creating security based on passwordless login, not passwords

General Discussion
richb201 (last edited by richb201)

I am using passwordless login for an application where employees enter survey data. Seems to be working, so far :). Not a huge security risk.

On my personal gmail account, I was hit with a "password's leaked" greeting from one of the minor sites I use from Chrome (nothing to do with FAuth). Google informed me that I need to update my passwords on 87 sites. These are not very high security sites for me, but it is a royal "pain in the arse". On the application I am developing, administrators create an account with their email address and their own "private" password. I don't want to risk my application being hacked and losing my users' passwords the same way this minor site did to my password.

So I want to know if there are any security implications in not using a password at all. By that I mean using FA's passwordless login ONLY. When an administrator signs up, they enter their email address and FA sends them a passwordless login email to that email address that is valid for a few minutes. If the user loses access to that email address, then they lose access to their account. No passwords at all. Whoever has access to those emails has access to the system.

Will this plan be a security issue?
richb201

Just found this article on the topic.
https://auth0.com/blog/is-passwordless-authentication-more-secure-than-passwords/

Any thoughts?
dan

Hi @richb201 ,

Are you asking what the security implications are for not using passwords at all?

That's hard to give general guidance on, as that depends on how good users are at keeping their email accounts safe.

In general it's going to be pretty good because people tend to care more about their email accounts and pay more attention to them than some random account they signed up for 6 months ago and haven't checked since.

Also in favor of this is the fact that the passwordless codes are time limited (configurable in the tenant).

But, as I'm sure you can understand, I can't do a thorough security analysis because I don't know the full details of your scenario.

--
FusionAuth - Auth for devs, built by devs.
https://fusionauth.io

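As an added illustration of the flow discussed in this thread (a code emailed to the address, valid for a few minutes, account tied to the email), and not FusionAuth's own code: an in-memory issue/redeem pair in which the code is stored only as a hash (so a copy of the store, the breach scenario raised above, yields no usable codes), expires, and is accepted once. The TTL value, function names and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed lifetime matching "valid for a few minutes"; the real value is a
# tenant setting, not fixed here.
CODE_TTL_SECONDS = 5 * 60

# Constructed in-memory store: sha256(code) -> (email, expiry timestamp).
_pending: Dict[str, Tuple[str, float]] = {}


def _hash_code(code: str) -> str:
    # Only the hash is persisted, so leaking the store does not leak codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(email: str, now: Optional[float] = None) -> str:
    """Create a one-time code for `email`; the caller emails it to the user."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, unguessable
    _pending[_hash_code(code)] = (email.strip().lower(), now + CODE_TTL_SECONDS)
    return code


def redeem_code(code: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the code was issued for, or None if the code is
    unknown, expired or already used. A code is consumed on first use, even
    when that use fails because it expired, so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_code(code), None)
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None


def pending_count() -> int:
    """Number of unredeemed codes in the store (useful for tests/monitoring)."""
    return len(_pending)
```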