Passwords have ruined the Internet. Think about it. How many online accounts do you have for all the social media, shopping, banking, school, work, and entertainment sites you use? If you have a website or online business, do you require users to create accounts with passwords? We believe that passwordless login systems have the ability to completely change the internet for the better.
There’s no reason why the digital world has to be dominated by a handful of powerful companies. And there’s no reason why it has to be inconvenient for users to engage with new content. Sensitive data doesn’t have to be protected behind extremely thin layers of password security. We already have the tools to move beyond this.
Passwords are vital to your internet security. But with so many services, both online and offline, keeping track of your passwords is difficult. Passwordless login systems are starting to take off, removing the requirement to input a password each time you log in to a service.
But if you’re not using a password, how do you secure your account? What are passwordless logins and are they secure?
Now, let’s dive in:
What Is a Passwordless Login?
Passwordless logins are authentication systems that use alternatives to a password to enable access to your account. For instance, instead of a password, you receive an email notification that acts as a login token. Alternatively, you might receive a pop-up on your smartphone allowing you to control access to an account.
In this way, passwordless login often relies on a pre-existing form of authentication to verify your identity.
You might have already encountered passwordless logins using your Gmail account. Instead of having to enter your password each time you log in, Google can send a prompt directly to your phone. The prompt shows the time and location of the login attempt, with the option to approve or deny the login.
How does passwordless login work exactly?
Let’s start with the most basic definition: passwordless login systems are tools that websites can implement so that their users don’t have to log in via a password.
This doesn’t mean that users are simply let into the site without any form of authentication, though. With any type of passwordless login, users still have to verify their identities with one or more forms of authentication but not passwords. Each passwordless login system works a little differently. So let’s walk through each of them:
1. Passwordless Email Authentication
The most promising passwordless authentication method is the email-based system, which verifies a user’s identity using their email address and a complex encrypted key code.
Here’s how it works: Users click to log in. An email message is generated for them to send, and it contains an encrypted DKIM key code. When the user sends the email, the code is received, processed, and decrypted by the login server and by the website. The user’s identity and email address are matched against the website’s records, then they’re allowed access. The main point here is that email authentication is lightning-fast, ultra-secure, and completely eliminates the need for users to create new passwords.
Passwordless email authentication methods are already becoming popular in certain contexts. Nonprofit donations sit at the intersection between the need for tight security and the need for a flawless user experience. After all, making an online donation has to be quick and safe; otherwise many donors would lose their motivation, even when that donation is just a promise to fulfill a pledge.
2. Token-Based Authentication
Token-based and email authentication operate on similar concepts. With email-based systems, your email address is associated with a unique encrypted key as it’s processed through security servers. With token-based authentication, a website’s server sends a unique encrypted token to you.
This token is attached to your login session and then decrypted as you request various actions. This means it verifies your permissions to view content, make posts, etc. each time you begin a new action. By checking the token’s signature against its security algorithm, the site can effectively verify users’ identity for multiple actions and subdomains, greatly reducing login friction along the way.
Token-based authentication is extremely efficient and flexible, but it can be tricky for some sites to implement. Email-based authentication tools work via a similar concept of encrypted keys. So they’re often the fastest way for websites to start with these innovative login techniques.
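As an added illustration of the email and token flows described in sections 1 and 2 (this is example code written for this page, not Swoop’s product or any library’s API), the following Python issues a signed, expiring, single-use login token for an email address and verifies it when the user returns. The HMAC signing, the 15-minute validity window and the in-memory nonce store are assumptions for the example, not details taken from the article.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment loads the key from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60          # assumed validity window for a login email, in seconds
_pending = {}                # nonce -> (email, expiry); in-memory stand-in for a database

def _signature(payload: str) -> str:
    # Keyed HMAC over the whole payload: without SERVER_SECRET nobody can forge or alter it.
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_login_token(email: str, now: float = None) -> str:
    """Build the single-use token that goes into the login email (or link)."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)            # unpredictable, so tokens cannot be guessed
    expiry = int(now + TOKEN_TTL)
    _pending[nonce] = (email, expiry)            # remembered so the token can be used only once
    payload = f"{email}|{nonce}|{expiry}"
    return base64.urlsafe_b64encode(f"{payload}|{_signature(payload)}".encode()).decode()

def verify_login_token(token: str, now: float = None):
    """Return the email the token was issued for, or None if it is forged, expired or replayed."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        email, nonce, expiry, sig = raw.rsplit("|", 3)
        expiry = int(expiry)
    except (ValueError, TypeError):
        return None                              # malformed token
    payload = f"{email}|{nonce}|{expiry}"
    if not hmac.compare_digest(sig, _signature(payload)):
        return None                              # signature check failed: tampered or forged
    if now > expiry:
        return None                              # login email was used too late
    record = _pending.pop(nonce, None)           # consume the nonce: a second use must fail
    if record is None or record[0] != email:
        return None                              # unknown nonce, or already used (replay)
    return email

if __name__ == "__main__":
    tok = issue_login_token("donor@example.org")
    print(verify_login_token(tok))   # donor@example.org
    print(verify_login_token(tok))   # None (second use rejected)
```

The same issue/verify pair covers the token-based case: a session token carries the user identity plus a signature, and every request is checked against the server secret rather than against a stored password.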
3. Biometric Authentication
Fingerprint, face, and iris authentication (biometrics) are growing in popularity. You might already use a fingerprint or face scanner on your smartphone. You probably don’t think of them in exactly these terms, but they’re a form of passwordless login.
The concept is simple. For fingerprint authentication, users press their thumbs on their phone’s fingerprint reader camera to authorize payments or gain access to their accounts. While this technique is intuitive and secure, completely streamlining the login process to its core, it does come with some challenges. Namely, accessing technology with a fingerprint reader can be costly for your users. And the technology is less cost-effective for businesses and nonprofits.
Unfortunately, these technologies have also already been proven to be less secure than expected. Tiny fingerprint reader cameras only register parts of your fingerprint, for instance. The odds of another person’s finger matching that part of your own print are surprisingly high.
Biometrics are developing fast, though. A passwordless login system that makes use of encrypted email authentication and a truly secure biometric could completely change the ways in which we engage with the internet.
Are Passwordless Logins Like Two-Factor Authentication?
The answer is both yes and no. Yes, a passwordless login is similar to two-factor authentication (2FA) in that you access your account using an alternative authentication method. 2FA works by securing your account using two separate factors, usually a password and a separate device.
No, it isn’t the same because although you are using a separate device to authenticate your account, it is still only a single factor.
What are the benefits of implementing a passwordless login system?
Now that you know about the security of passwordless logins, you’re probably wondering what other benefits implementing a similar system will have for your company or nonprofit.
Organizations are constantly looking for best practices to make the login process quick and easy. Passwordless login systems not only make the process simple, but they also save users from the hassle of remembering a new password.
While having an account is essential if organizations want to encourage their users to make repeat transactions, users are less likely to give again if they can’t remember their password.
Passwordless login systems give users the best of both worlds: users can keep their payment information on file, saving them time in the future, and they won’t have to remember a long complicated password, which will encourage repeat donations.
Additionally, users won’t have to struggle to create a password that they feel is secure, which can be one of the most time-consuming aspects of creating an online account.
Moreover, your users are more likely to make impulse purchases or donations because the process will be much easier.
Think about it this way: Nonprofits that implement an email verification passwordless system can shorten their donation process. And donors won’t have to spend any additional time trying to remember or retrieve their account password.
Is a Passwordless Login More Secure?
Anything that stops users from creating terrible passwords is good, isn’t it? Passwordless logins remove another point of failure from the end-user. At the current time, passwordless logins are not widespread. Several major services are using them, such as Gmail (as we have mentioned above) and Slack Magic Links.
The biggest positive for website owners and moderators is the sudden lack of having to deal with user passwords. Unencrypted passwords stored in a cleartext file are the stuff of nightmares for an administrator and the stuff of dreams for a hacker. Users who rarely access a service wouldn’t have to go through the “reset your password” rigmarole, either.
Passwordless logins could also help users sign into the service quickly. Conversely, if you are regularly signed out of the service, having to re-authorize via email or SMS might become irritating. How irritating it becomes depends on how long a session lasts before you are signed out.
How Difficult Is it to Implement Passwordless Login?
Since there are several different types of passwordless login, the time and effort it takes to implement will vary. But for the most part, these systems can be easily implemented on your website.
Imagine that your organization wants to offer Swoop’s email authentication to your users:
- First, we’ll assess your existing site’s architecture to determine the best process for implementation.
- Second, our developers will begin the process of incorporating email authentication into your website’s infrastructure. It could take anywhere from 10 to 16 hours.
- Last, your organization can use our tool internally and for users with little set-up on your side.
As you can see, the process doesn’t require a lot of work on your organization’s part.
Alternatively, if your organization wants to use biometrics, the implementation process could take much longer. Not only will you need the software integrated into your website, but you’ll also have to ensure the program works with compatible devices like an iPhone for example.
Use a Password Manager
Passwordless logins will take time to become mainstream. The ball is rolling, though. Most major browsers (all but Safari) support passwordless login of one kind or another. In February 2019, Google also announced that devices running Android 7 (that’s Android Nougat) or later would also receive passwordless login support.
That means passwordless login support for nearly 50 percent of all Android devices. And passwordless login standards such as FIDO2 and WebAuthn will continue to receive updates, further securing the authentication method.
At the time of writing, you still need a password. You need a strong, single-use password. With that in mind, why not consider using a password manager?