Passwords kind of suck. For them to be at all secure they have to be at least 8 characters long, use 3 different types of characters and not be anything too relevant to you (think birthdays or kids' names). That will slow down a brute force attack by a bit.
On top of that, you should not use the same one for all your accounts in case one of them is breached.
Then to combat having to remember 23982 passwords, you use a password manager to log all your different passwords. But that's a hassle to keep up to date; after a while you get lazy about it, it fills up with outdated information and becomes useless.
And that's only if you actually care about security. Most people don't. Believe it or not, 'password' is the second most used password. I mean, you can probably log into your neighbor's router right now with 'admin' 'admin'.
They are just not very user friendly.
Thankfully there is lots of awesome stuff going on at the moment with authentication, making it easier and safer at the same time! Social sign on, passwordless login, apps like Google Authenticator/Auth0 and of course biometrics, just to name a few. The one I wanted to look at today is passwordless login using email or SMS.
On my latest project, we have been using passwordless since day one, building our whole sign-on/onboarding process around the idea of not needing a password.
Basically, the user types in their email address, seconds later they receive an email with a one-time, time-sensitive link to click, and they are returned to the app and signed in! So simple! All you have to do is remember which email you used.
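To make the "one-time, time-sensitive link" concrete, here is an added example (not code from the project this post describes) of the server side of that flow: a token is issued per login request, only its hash is stored with an expiry, and redeeming it consumes it. The 15-minute lifetime, the in-memory store and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a link is valid for 15 minutes


class MagicLinkStore:
    """In-memory stand-in for a database table of pending login links.

    Only a SHA-256 hash of each token is stored, so a leaked table cannot be
    replayed as working login links. `now` is injectable so expiry is testable.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now
        self._pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh single-use token for `email`.

        The caller puts it in the emailed link; the raw token is never stored.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = (email.lower(), self.now() + self.ttl)
        return token

    def redeem(self, token):
        """Return the email for a valid token, or None.

        The entry is removed on every attempt, so a token works at most once,
        and an expired token is discarded rather than left lying around.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None  # unknown, already used, or tampered with
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # link arrived too late
        return email


def build_login_link(base_url, token):
    """Assemble the URL placed in the email; the path is an assumed route."""
    return f"{base_url}/login/verify?token={token}"
```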
This obviously has good and bad points and in some cases, this method is simply not a good approach. But for a lot of apps, it can be a fantastic solution and create an awesome sign in experience for your app.
It’s so simple. Out of all the testing I have done with it, people just seem to get it. People are already used to having to verify their email address. This way it just skips the other steps that are not needed. It’s just a better flow.
It relies on the email provider's security and services. This is especially great if you are a smaller start up with limited resources. It's just fewer things to manage and secure. No more lost passwords. The bigger providers have algorithms and services to detect suspicious logins and other security breaches.
This approach relies on common services that most people already use. Biometric scanners or custom authentication apps are not always available to the user so people end up using the password method anyway. Just about everyone has an email address or a phone number. One thing to note is that SMS is not as secure as most email services (read more here: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/).
The fewer passwords the better. As I mentioned above, people usually don't take passwords very seriously. Most people have a less than inventive password that is used for all their services. At least in the case of a breach, people would only need to change one password to protect everything again, instead of trying to remember all the services they use and which ones share that password, then going through and changing them one by one. People just give up. Many people actually don't bother remembering and just use the 'I forgot my password' link each time, which is essentially passwordless login… with passwords.
It can be a bit of a hassle to have to verify your email each time if the app cannot stay logged in. It’s great for mobile apps and some websites, where you can maintain the logged in status between visits, but having to open your email each time to use the app is probably a bit much.
Custom domain email addresses. This can be a bit tricky. If the user forgets to renew their custom domain and loses their email, they have potentially lost access to your app as well. This can be fixed with recovery addresses etc.
Email accounts hacked/hijacked. While this is bad news for passwordless, the fact of the matter is, it's bad news for apps with passwords as well. A quick 'I forgot my password' reset and off they go with your account.
Sometimes you cannot access your email. Some work environments that block access to personal email, for example, could cause a problem for some users. Although, it's usually just suggested that the user forwards the email to their work account to access the link.
The UX of passwordless logins for apps can be awesome if done right. It still has its vulnerabilities, but so does everything else. My experience with it so far has been awesome and has made the whole login process for our app so much simpler.
As for implementation, there are a number of ways to do it and it's best to spend a bit of time looking into all the options and work out what is best for you.