What is passwordless authentication? Is it safe to use?

Anton P. | June 28, 2022

Passwordless authentication refers to identity verification or login processes that do not rely on passwords. Instead, they turn to magic links or biometrics like facial recognition. So, login processes can transform from knowledge-based procedures to something you inherently have.

Passwordless logins resolve issues like forgetting passwords or having them leaked online. Such authentication treats an email address as one of the main authentication factors. However, it is susceptible to other threats, like someone targeting your email account.

What is passwordless authentication?

Passwordless authentication means you do not need to enter a password to log in to an account or device. Its main impact works on multiple levels:

  • Improves user experience and supports fast logins. A Dashlane study in 2017 revealed that an average user has 150 accounts. For security reasons, difficult passwords contain over 12 characters, including letters, special symbols, and numbers. Remembering 150 unique combinations by heart is a hassle, if not impossible. While password managers help, they do not have to be the only solution.
  • Protects against account takeover attempts. Phishing, credential stuffing, dictionary, or brute-force attacks aim to crack or expose passwords. If there are no combinations to reveal, such attacks render fruitless.
  • Much more secure than weak passwords. If users opt for convenience and reuse combinations or set weak ones, passwordless authentication is much more secure.

How does passwordless authentication work?

Passwordless authentication gradually pushes towards a password-free future. It introduces the application of other, likely more secure, alternatives. For instance, biometrics support possession-based logins when services recognize your fingerprints or face.

There are several main issues with password-based authentication most people use today:

  • Easy to forget and misplace.
  • Vulnerable to hacking, phishing scams, and other password-targeting attacks.
  • Data breaches expose passwords that companies have not encrypted or hashed.
  • Password resets can take a long time or might require contacting IT support teams.

Types of passwordless logins

Eliminating passwords from the login opens up modern ways for users to reach their accounts. However, the question is, what piece of data or technique should replace security passwords? So far, companies have experimented with and integrated three possible means for passwordless authentication.

  • Magic links. This passwordless authentication method means that your email address is the primary identifier. You use it to sign up and log in. However, you do not pair it with a password. Instead, you provide your email in the login form. Then, a message containing a link arrives in your inbox. After clicking the link, you will magically log into the services.
  • Biometric data. The chances are you already use face or fingerprint scans to unlock your smartphone. However, the same physical attribute can replace passwords in other scenarios. For instance, Android and iOS already use fingerprint scanners. The use of biometric authentication lags behind on desktops, but Microsoft has introduced Windows Hello. This authenticator lets people use facial recognition for fingerprints to unlock their devices. macOS also has a Touch ID feature.
  • Possession factors. This passwordless authentication means that you prove your identity with an external device. It could be a one-time code delivered to smartphones. It can also be a hardware token, giving you login codes instead of passwords.

Passwords are not only vulnerable but expensive

Organizations must back password-based authentication up with other security procedures. Credentials are the biggest attack vector, a target for many hackers. Thus, companies have the responsibility to integrate specific security-related mechanisms:

  • Password complexity policies.
  • Password reset processes.
  • Password hashing and secure storing.
  • Detection of compromised passwords.

Sadly, many unfortunate stories prove that companies fail to implement these requirements. Therefore, data breaches frequently consist of passwords stored in plain text. DailyQuiz, one of the latest hacking victims, exposed over 8 million plaintext passwords, which were later put for sale. Passwordless authentication is suitable for avoiding such data breach incidents.

How can you go for passwordless logins?

Whether you can escape passwords and go for passwordless authentication relies on the services. While the preference for password-free environments has been brewing for a while, passwords prevail.

However, more and more providers choose to integrate FIDO2, the project for more secure web logins. Many popular browsers already support it.

Password managers also remove the need for master passwords by switching to passwordless logins.

However, a joint effort by Apple, Google, and Microsoft could be a game-changer for users’ login routines. The companies hope to let users choose their phones as the primary authentication method. Essentially, users will be able to use PIN codes, patterns, or fingerprint unlocks to sign in to web services.

As Google explains, such passwordless authentication becomes possible if unique cryptographic tokens known as passkeys get shared between phones and websites.

Can passwordless logins work with multi-factor authentication (MFA)?

Multi-factor authentication means users must complete two or more steps before logging into their accounts. However, it is not necessarily passwordless, meaning that one of the steps could contain passwords. The usual combination is a password and verification via authenticator apps, messages, or push notifications.

So, MFA simply describes the number of factors required to confirm users’ identities. For instance, you can use fingerprints to unlock your phone. It is passwordless but only a single-factor process.

Atlas VPN goes for the future: our passwordless authentication

Atlas VPN supports the future of passwordless authentication by eliminating passwords from its login process. Users create accounts using their email addresses only. So, this identifier becomes the only detail you need to reveal when logging into your account.

  1. You will need to enter your email address whenever you wish to link your account to a device.
  2. Then, a magic link reaches your inbox.
  3. As soon as you open the link, you are automatically logged in.
  4. For the best results, users should use the same device during login. If you wish to link your account on Android, use the same smartphone to open your link.

Why passwordless authentication is worth it

Passwordless authentication works in favor of fast and convenient logins. It can deliver one-time login codes and magic links via SMS or email. Biometrics such as fingerprints or face scans are also possible.

Opt for codes or magic links if you are unsure about sharing biometric data. They are likely to be less intrusive and healthiest privacy-wise. However, remember that phishing evolves continuously.

Thus, it is a matter of time until scammers initiate campaigns mimicking passwordless login letters. So, be prepared for such fraudulent messages. Only click on magic links if you have requested to log into your account.

Browse safely & anonymously with a VPN

Browse safely & anonymously with a VPN

Encrypt your internet traffic and defend against online snooping, hackers, governments, or ISPs.
Anton P.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.

Tags:

credential stuffingbrute forcebiometrics2fa

© 2022 Atlas VPN. All rights reserved.