Home » Cyber Security » Network Security » how secure are Passwordless Logins?

how secure are Passwordless Logins?

Disclosure: All of our articles are unbased, well researched, and based on a true picture of the story. However we do sometimes get commissions from affiliate sites. Our readers get the best discount from buying from our links. Here is our complete affiliate disclosure.

Imagine a man named Ben. The year is 2009 and Ben has a good life if it weren’t for one thing- passwords.

Like most of us back in the day, Ben faces a similar plight. Keeping track of multiple passwords is proving to be an arduous task, and more often than not, Ben finds himself locked out of his email and social media accounts.

Fortunately, for all the Bens of the world, passwordless logins have come in to save the day.

The term ‘passwordless logins’ strikes many people as odd. After all, perhaps the first thing that comes into our minds when we hear the word ‘login’ is entering a 6-10 character password, so that we may gain access to our accounts.

To clear the air of any doubts that you may or may not be harboring about the topic, here’s everything you need to know about passwordless logins:

What exactly is a Passwordless Login?

To most of us, the term passwordless login is still relatively new, and the implication is still not clear.

In essence, passwordless login is any authentication system that relies on alternatives to passwords for you to gain access to your account. 

These authentication systems include everything from email notifications to pop-ups on your smartphone.

Password logins are usually based on existing information already present on your account. One such example includes the prompt sent directly to your phone by Gmail which grants access to your account.

Why were Passwordless Logins created?

Although passwordless logins aren’t the primary source of accessing accounts, the method is snowballing in popularity.

Such as the case with many pivotal creations, passwordless authentications were created after a series of dire breaches.

Many of these cases such as the Yahoo! data breach, LinkedIn data breach, and the Dropbox breach resulted in the massive loss of sensitive information, including passwords for many users.

Furthermore, new applications are emerging every day, and most users find it exceedingly difficult to keep up with their passwords. As a result of this, users end up creating a single password for all of their accounts, which is the stuff of dreams for hackers all around.

In the same way, a survey report states that the majority of users have weak passwords, with ‘123456’ and ‘password,’ being the most popular choices.

Keeping in mind with the terrible conditions of cybersecurity, and the availability of secure SMS and email accounts for most users, passwordless authentications/ logins were brought forth into the world.

How do Passwordless Logins work?

To understand how passwordless logins work, you must first familiarize yourself with how a normal login process works:

  • Firstly, most websites require you to create a secure and robust password at the beginning. This is where most users fall short and end up creating a genuinely terrible password.
  • Secondly, you need to remember your password and use it each time you log in to your account. Many users click on the ‘remember my password’ option and risk having their data stolen by hackers.

Passwordless logins eradicate the possibility of breaches as they take things out of human hands.

You don’t have to trust any website with safeguarding your data anymore blindly, as passwordless logins utilize a series of various methods to grant you access to your account, such as:

Email based passwordless authentication:

Currently, the most common type of passwordless authentication being used is through email, as most users are most familiar with this medium.

The way that email based logins work is that when you attempt to login into your account, instead of providing a password, you provide an email address.

The service then sends an email containing a ‘magic link,’ which can only be used once to gain access to your account.

The magic link works by including a unique logic token that the service that you’re using verifies, for you to gain access.

For existing users logged out of their accounts, the service sends a single use DKIM key, which matches the code sent against pre-existing data and allows access to users.

SMS based passwordless authentication:

Another method of passwordless login that is increasing in popularity is allowing users access to their accounts via SMS.

In this case, instead of entering their password or email addresses, users enter their valid phone numbers.

The service then sends a single-use code to the users through SMS, which they can use to log into their accounts.

Similarly, many services also offer a ‘robocall’ option, in which a code is delivered to them through a phone call.

Biometrics based passwordless authentication:

Many services have started to include a biometrics-based passwordless login after the popularity of Apple’s face ID.

The idea behind this approach is that whenever you want to access a website through your account, a prompt appears.

The prompt then redirects your smartphone to a biometric system of your choice, and as you unlock your phone, it acts as a verification for the website as well and gives you access.

Physical security keys:

Another option available for passwordless logins is physical security keys.

A physical security key is a specific USB key that you plug into your computer whenever you want to access your account. The online service that you wish to access verifies your code through the USB key, eradicating passwords completely.

Examples of physical security keys include  Yubico’s Yubikey series and Google’s Titan series.

Is there any difference between Two-Factor Authentication and Passwordless Logins?

From what we’ve discussed so far, you might be a bit be thinking that passwordless logins and two-factor authentication (2FA) sound eerily similar.

Well, both these authentication systems share a few things in common, but they are still miles apart from each other.

The similarity between the two is that both of them utilize alternatives to passwords for you to gain access to your account.

However, unlike 2FA, passwordless logins do not require two-factor authentication and are based on a single factor to grant access to your account.

What are the advantages and disadvantages of using Passwordless Logins?

Passwordless logins, much like everything else in the technological realms, could prove to be a godsend, if appropriately utilized.

Some advantages of using passwordless logins, over the standard way of logging include:

  • Boosts security: Once you eradicate the use of passwords from your website, you take a massive leap in the step towards safety. By eliminating millions of unencrypted passwords from your server, you play an essential part in keeping hackers at bay.
  • Elevates users experience: In comparison to the usual process of logins, passwordless logins are fast and efficient, which proves to be user-friendly and garners traffic towards your website, which amps up the reputation of the website.

Some disadvantages of using passwordless logins include:

  • SMS sim hacking: One of the alternatives that passwordless logins utilize, is SMS based verification. However, the sim card is susceptible to hacking attacks which can be carried out to mine for cryptocurrency.
  • Inconsistencies in Biometrics:  Aside from Apple’s Face ID, there have been many inconsistencies in Biometrics, as other manufacturers Face ID can be easily tricked by using a photograph.

So, what do you do from here?

Now that you have an ample amount of information on what passwordless logins are, and what advantages and disadvantages they have to offer, you might be wondering, “What do I do now?”

Well, for starters, you can try to experiment with password alternatives and opt for passwordless logins for some of your accounts.

However, since the use of passwordless authentication isn’t as widespread now, as it will be in the future, you need to be aware of some of the inconsistencies present.

In the meantime, you can use a password manager to manage all your passwords and stay secure at the same time.

Photo of author
Rebecca James is an IT consultant with forward thinking approach toward developing IT infrastructures of SMEs. She writes to engage with individuals and raise awareness of digital security, privacy, and better IT infrastructure.

Leave a Comment