Auth & identity
September 16, 2021
Author: Stytch Team
Thanks to new tools and technologies, passwords are finally being replaced with more secure and convenient passwordless authentication flows like email magic links, SMS passcodes, OAuth logins, push notifications, and biometrics. These modern strategies enable developers to choose the most appropriate authentication options for their use case and user base.
One recent survey found that 75% of users feel overwhelmed trying to keep track of their proliferating passwords. A separate survey found that the majority of respondents would prefer authentication methods for their personal and professional accounts that don’t involve a password—users are increasingly interested in going passwordless, but as a developer, it can be hard to know what passwordless authentication flow is right for your application.
The old refrain is that there’s a tradeoff between security and usability, but that no longer applies to authentication — removing passwords can boost both security and the user experience. 81% of all internet breaches involve weak or stolen passwords, which is why the Open Web Application Security Standard (OWASP) now recommends that all passwords should be considered to be “pre-breached”.
As you begin designing your authentication flow, there are a myriad of passwordless options to consider due to recent innovations in authentication technology. In this guide, we examine many of the common passwordless methods to help you choose the right solution for your application. With each option, we’ll consider how the user experience, security, ease of implementation, and accessibility measure up, with the aim of striking the ideal balance between protection and ease of use.
While passwords have historically been the most common way to authenticate users, innovations over the past 15 years have yielded new authentication types that improve security and usability.
Historically, the dominant choice for authenticating users has been to have them demonstrate possession of secret knowledge (think passwords and PINs). This is the something-you-know authentication factor, and it presents many security and UX challenges.
Over the last decade, however, the rise of programmatic SMS/email, hardware keys, biometrics, and other authentication factors has created two new authentication categories:
As a result of these innovations, we’re seeing major shifts in how companies choose to onboard and log in users.
These new factors open up new UX possibilities, but they can also be a challenge for teams as they consider how best to tailor each to users’ individual, situational needs without compromising on protection or usability.
Each factor presents different tradeoffs. Let’s consider the relative advantages of each method of passwordless authentication, starting with those under the something-you-have umbrella.
Designed with mobile phone/device owners in mind, short-messaging service (SMS) passcodes allow users to log in to applications using their phone numbers.
When a user requests access to an application or website, an authentication flow texts a one-time, numeric code to their device, which they can then enter—instead of a password—to log in. Thanks to the prepopulating, “autofill” feature on Android and iOS, users do not even need to enter the string manually.
While SMS passcodes are a great fit for many applications, they do carry their own unique risks. For certain high value accounts such as cryptocurrency wallets, fraudsters will go to extensive lengths to try to convince cellular networks to allow them to steal a legitimate user’s phone number. While this is a real risk, the effort and cost involved for fraudsters to mount this attack is significant, involving careful curation of an individual’s sensitive personal information and sometimes even outright bribery — the difficulty involved in this attack is why it’s primarily been targeted at very high-value accounts like Coinbase wallets.
The response to this small risk should not be to discard SMS passcodes entirely. Instead, you should consider the value of the account you’re protecting and choose your passwordless options and any multi-factor authentication requirements accordingly. Large fintechs like Square Cash and Revolut effectively use SMS passcodes to protect even high value accounts by layering other 2FA methods alongside it such as biometrics or PINs.
Put simply, magic links let users log in to an application or website by entering a registered email address, clicking once on a submit button, and receiving a “magic” URL in their inbox, by clicking on the link they can instantly authenticate and log in. This action establishes that they have access to the email inbox. One click is all it takes to log in.
Email magic links can:
By requiring users to prove they actually have the device they are using to access a website, applications like Google Authenticator provide an extra level of security for critical and highly sensitive services. Differing from SMS passcodes, this type of passwordless authentication asks users to confirm control of their device within a certain time frame rather than requesting a phone number to gain access, which avoids the sim swapping vulnerabilities present with SMS.
Authenticator app passcodes:
Push authentication is a passwordless method that asks users to authenticate through notifications sent to an app on their mobile device. The one-tap feature enables users to quickly approve a notification, thereby gaining instant access to an application or website. They can just as easily reject a notification they do not recognize or one they did not initiate, which prevents unwanted parties from accessing secure content.
Another authentication solution that lets users avoid the traditional password, WhatsApp passcodes enable users of the popular messaging app to log in to secure applications from anywhere, at anytime. By integrating your authentication flow with WhatsApp, you can leverage a network of more than three billion existing users.
OAuth logins—which leverage industry standards like OAuth 2.0 and OpenID—help engineers easily integrate single sign-on options from popular social platforms and other third-party providers (e.g. Apple sign-in).
The something-you-are category of authentication includes biometrics, including voice and facial recognition, and fingerprint scans.
You were likely first introduced to the concept of biometric authentication on your mobile devices when iOS and Android introduced the concept of fingerprint and facial recognition for native applications built on top of their operating systems. This method has become a popular way for banks, brokerages, and other sensitive applications to layer low-friction step-up authentication into user workflows.
In the something-you-are category of authentication are biometrics, including voice and facial recognition, fingerprint impressions, and iris scans. WebAuthn (aka “Web Authentication”) falls partially under this umbrella, though it also supports something-you-have authentication methods like hardware keys as well. This passwordless authentication solution allows desktop and mobile browsers to verify users with built-in device biometrics as well as distinct, specialized hardware keys like YubiKey.
The above authentication methods detail how you can prove who a user is — however, once a user has been successfully authenticated, you’ll likely want do a few things:
Most of the above boils down to session management and how you manage your user’s logged-in experience. Session management regulates interactions between web-based applications and individual users. Stytch Sessions allow your users to easily implement sessions in a way that provides fine-grained control.
Designing an authentication flow can seem overwhelming given the UX and security issues involved. When we help developers think through what’s right for their authentication flow, there are three main questions we ask (you can always join our Slack community for more guidance):
There’s a big difference in the level of authentication you need if you’re a fintech/healthtech app, for instance, versus a news digest app.
For more sensitive applications like fintech + healthtech, we frequently recommend multi-factor passwordless authentication, which allows you to both balance UX and security. Square Cash, Monzo Bank, and Revolut are great examples of companies that weave together multiple passwordless options in order to protect their users.
Conversion rates vary across these channels. For instance, SMS one-time passcodes perform extremely well on mobile due to their autofill capabilities but create slightly more friction on desktop than email verification. Companies that Square Cash and Hippo Insurance provide users with the option to choose what’s most convenient for them.
Some teams are hesitant about moving to passwordless authentication until we ask this question. Then they realize that they already allow users to log in without a password. The majority of reset password flows only require a user to demonstrate ownership of an email address or phone number—making them essentially passwordless. If you require a user to supply additional information during a password reset (e.g. some banks require the last 4 of your SSN), this can help in determining what level of user authentication you deem sufficient in allowing users to access your application.
At Stytch, we worry about authentication so that you don’t have to. If you want to discuss your specific authentication needs, sign up for a free account and chat with our team.
If you’d like to dive deeper into the topic of authentication, you can join the Stytch Slack community here.