In December 2014, I published Would You Implement Passwordless Login? It expanded on articles such as Justin Balthrop's Passwords are Obsolete and Ben Brown's Is it time for passwordless login? The Passwordless project for Node.js has inspired others, including options for PHP and Ruby.
I mentioned considering passwordless authentication for a client project. I'm pleased to say it's been operating for several months and has been a revelation. More about that shortly -- but first, let's recap …
What is Passwordless Authentication?
We're using the same authentication methods devised at the dawn of the web. Unfortunately, passwords are increasingly broken:
- People rarely create strong passwords. Surveys report that one in ten accounts uses something from the top twenty most popular passwords. "123456" is used by more than 4% of accounts; "password" remains the second most-used.
- People use the same terrible password on multiple sites. If you happen to crack someone's Facebook login, you can probably access their PayPal account. Your single password is only as good as the security of the weakest system you use.
- Corporate hacks are increasingly common and attract mainstream media interest. It's an easy route to make a name for yourself, exact revenge or indulge in blackmail. Few companies are prepared for acts of cyber-terrorism and, despite the usual claims of "sustained sophisticated attacks", many breaches are simple SQL injections caused by poor development techniques.
- From a coding perspective, authentication is tedious and mistakes are made. Checking credentials is the start of your problems: you need to ensure there are no cracks in security, hash strings using strong (and slow) algorithms, allow users to reset forgotten passwords and answer support calls from confused users who are seemingly unable to remember or type a short string correctly.
- Alternative solutions such as biometrics or OAuth depend on hardware or suitable social media accounts. Few sites implement them well, and they still need to fall back to email/password methods for some users.
Continue reading: Why Passwordless Authentication Works
by Craig Buckler via SitePoint