Passwordless logins are the most secure login method if you don’t like creating complex passwords and changing them every few months. And you’d only need to set it up once. No more forgetting passwords or writing them down on paper.
But how do passwordless logins work? And are they secure and private?
What Are Passwordless Logins and How Do They Work?
Passwordless logins are an identity authentication method that allows you to access online platforms, accounts, and computer systems without needing a password.
A passwordless login can be something you have on you, like a USB key. It can also be your biometrics; for example, your fingerprint or face. Some passwordless logins operate on the basis of a code or link you receive in real-time, such as an SMS or email.
With traditional passwords, the website or device you’re trying to log into has a copy of your password. When you enter your login credentials, they’re compared to what’s stored on the company servers and it only let you in if there’s a match. But that’s where the issue with traditional passwords arises.
You’re always told to keep your passwords secure by not writing them anywhere and by using a password manager with end-to-end encryption. But websites you log into using your password also store it, meaning a data breach or leak could expose your most secure passwords, especially if they’re not encrypted.
Passwordless authentication is different. When it comes to authentication codes or links, the website only knows your email address or phone number. They send you a temporary, one-use link or code to sign into your account. If there’s ever a data breach, only your email address or number gets leaked, but nothing else.
Passwordless Logins vs Two-Factor Authentication (2FA)
The two concepts have some similarities but shouldn’t be confused with one another. 2FA still relies on a password. If the password is weak or compromised, half of the hacker’s work is already done for them.
That leaves the security of your account dependent on the second method of authentication. This ranges from SMS messages 2FA—which hackers can easily bypass—and one-time passwords (OTP) generators to biometrics and physical keys.
Passwordless logins remove the weak half of the 2FA process by forgoing passwords altogether. They rely completely on the second method of login, offering various levels of security.
What About Facial Recognition?
You might be thinking, what about facial recognition? Is it secure? And am I sacrificing my privacy by using it?
Face ID works differently from passwords.
Face ID logins, such as the ones iPhones use, don’t just take a picture of your face. Your iPhone camera captures your face as data, analyzing over 30,000 invisible dots the software projects on your face to create a pattern that is unique to you.
Every time you show your face to the front-facing camera, your phone analyzes the pattern it’s perceiving and determines whether it’s similar enough to the face of its owner.
Now, this sounds awfully similar to how traditional passwords work. The only exception is that your face and other biometrics are stored on your device. Otherwise, you won’t be able to access your phone without an internet connection. However, that doesn’t automatically mean using Face ID to log in is private.
Different companies have different privacy policies. If you’re concerned about your privacy, treat it as if you were giving away your phone number or credit card information. Read through the company’s privacy policies and make sure they don’t use your data in any way you don’t approve of.
Are Passwordless Logins Secure?
Privacy and security aren’t synonymous. For example, using a weak password but not writing it down or telling it to anyone is a private password, but it’s not a secure one. The same applies to passwordless logins.
Passwordless logins can sometimes offer more security than passwords, but other times, less, depending on the circumstances. For example, if you lose your phone or laptop, and someone manages to bypass the device’s lock, they can now log into any website or account that uses passwordless authentication because they have access to your email and text messages.
Alternatively, if you use passwordless authentication to secure your accounts, hackers can’t guess your password because there isn’t one.
They also won’t be able to perform brute-force attacks or find your logins in a leaked database. In order to avoid the first scenario, it’s critical that the device or account that you use in passwordless authentication is as secure as possible.
What About Biometrics?
With passwords, you can make them secure and store them somewhere safe. But what about biometrics? Are you revealing your “password” every time you post a high-definition selfie online or touch things without wearing gloves?
Whether Face ID can be fooled or not depends primarily on how good the facial recognition software is. In 2018, a 3D-printed face was used to try and trick the iPhone’s Face ID lock but it failed while its Android counterpart didn’t.
Additionally, Apple’s Face ID is attention-aware. Your phone can recognize whether your eyes are open and if you’re looking at the camera or not. That ensures no one unlocks your iPhone without your permission, even in your sleep.
The same applies to voice recognition and fingerprints. No technology is 100 percent secure. However, some are more secure than others, depending on how much work the company puts towards security.
If your device, regardless of brand, supports biometric passwordless logins, do a quick Google search of incidents where people were able to bypass the lock. That way, you can evaluate its levels of security before trusting it to your phone or laptop.
The Future of Passwordless Logins
Passwordless logins are the future, but they’re not the present.
While a lot of companies are pioneers in the field, offering fairly secure passwordless authentication options for their users, it’s still not widely used. Until all the websites you use regularly switch to passwordless logins, you should stick to password managers and strong 2FA.
Many services point out the benefits of passwordless logins, but are they really more secure? Are they even realistic?
About The Author