Passwordless Authentication

Traditional authentication mechanisms primarily relied on usernames and passwords to verify users. Even today, many applications rely on usernames and passwords. Despite their simplicity, these systems are prone to breaches, vulnerabilities, and phishing attacks. With modern threats escalating, these methods are proving inadequate, necessitating better alternatives. 

Passwordless authentication addresses these challenges by offering a more secure and user-friendly means of authentication. Technologies like biometric authentication, hardware tokens, and magic links eliminate vulnerabilities associated with traditional password-based systems.

In this section, we’ll review passwordless authentication and various associated techniques.

Overview

Passwordless authentication verifies a user’s identity without using passwords, replacing them with more secure methods like biometric recognition, time-based codes, security tokens, or physical devices. These authentication methods resist common attacks like credential stuffing and brute-force attacks. They rely on cryptographic keys or personal possessions, thus reducing vulnerable points in the authentication process.

The increased security strengthens user trust, leading to higher engagement and satisfaction— thus positioning passwordless authentication as the new industry standard.

It offers several advantages over traditional password-based authentication mechanisms:

  • Enhanced security: Eliminates risks associated with weak or reused passwords, resisting phishing and related attacks.
  • Improved user experience: Users don’t need to remember complex passwords, making the login process faster and consistent across devices.
  • Scalability: Easier to manage across large user bases compared to traditional username-password mechanisms. 

There are different types of passwordless authentication, which we’ll discuss in the following sections.

Launch enterprise SSO in hours
Scalekit is free for non-production environments

Types of Passwordless Authentication

Depending on your requirements, there are various ways to implement passwordless authentication. Each relies on different technologies and security principles, but all aim to verify a user’s identity without traditional passwords. 

Magic Links

Magic links are SMS or email-based authentication methods that allow users to access an application using a time-based, unique URL. Users input a valid email or phone number and receive a unique URL with an authentication token granting access to the application.

How it works

  1. The process begins when users enter their email address into the login interface. This triggers a request to the authentication server.
  2. Upon receiving the request, the server generates a unique secure token and stores it in a database or cache associated with the user's email and a timestamp.
  3. The server constructs a URL that includes the token - for example, https://example.com/auth?token=a1b2c3d4e5f6g7h8i9j0.
  4. The server sends an email containing the magic link to the user's address. 
  5. When the user clicks the link, their browser sends a request to the specified URL, including the token.
  6. The server receives this request, extracts the token from the URL, and validates it. If the token is valid, the server considers the user authenticated. It marks the token as used, creates a session for the user, and generates session cookies.
  7. The server redirects the user to the application.
Diagram showing the Magic Link flow, where a user requests access, receives a link via email and clicks it to log in securely without a password.
Magic link - Passwordless authentication flow

Simply put, magic links work like password resets. However, instead of verifying the user’s email address or phone number to create a new password, they provide direct access to the website or application. Various types of magic links can be implemented, each with unique features.

  • Single-Use Magic Links: These links can only be used once for a specific login session, enhancing security by preventing multiple uses or unauthorized access.
  • Time-Bound Magic Links: These links have an expiration time set by the authentication server, ensuring users authenticate within a specific timeframe for enhanced security.
  • Device-Dependent Magic Links: These links are tied to a specific device, ensuring only authenticated devices can use the magic link for login purposes, adding an extra layer of security.

Key Considerations

Businesses are integrating magic links because they are faster than traditional passwords, resistant to credential attacks and password fatigue, and can quicken onboarding, conversion, and user experience. However, they have some drawbacks, including:

  • Email Deliverability Issues: Deliverability can be affected by network delays and server issues.  Delays in receiving the link can lead to user frustration and impact the seamless authentication process.
  • Risk of Identity Fraud: If attackers intercept the magic link, they could gain unauthorized access to the user accounts, posing a significant security risk and highlighting the importance of secure and timely delivery of magic links.
  • Spam Filters: The link may end up in spam folders, which may cause the user to miss it, leading to delays.
  • Restricted Admin Visibility: Outside of controlled corporate networks, administrators can’t see into email accounts that receive their company's magic links, limiting their control and visibility over the process. 

Biometrics

Biometric authentication leverages physical characteristics like fingerprints, face scans, Iris scans, voice, etc., to verify a user's identity. Unlike passwords or PINs, which are based on something you know, biometrics are based on something you are - physical or behavioral traits that are difficult to replicate or forge. Many users today use fingerprints or facial recognition to unlock their smartphones.

Biometric authentication enhances security and user experience simultaneously, providing a seamless authentication process while offering a high degree of assurance that the person is who they claim to be.

How it works

  1. User Enrollment: The user provides biometric data, which the system processes and stores securely as a template.
  2. Authentication Attempt: The user presents their biometric data, such as fingerprints.
  3. Data Processing: The captured data is processed, and features are extracted to create a new template.
  4. Template Matching: The new template is matched with the stored template to calculate similarity.
  5. Authentication: If the similarity exceeds a specific threshold score, the user is successfully authenticated.
Diagram illustrating the Biometric Passwordless Authentication Flow, where a user verifies their identity using biometrics, such as fingerprint or facial recognition, to gain secure access without entering a password.
Biometric - Passwordless Authentication Flow

Key Considerations

While using biometrics provides a frictionless user experience, organizations must consider several things before implementing them.

  • Security & Privacy: Biometric data is extremely sensitive and requires robust protection and security mechanisms to avoid unauthorized access.
  • Accuracy: Biometric systems must balance false acceptance and rejection rates  as environmental factors and physical changes of the person can affect the accuracy.
  • Fall-back mechanism: Not all users may be able to provide certain biometric information, and hence, a backup authentication mechanism must be in place.

Passkeys

Passkeys are a new approach to passwordless authentication,  offering a secure and user-friendly alternative to traditional methods. Developed by the FIDO alliance and WebAuthn, passkeys use public key cryptography to provide secure authentication. They authenticate users across applications by combining public-key cryptography along with one biometrics, a screen lock PIN/pattern, or other security tokens.

How it works

  1. Passkey Setup: The user initiates passkey setup, and the device generates a public-private key pair. The public key is sent to the service, while the private key is securely stored on the user’s device.
  2. Authentication Attempt: The user attempts to access the service, which sends a challenge to the user’s device. The device prompts the user for local authentication (fingerprint, PIN, etc.).
  3. Response: Upon successful local authentication, the device signs the challenge with the private key and sends it back to the service.
  4. Verification: The service verifies the signature using the stored public key. If the verification is successful, the user is authenticated and granted access.
Diagram showing the Passkeys Passwordless Authentication flow, where a user authenticates securely using passkeys stored on their device, eliminating the need for passwords.
Passkeys - Passwordless Authentication

Key Considerations

Though passkeys provide significant advantages over traditional mechanisms regarding security and user experience, their implementation comes with some important considerations. 

  • Device Security: The security of passkeys depends on the security of the user’s device. Hence, strong local authentication methods are needed.
  • Compatibility & Adoption: Adoption requires support from service providers and device manufacturers and backward compatibility with traditional mechanisms.
  • Account recovery: What if the user loses the device? Well-thought-out account recovery options must be in place for such scenarios.

Push Notifications

Push notifications are another type of passwordless methods that leverage mobile devices to authenticate users. A real-time notification is sent to the user’s registered device, prompting them to approve or deny the authentication request. Upon approval, the user gains access to the application. This method enhances security by ensuring the user has the device during login, reducing phishing attack risks. 

How it works

  1. Device Registration: The user registers their device with the service, which provides a unique device identifier.
  2. Authentication Attempt: The user attempts to log in to the service using a web app.
  3. Notification: The service generates a unique authentication request sent to the device via a push notification.
  4. User Approval: The user receives the notification on their device and taps on approve to approve the request.
  5. Response: The device sends the response to the service, which verifies it.
  6. Access Granted: The user is granted access if the response is valid. Otherwise, access is blocked.
Diagram illustrating the Push Notifications Passwordless Authentication flow, where a user receives a push notification on their mobile device to approve and securely log in without using a password
Push Notifications - Passwordless Authentication

Key Considerations

Due to the involvement of external devices in the authentication flow, some crucial things need to be considered while implementing push notifications. 

  • Device Dependency: Since this method depends on an external device, backup methods should be available if the user can’t access the device.
  • Device Security: The user’s device must also be secured since the authentication process can lead to a threat if the device is compromised.
  • Network Dependency: Push notifications depend on network availability and their delivery can be impacted by delays and failures that affect the user experience. 

One-Time Passcodes (OTP)

Another popular passwordless authentication mechanism is one-time passcodes (OTP), providing users with a single-use code to verify their identity. This secure approach generates a unique code for each login attempt, significantly reducing the risk of credential theft. Some services send you a 6-digit code that is valid for a few minutes. Users can prove their identity and gain access by entering this code, making the process convenient and secure. 

How it works

  1. Device Registration: The user registers/configures their device to receive OTPs.
  2. Authentication Attempt: The user attempts to log in to a service, and the service triggers an OTP using algorithms like HOTP or TOTP.
  3. OTP Delivery: The OTP is delivered to the user via a pre-configured channel (SMS, Email, etc.).
  4. User Entry: The user receives the OTP and enters it into the service.
  5. Validation: The service validates the OTP for correctness and validity. If it is valid, the user is granted access.
Diagram showing the One-time Passcodes Passwordless Authentication flow, where a user receives a one-time code via SMS or email to log in securely without a password.
One-time Passcodes—Passwordless Authentication

Key Considerations

Implementing OTP for your authentication flow requires integrating multiple services and considering the security and delivery methods. As B2B organizations adopt OTP authentication mechanisms, they must carefully balance security, user experience, and operational efficiency. Below are some key points to consider.

  • Delivery Method Security: Delivery of OTP via SMS and Email can be vulnerable to interception. Authenticator apps, such as Google Authenticator, provide a more secure alternative.
  • Time Sensitivity: Due to network connectivity, the user may be frustrated if the OTP is delayed. OTPs generally have a very short lifespan. Balancing security and user experience is critical. 
  • Prevent Brute-force Attacks: Measures must be in place to protect the account from brute-force attacks. Consider locking out the account after multiple failed attempts.

Authenticator Apps (TOTP)

Overcoming the delivery concerns of OTPs, authenticator apps provide a better alternative by generating time-based one-time passcodes (TOTPs) directly on the user’s device. These apps provide an additional layer of security by generating constantly changing codes, making them foolproof. These apps are becoming increasingly popular for both personal and enterprise use across services. 

How it works

  1. App Installation: The user installs an authenticator app on their mobile device. The service provides a secret key or a QR code that the user enters/scans using the authenticator app, which stores the key securely on the user’s device.
  2. TOTP Generation: The authenticator app uses the stored key and the current timestamp to generate a TOTP, typically a 6-digit code that changes every 30 seconds.
  3. Authentication Attempt: The user tries to access the service, which prompts for the current TOTP.
  4. User Entry: The user opens the authenticator app, retrieves the latest TOTP, and shares it with the service.
  5. Validation: The service generates its own TOTP using the stored key and compares it with the user-entered code.
  6. Access Granted: A match within the time window authenticates the user, granting them access to the service.
Diagram illustrating the Time-based One-time Passcodes (TOTP) Passwordless Authentication flow, where a user generates a time-sensitive code on an authentication app to securely log in without using a password.
Time-based One-time Passcodes - Passwordless Authentication

Key Considerations

Authenticator apps make authentication flow smooth and secure. However, several factors can impact the technical implementation and the user experience. This requires careful consideration from B2B service providers and end-users. The following points highlight the areas you must consider.

  • Device Dependency: Authentication relies on the TOTP generated by the authenticator app on the user’s device. Backup methods must be available in case of device loss or failure.
  • Integration Complexity: Adding authenticator app support requires changes to the service’s authentication infrastructure and properly implementing the TOTP algorithm.
  • Time-drift Handling: TOTP relies on time synchronization between the app and the server. Mechanisms must handle minor time discrepancies to prevent authentication failures
Launch enterprise SSO in hours
Scalekit is free for non-production environments

Implementing Passwordless in B2B Applications

Large-scale B2B organizations often have complex hierarchies, stringent regulatory requirements, and legacy systems. Thus, it is vital to adopt new methods of securing applications without compromising security and convenience. This section outlines strategic and practical steps for B2B applications to successfully implement and transition to passwordless authentication. 

  • Requirement gathering: Identify the requirements of your B2B application and choose a passwordless authentication method that matches them. Ensure your chosen method is compatible with your existing infrastructure and client requirements.
  • Choose an authentication provider: Choose an authentication provider that meets your security requirements and integrates well with your chosen passwordless methods. Integrate your B2B application with the provider and obtain the necessary credentials.
  • Implement authentication flows: Modify your application to initiate and handle passwordless authentication processes. Implement different handlers for authentication methods, such as passkeys and magic links.
  • User enrollment management: Develop and implement the process for enrolling B2B clients for all authentication-related flows and devices.
  • Session Management: Implement session handling mechanisms to maintain the user’s authentication state with your application securely.
  • Client-side security: Since most passwordless authentication mechanisms involve external devices, you must implement device health checks and attestation for enhanced security. 
  • APIs & SDK Development: Create APIs and provide SDKs to allow your B2B partners and clients to integrate passwordless methods seamlessly into client applications. 
  • Error Handling and Logging: Robust error handling and logging mechanisms should be implemented for troubleshooting and auditing.

The exact implementation details will vary depending on the passwordless method you choose, the tech stack, the framework, etc., but the core principles remain the same.

Passwordless authentication is a significant leap in security and user experience. These methods, from OTPs and biometric authentication to push notifications and authenticator apps, provide robust alternatives to traditional password-based authentication. 

For B2B organizations, the transition to passwordless authentication may represent opportunities and challenges, and hence, it requires careful planning and implementation. Embracing these approaches will help organizations enhance their security posture and streamline user interaction.

In the next section, we’ll look at OAuth2.0 and learn how it simplifies logging into multiple applications using a single set of credentials.

Launch enterprise SSO in hours
Scalekit is free for non-production environments
Launch enterprise SSO in hours
Scalekit is free for non-production environments
Launch enterprise SSO in hours
Scalekit is free for non-production environments
Launch enterprise SSO in hours