Pros and cons of passwordless authentication
Most people use multiple passwords every day. However, you've probably had the frustrating experience of trying to buy something online and forgetting the password for that e-commerce site. Passwordless authentication is likely to provide a better alternative, but also carries certain risks.
How does passwordless authentication work?
Passwordless authentication verifies a person's identity through options that are more secure than a password or any other memorized secret. You may already have used some kind of passwordless login technique without noticing. These include:
- Biometrics: Prove your identity with a method such as fingerprint or face recognition.
- Magic link: Click the single-use link containing the verification code to access the password-free login site.
- Hardware key: Rely on a physical device, such as a USB key, to authenticate users.
- One-time password (OTP): Use a merchant-generated code to sign in instead of a previously selected password.
Some people argue that the OTP option is not part of the passwordless login group, because it still requires a passcode after all. However, the access codes are short-lived, which sets them apart from traditional passwords.
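The single-use magic link and the short-lived code described above, as an added example that is not part of the original article: the server keeps only a hash of each random token, consumes it on first use, and rejects it once it has expired. The class name, the shop.example URL and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumption: a link is valid for 10 minutes


class MagicLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a random single-use token and return the link to e-mail."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + self._ttl)
        return f"https://shop.example/login?token={token}"  # hypothetical URL

    def redeem(self, token):
        """Return the e-mail the token was issued for, or None if invalid."""
        # pop() consumes the entry, so a second click on the same link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expiry = entry
        return email if self._clock() <= expiry else None


def demo():
    """Constructed walk-through: first use, replay, and an expired link."""
    now = [1_000_000.0]  # fake clock so expiry can be shown without waiting
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("alice@example.com").split("token=", 1)[1]
    first, replay = store.redeem(token), store.redeem(token)
    stale = store.issue("bob@example.com").split("token=", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    return first, replay, store.redeem(stale)
```
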
Passwordless authentication is also scalable. A recently released security hardware key from Yubico includes a fingerprint reader for added protection. It also encrypts the data transmitted between the key and the component that stores the fingerprint information.
Where can you try passwordless shopping?
As of January 2021, Statista reports that more than 4.66 billion people worldwide have access to the Internet. Experts believe this has contributed to the recent boom in e-commerce. However, it may be a while before passwordless shopping becomes mainstream.
If you want to use the Microsoft Store or another Windows service without a password, there are four ways to do that. You can use the Microsoft Authenticator app, Windows Hello, a security key, or an OTP sent to your phone or email.
Shopify also has a number of apps that allow store owners to add different types of password authentication to their stores.
Despite some questions as to whether passwordless authentication is realistic, Google has also signaled its gradual transition to a password-free future. An existing example is the security key built into Android phones running 7.0 or later. It checks the Bluetooth signal transmitted between the security key and the device you use to sign in to Google services.
For now, passwordless shopping is still an unusual service. However, the technology to support it in online stores already exists, so you may soon start seeing passwordless login options on websites.
Pros and cons of using the Internet without a password
Some e-commerce experts suggest that passwordless shopping could be the solution for online purchases. Ultimately, the goal is to give people the smoothest buying experience possible. Not having to remember a password will definitely take some of the hassle out.
Similarly, they also argue that passwordless authentication is more secure than using user-generated passwords, because too many users now set passwords that are easy to guess. Additionally, a 2019 survey found that 65% of people reused passwords across multiple sites. That habit could allow hackers to access more accounts through stolen logins.
However, not using a password also carries risks, such as someone being able to steal the physical security key. Researchers also found that the OTP method could fail in 80% of cases, because interceptors obtained the code before the legitimate user received it. Bad guys have also forged biometric information with everything from Play-Doh to 3D masks.
Another problem, especially within the enterprise, is that many business leaders and employees feel reluctant to accept new technology. They may have been using passwords for decades and aren't ready to change that habit now. When they no longer have to enter a password to buy new office supplies, some people may initially complain about or question the transition.
Is passwordless shopping right for you?
Let's look at the security methods available. Buying a hardware key and keeping it carefully is a safe bet. However, using the phone for authentication is not as secure a solution. The OTP may not reach you. Someone can hack your biometrics if you lose your phone. Some people suggest combining at least one of the options above with systems that analyze user behavior, such as how fast they type or how they hold their phone.
Passwordless authentication isn't without risk, but neither is any other method you use to access the Internet. All have the potential to be hacked by sufficiently skilled bad guys. Weigh the risks and benefits of each before proceeding.