Does password authentication really work anymore?
Descope Co-Founder and CEO, Slavik Markovich, has been watching the unravelling problem with traditional password authentication, such as user difficulties and security vulnerabilities, for years.
As a solution, Descope is developing sound passwordless methods, such as magic links, one-time passwords, social login, authenticator apps, and biometric authentication, that are gaining traction due to the rise of open standards and support from major companies like Google, Apple, Microsoft, and Shopify.
In this conversation, Slavik gets straight into the user experience and the solutions we are seeing that work.
M.R. Rangaswami: Why is passwordless authentication picking up steam?
Passwords also cause friction throughout the user journey, leading to churn and a negative user experience. No one wants the cognitive load of remembering unique 16-character passwords for every site or app they access, so they reuse passwords across sites, which is a recipe for disaster when passwords get leaked.
Passwordless methods such as magic links, social login, and authenticator apps have been around for a while. Notable apps like Medium and Slack already use passwordless login, while authenticator apps are used as a common second factor in MFA.
- Passkeys are based on biometrics, which users are familiar with since they already use fingerprint scanning and facial recognition to unlock their phone or other computing devices.
- Passkeys are being adopted by Internet heavyweights such as Google, Apple, Microsoft, and Shopify, who are also taking steps to educate users about the benefits of these methods.
M.R.: What are some examples of passwordless authentication techniques?
Slavik: Passwordless methods verify users through a combination of possession (what they have) and inherence (who they are) factors. These factors are typically harder to spoof and are more reliable indicators of a user’s identity than knowledge factors are.
These examples include:
- Magic links, which are URLs with embedded tokens that – when clicked – enable users to log in without needing a password. These links are mostly delivered to the user’s email account, but can also be sent via SMS and other messaging services like WhatsApp.
- One-time passwords / passcodes, which are dynamically generated sets of numbers or letters meant to grant users one-time access to an application. Unlike passwords, an OTP is not static and changes every time the user attempts login.
- Social login, which authenticates users based on pre-established trust with an identity provider such as Google, Facebook, or GitHub. Using social login precludes users from creating another set of credentials – they can instead focus on strengthening the passwords they already have on their identity provider account.
- Authenticator apps, which operate based on time-based one-time passwords (TOTP). A TOTP code is generated with an algorithm that uses a shared secret and the current time as inputs – this means the code changes at set time intervals, usually between 30 and 90 seconds.
- Biometric authentication, which relies on physical or behavioral traits that are unique to an individual. Biometric authentication checks these traits to grant users access to applications. Popular biometric authentication techniques in use today include fingerprint scanning and facial recognition. Biometrics are used in passkey authentication, which I covered in the previous answer.
M.R.: How do you see this technology evolving over the next several years?
Slavik: I see the evolution of passwordless technologies mostly focusing on education and compatibility in the years to come. The key pillars will be:
- User education: Companies and the industry at large need to continue educating end users about the benefits of passwordless methods and the pitfalls of passwords. There are still common myths about passwordless methods like biometrics (e.g. what if someone steals my biometrics?) that need to be addressed (e.g. your biometrics never leave your device).
- Developer education: Standards and protocols such as OAuth, SAML, WebAuthn, and others that form the basis of authentication mechanisms are complex. It takes developers time to pore over these protocols and implement authentication in their apps. Developers need to be provided with tools and enablement that abstract away the complexity of these protocols and let them add passwordless methods to their apps without lots of added work.
- Compatibility: Passkeys compatibility is a work in progress. Over the coming months and years, more apps, browsers, and operating systems need to support passkeys if a passwordless future is to become reality.
All three points above are interrelated. If user education and developer enablement continue improving, more entities will be incentivized to add passwordless support, and vice versa.
M.R. Rangaswami is the Co-Founder of Sandhill.com