“Remember Myspace? A hacker just put the login information for 360 million Myspace accounts (emails and their passwords) up for sale. These are the accounts of real life human beings who are in many cases are still using these email-password combinations on other websites. And this is the same week that we heard about hackers putting 117 million email-password combinations from LinkedIn up for sale. And 65 million email-password combinations from Tumblr,” wrote Quincy Larson for medium.freecodecamp.org.
After you’ve gone and changed all your passwords, imagine never having to reset a password again, and being more secure — not less secure — because of it.
Here’s how passwordless authentication works in more detail, according to Justin Balthrop from Medium:
- Instead of asking users for a password when they try to log in to your app or website, just ask them for their username (or email or mobile phone number).
- Create a temporary authorization code on the backend server and store it in your database.
- Send the user an email or SMS with a link that contains the code.
- The user clicks the link which opens your app or website and sends the authorization code to your server.
- On your backend server, verify that the code is valid and exchange it for a long-lived token, which is stored in your database and sent back to be stored on the client device as well.
- The user is now logged in, and doesn’t have to repeat this process again until their token expires or they want to authenticate on a new device.
In April, Microsoft announced that it will soon offer new ways to log into cloud services like Microsoft 365 without relying on passwords. “Our analysis indicates that cloud-based user account attacks are up more than 300% over the past year,” says Rob Lefferts, director of enterprise and security for Windows. “Passwords are the weakest link, and they are a source of frustration for users.”
According to TechRadar, the next Microsoft 365 update will support the FIDO 2.0 web authentication standard, the heart of which is Web Authentication (WebAuthn). “WebAuthn lets account holders use something other than a password to verify their identity – whether it’s an app on their phone, a USB hardware key, or biometric data. This could serve as a kind of two-factor authentication, or replace passwords completely. WebAuthn is also coming to Microsoft Edge in the coming months, as well as Chrome and Firefox, making it possible to log into online services without passwords. Apple hasn’t announced when Safari will join in, but has committed to doing so,” added Cat Ellis for TechRadar.
Even Google is taking steps into giving up the password system. At the end of 2015, it confirmed it has invited a small group of users to help test a new password-free way to sign into their accounts. “‘Pizza’, ‘password’, and ‘123456’ — your days are numbered,” a Google spokesperson said in a statement, referring to some of the most common passwords and secret question answers people use.
The new system lets you verify your identity via your smartphone, according to Reddit user Rohit Paul, who first reported the experimental feature. “It works like this: You go to log in to your Google account like normal, but instead of entering your email address and password, you provide just your email. Next, Google will provide a secret code — in Paul’s case, the number 21 — and tell you to look at your phone. The Web giant will then send a message to your phone asking if you’re trying to sign in. If you answer “yes,” you’ll then need to provide the secret code on your phone, and voila, you’re in,” wrote PCMag.
The test works on iOS and Android, and you can still log in with your regular typed password if you prefer, Google said. Aside from being way more user friendly than passwords, the new system can help protect against phishing schemes designed to trick users into unknowingly handing their personal details to hackers.
Still in 2015, Yahoo in October updated iOS and Android apps with a new authentication system that uses push notifications to verify you. The blogging site Medium launched a similar system in June that lets you sign in using just an email address.