpress supporting passwordless login in addition to being able to set up a password. In fact, if you’re logged in to Medium, you’ve already experienced this, as it longer supports passwords at all.

So how does it work?

Let’s start with how logging in works traditionally. When Facebook asks you to log in, you provide your username and password. If your password matches what you previously set it as, Facebook authenticates you and creates a temporary session id, stored in a Facebook server. At the same time, it sends you a small piece of data called a cookie which contains the same session id and lives in your browser. The next time you visit a Facebook page, your browser sends this cookie’s information and Facebook matches it with the id on the server, authenticating you. It’s a lot like paying for a concert ticket, then getting a wristband to show that you paid. Then whenever an employee wants to know if you’re allowed in, they just have to see if you have a wristband or not; you don’t have to show them your ticket every time. Otherwise, you’d have to log in every time you want to comment on that meme your friend just posted.

When Medium asks you to log in, it sends you an email that contains a temporary code. Because you need access to your email to view this code, Medium knows you are who you say you are, assuming you are the only one with access to your email. In this way, they are able to authenticate you and provide you with a cookie that allows you access to your account.

Slack’s passwordless login page.

You may have come across something like this already, even if you don’t have a Medium account. When you sign into your Google account on a new device, it may ask you on your phone if that’s you trying to log in. It uses this multi-factor authentication to add security on top of your password. A different kind of passwordless login may use your phone as the primary means of authentication, since you are its sole owner.

Other ways passwordless accounts verify users are through other common multi-factor authentication methods such as facial recognition and fingerprint scans.

Is passwordless authentication safe?

The idea of a password and a secure account being codependent is so ingrained in our minds that it can be surprising to hear passwordless accounts can be secure. But think about it this way. Let’s say you forget your password to an account you haven’t logged into in months. What’s the first thing you do to recover your password after you incorrectly guess it a handful of times? You send a reset link to your email. Your account is authenticating you through the use of your email, which only you should be able to log into. Passwordless login is just cutting the extra step of you fumbling over your forgotten password by going through your email in the first place.

In this way, passwordless login is no less safe than a typical password protected account. On the contrary, a password may make your account less secure since anyone in the world with your password can log in to your account, but only you have your phone, your fingerprint, etc. At least in theory. Some security experts advise against using fingerprint recognition as a way to sign in because once someone has your fingerprint data, that’s it. You can’t change your fingerprint like you can a password.

A common tactic hackers use to gain access to a user account is Cross-Site Request Forgery. In this type of attack, an attacker intercepts a cookie that an authenticated user’s browser sends to a website. Then, the attacker sends malicious HTTP requests using the user’s cookie-blessed browser which the website trusts and executes the HTTP request. This can lead to things such as the website being manipulated or a leak of user data. Because most passwordless login methods still use cookies, they are not exempt from this type of attack.

In the end, it’s up to you to stay on top of your account security. Utilize multi-factor authentication, protect sensitive information, detect and avoid scam/phishing attempts, and rotate your passwords regularly. Be wary of any potential risks to your account’s security, and know that passwordless accounts are just one tool in your belt that you can arm yourself with.

Generally speaking, passwordless login is just as safe as password-protected login. In some ways it is better, in some ways it is worse. Several bigshot companies are turning to passwordless login as their standard in user authentication, and they don’t seem to mind. Many users have enjoyed the seamlessness of logging into their accounts without having the hassle of using a hard to remember or non-secure password, and it looks like it’s here to stay.

Coding blogs. Maybe other things.