Logo / Articles

Authentication

How Passwordless Authentication Works - A Deep Dive

By James Walker

How Passwordless Authentication Works - A Deep Dive

Passwordless authentication refers to identity verification methods that don’t require users to enter a password. Going passwordless improves security and increases authentication convenience by removing the challenges associated with passwords.

This article will explain what passwordless is, how it works, and the benefits it provides to your users. We’ll then take a detailed dive into some of the main ways of implementing passwordless authentication and how they compare. Let’s get started.

How Passwordless Authentication Works

Passwordless authentication replaces passwords with newer mechanisms that are both easier to use and more secure. It enhances the user experience, protects users and your data, and provides more consistency in the level of protection applied to each account.

Passwords are ubiquitous, but they’re far from an ideal security solution. Many users find strong passwords inconvenient, so they select simple, easily guessable values instead. This creates a vulnerability as attackers can compromise accounts by speculatively trying simple phrases.

Cutting out passwords eliminates this threat. Whereas passwords are something you know, passwordless authentication is typically tied to something you have---such as access to your email inbox, a hardware device, or a biometric scan. These tangible assets are more convenient for legitimate users to present while being difficult for attackers to obtain.

MFA vs. Passwordless

Passwordless is an important part of multifactor authentication (MFA). The two topics are closely related but have slightly different remits.

MFA requires users to verify themselves using multiple authentication methods (factors) before they’re granted access to a system. Factors can comprise both password-based and passwordless methods. Contemporary systems commonly combine a password with a one-time code sent in an SMS or displayed in a smartphone app.

The best authentication strategy is to use both MFA and passwordless. It prevents attackers from gaining access even if one of the factors (such as a password or email inbox) is successfully compromised.

Passwordless Adoption

Passwordless authentication is being embraced by major technology and software providers. Companies like Apple, Google, and Microsoft have publicly committed to developing interoperable passwordless technologies that let you sign in to your devices and accounts without ever needing a password. Modern standards, such as FIDO, that are being developed by industry working groups aim to support the widespread adoption of passwordless auth, including for existing sites and services that currently rely on passwords.

The shift towards passwordless is also influenced by regulatory requirements, particularly in enterprise and government software. The White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity specifically encourages the use of fully passwordless authentication when systems are modernized, acknowledging that the risks in using passwords still exist even where MFA is used.

How Does Passwordless Benefit UX?

Passwordless provides significant user experience (UX) benefits by helping users sign in quickly with minimal effort. Instead of having to remember and type out complex passwords, users can simply click a link, scan their fingerprint, or acknowledge a prompt sent to one of their devices.

Many people struggle to manage their passwords or are concerned that they may forget or misplace them. The widening understanding of password issues also means some users will have a peripheral awareness that passwords can be insecure, which could induce hesitance to sign up for new services that use them. Passwordless removes these doubts from the experience, helping users feel comfortable when interacting with your platform.

Furthermore, passwordless factors are constantly accessible to the user, as opposed to passwords, which may need to be referenced from a password manager every time they’re used. Constantly looking up passwords creates friction that can lead to session abandonment when the user tries to authenticate from a different device and can’t access their saved passwords.

Passwordless UX Challenges

Not that passwordless is a panacea for all authentication issues. Although it can remove login roadblocks, it also has the potential to create them or frustrate users who dislike particular methods.

For example, passkeys might satisfy some people while deterring others who don’t have a compatible device or don’t want to use them. Similarly, users may find it distracting if they have to repeatedly switch to their email inbox to complete authentication attempts, so several different options should ideally be offered.

Another pitfall is that poorly implemented passwordless is often slower than using passwords under ideal conditions. When a password is saved in a browser, users can normally authenticate themselves almost instantly. With passwordless, you can expect a small delay---whether while waiting for an email to arrive or using your device’s hardware to complete a biometric scan.

It’s therefore important to consider ways of mitigating these problems, such as by clearly communicating how to complete the process and allowing a quick switch to a different authentication method if the first one gets stuck or times out.

Methods of Passwordless Authentication

There’s no single way to implement passwordless authentication. The only criterion is that no passwords are used. However, most services have gravitated towards offering one or more of the following methods:

  • Passkey authentication: via biometrics like a fingerprint or face scan

  • Magic links: a unique sign-in link sent to your email inbox

  • Hardware tokens/keys: using a dedicated security device

Each option comes with benefits, drawbacks, and ideal use cases, so you should carefully consider the pros and cons of different methods before choosing which you’ll support.

Passkey Authentication

Passkey authentication relies on cryptographic keys stored on the user’s device, usually by biometrics like fingerprint or facial recognition for secure access. The WebAuthn standard provides a unified API for developers to enable passkey authentication across platforms.

With passkeys, there is no need to handle biometric enrollment or scanning directly. The operating system manages those platform details, while WebAuthn provides a high-level interface for creating and using passkeys. Users register a new passkey credential during an initial enrollment ceremony, which may involve setting up biometrics. Once enrolled, they can authenticate by approving a passkey request, typically via a biometric prompt.

Passkey authentication offers numerous benefits:

  • Phishing Resistant: Passkeys are cryptographically bound to the website they were created for, preventing phishing attacks.
  • No Shared Secrets: User credentials never leave the device, eliminating risks of server-side database breaches.
  • Highly Secure: Passkeys leverage modern cryptography and secure hardware to protect user data.
  • Frictionless Experience: Biometric gestures provide a smooth authentication experience for users.
  • Cross-Platform: With WebAuthn, passkeys work across all major operating systems and browsers.
  • Works Offline: No server verification is required, so passkeys function without an internet connection.

However, there are some potential downsides:

  • Reliance on Devices: Users must have a compatible device to use passkeys.
  • Account Recovery: Recovering access after losing all registered devices can be challenging.
  • Adoption Challenges: While promising, passkeys require updates across client and server infrastructure.

Overall, passkey authentication via WebAuthn represents a significant security improvement over traditional passwords and OTPs. As biometrics become more widespread on consumer devices, passkeys provide a secure and frictionless authentication experience for users.

Magic links verify users by sending a unique link via email, SMS, or chat. The user is authenticated once they click the link. Links are given short expiration times and can only be used once, minimizing the potential threat of exposure.

Authentication with a magic link begins with the user commencing their sign-in attempt as usual. After entering their email address or username, the service generates and sends a magic link, then redirects to a holding page while the user navigates to their email or chat app. Once the user clicks the link, their identity is confirmed and they’re redirected back to the target app or website.

Magic links have several advantages:

  • Easy and convenient: Users can authenticate themselves by just clicking a link. There are no passwords to remember, and the links can be used from any device as long as the user can access their email or messages.

  • No extra hardware required: The only dependency is the user’s existing email service. Not having to purchase or configure dedicated hardware makes magic links one of the most accessible forms of passwordless auth.

  • Short-lived links prevent persistent compromises: Short-lived unique links guarantee that magic links are safe, even if an attacker later gains access to the user’s inbox. As long as the user fully secures their email account, they should obtain increased security compared to reusing unsafe passwords across multiple sites.

But they also have disadvantages:

  • Doesn’t work offline: Magic links are an inherently online flow, so they don’t work in situations where the user must authenticate themselves while offline, such as to approve a sensitive action that’ll be synced to a server later on.

  • Requires an external account: The ability to send a link depends on the user having access to an existing email or messaging account they can use to receive it. The method isn’t feasible where this requirement can’t be enforced or the user must authenticate from devices without email access.

  • Poses a risk of interception: Emails could be intercepted or compromised by a malicious actor. Defense against this threat requires implementing anomaly detection controls, such as recognizing that a link was clicked in a different geographic location than where the user began the authentication attempt.

Hardware Tokens and Keys

Hardware tokens are smart cards and key fobs that you physically connect to your computer. YubiKey is the most popular security key, but a wide variety of devices are available. All options work similarly---you connect the key to your device, link it to your online accounts, and then authenticate yourself at sign-in time by pressing a button.

Once an access attempt has been approved by the button press, the key will generate a unique one-time code (OTP) that’s presented to the service to complete authentication. This happens automatically---keys use standardized protocols such as WebAuthn and FIDO to communicate auth information. As a result, this method is one of the fastest and easiest for users who are prepared to invest in the required hardware.

The major advantages of hardware tokens and keys are twofold:

  • Easy and convenient: Hardware keys simplify authentication and provide a consistent cross-device experience. They’re particularly convenient for desktop users, who can leave their key plugged into a USB port, then tap the button each time they authenticate.

  • Can be used offline: Keys generate security tokens independently of the apps, services, and devices they’re connected to. You can successfully authenticate even when you’re offline, such as by logging in to your operating system user accounts on your devices.

But they also have their disadvantages:

  • Requires extra hardware: Physical keys have to be purchased at a cost, and users can’t be expected to have them. Alternative authentication options should always be offered unless you’re in an enterprise scenario where you can mandate that keys are to be used.

  • Keys can be stolen or lost: Their tiny size means keys can easily be lost. Users need to have spare keys and be provided with recovery options after loss or theft.

Other Methods

Passwordless authentication is also supported by other technologies and standards.

OTPs (one-time passwords) and TOTPs (time-based one-time passwords), for example, are commonly used to implement all forms of passwordless auth, including as standalone factors (such as entering a code from an authenticator app to confirm a sign-in) and internally within mechanisms like hardware keys. These terms refer to unique tokens that can be consumed once to prove a user’s identity. In the case of a TOTP, the token is valid within a specific window of time---typically from thirty to sixty seconds.

The WebAuthn and FIDO2 mechanisms mentioned earlier are also increasing the adoption of passwordless systems. FIDO2 (Fast Identity Online) is a standard designed to support the use of passwordless authentication protocols on the web. WebAuthn is the part of FIDO2 that provides a browser API for interacting with stored user credentials and requesting authentication.

Sites can use passkeys to reliably authenticate users via the passwordless methods they’ve registered on their devices. The user will be automatically prompted to authenticate themselves using one of the available mechanisms, such as scanning their fingerprint or using a hardware key.

Implementing passkey compatibility means sites don’t need to concern themselves with exactly how the user authenticates. The site simply receives a signed result from the WebAuthn API that indicates whether authentication was successful or not. Generally, this makes WebAuthn-based approaches the easiest and most reliable way to add passwordless auth that supports physical factors like biometrics.

Conclusion

Supporting passwordless auth for your services improves security by letting you and your users avoid the problems associated with passwords, such as insecure phrases, reuse, and loss. Passwordless can also reduce UX friction by giving users quicker ways to sign in, such as using the biometric controls available on their devices---although care must be taken to offer multiple options as not all will be suitable for every user.

FusionAuth is a developer-oriented authentication solution that simplifies integrating authentication workflows without having to build them yourself. FusionAuth gives you instant access to passwordless authentication options that let users log in with a magic link or one of the WebAuthn-compatible mechanisms available on their device, such as a biometric scan or hardware key. FusionAuth is customizable, scalable, and available in both cloud-hosted and self-hosted packages.

Get started for free or talk to an expert to start your passwordless auth journey with FusionAuth.