The new passwordless game

October 29, 2024

Alright, so here we are at the end of 2024, and passwordless is becoming the new norm: passwords — those frustrating strings of letters, numbers, and weird symbols — are finally on their way out (kinda). Anyone else tired of having to remember if they capitalized the second letter of their first pet’s name? Or worse, the anxiety of whether that familiar password will work on yet another new website? Yep, me too. And here’s the good news: passwordless tech is making these struggles a thing of the past.

I mean, think about it: how many times have you used “forgot my password” links this year? I can’t even count anymore. That’s why it’s such a relief that we’re moving towards a world without traditional passwords. So let’s break down what passwordless actually means, why it’s replacing both old passwords and systems like OAuth and SSO, and why this shift is so crucial for all of us.

Passwords: Why We’ve Had Enough

Let’s start with a fact: the idea of passwords was fine back in the early internet days, but it just doesn’t hold up now. Years ago, having a password was a quick, simple way to keep things secure. But then, suddenly, every site wanted you to make a “unique” password. Then add a special character. Then don’t use the last one you just created… It's exhausting, right?

And as much as we might try, most of us just end up reusing the same password variations. Because who has the time to remember a hundred different random combinations? The sad irony here is that the harder we try to make passwords strong, the easier they actually become for hackers to crack — complexity rules push people toward predictable patterns (capital letter first, digits and a symbol at the end), and attackers mine stolen password databases for exactly those patterns. Password managers were supposed to help, but to be honest, they’re just another app you have to remember to open!

🤔

Isn’t it wild that for years, the tech industry kept adding more hoops for us to jump through to “secure” passwords, yet they kept getting easier to hack? Turns out, this entire “make it stronger” trend wasn’t as foolproof as we thought.

So, What’s Passwordless All About?

Passwordless basically means saying “goodbye” to remembering passwords and instead relying on something more reliable to prove that it’s you. This could be a face scan, a fingerprint, or even a device you already trust, like your phone or a security key. These are things that are a lot harder to steal or guess, making them much more secure than any password you or I could dream up.

Imagine this: instead of trying to remember whether your current password is “Fluffy@123” or “Fluffy123!,” you can just use your fingerprint or face to log in. Done. No fuss, no mess. And here’s the best part — this approach is usually faster and way more secure.

How Passwordless Actually Works

It all boils down to three kinds of “proofs” to show that you’re really you:

  1. Something you have - like your phone or a security key.
  2. Something you are - like a face scan or fingerprint.
  3. Something you know - like a simple PIN.

So instead of just one method (your password), you’re using two or more of these things together, which is what we call multi-factor authentication (MFA). It’s like the security guard at the door asking for a couple of IDs instead of just one — it’s a lot harder for anyone else to fake being you.
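As an added illustration (not from the original post), here is the challenge-response pattern behind the “something you have” factor, in the style used by passkeys and FIDO2 security keys: the server stores only a public key and verifies a signature over a fresh one-time challenge, so a stolen server table contains nothing to guess or replay. The Server, Register, BeginLogin, FinishLogin and DeviceSign names are my own for this sketch, and the device’s PIN or biometric unlock is assumed to happen before DeviceSign is called.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server-side state: only public keys are stored, so a leaked copy of this table is useless to an attacker, unlike a table of password hashes.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // registered device key per user
	challenges map[string][]byte            // outstanding one-time challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key; the private key never leaves the device (phone secure element or security key).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = pub
}

// BeginLogin hands out a fresh random challenge, valid for a single attempt.
func (s *Server) BeginLogin(user string) ([]byte, bool) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, false
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, false
	}
	s.challenges[user] = c
	return c, true
}

// FinishLogin accepts only a signature over the outstanding challenge and then
// consumes that challenge, so a captured signature cannot be replayed later.
func (s *Server) FinishLogin(user string, challenge, sig []byte) bool {
	want, ok := s.challenges[user]
	if !ok || string(want) != string(challenge) {
		return false
	}
	delete(s.challenges, user) // one-time use, whether or not the signature verifies
	return ed25519.Verify(s.pubKeys[user], challenge, sig)
}

// DeviceSign is the "something you have" side: signing the challenge proves possession of the private key without ever transmitting it.
func DeviceSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
```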

The Extra Layer of 2-Factor Authentication (2FA)

Now, if you’ve ever enabled 2FA (two-factor authentication) for an account, then you’re already familiar with the principle. It’s all about having that second proof of identity — so even if someone did manage to guess your password, they’d still need another piece of info to log in. In traditional systems, 2FA adds an extra layer of security, often in the form of a one-time code sent to your phone, an email, or a separate authentication app.

Passwordless authentication can actually work with 2FA too. Many passwordless logins will still ask for a second authentication factor like a PIN or a quick tap on your phone. Here’s where it differs, though: instead of relying on your password as one of the factors, you’re using something more secure, like your biometrics. This combination — usually called multi-factor authentication — means you have two proofs of identity that are much harder for hackers to break through.

So, in a way, passwordless is the next evolution of 2FA. It keeps the idea of “two layers of security” but gets rid of the weakest link: passwords.

What About Single Sign-On (SSO)?

SSO, or Single Sign-On, has been a lifesaver for those of us who just want to click “Sign in with Google” or “Sign in with Facebook” and get into our accounts without typing in new credentials. The principle of SSO is simple: you authenticate once with a trusted provider (like Google or Microsoft), and then you can access other sites without needing to log in each time.

But here’s the catch: even with SSO, passwords are still in the background. When you use Google or Facebook to log into another service, you’re relying on the security of that original password on Google or Facebook’s system. So, if someone gets hold of your Google or Facebook password, they have access to everything else you’ve signed into with SSO.

Passwordless tech could potentially enhance SSO by removing the need for a password altogether. Imagine an SSO system that’s linked to your biometrics or a security key instead of a password. This means you’d authenticate once, say with a fingerprint or face ID on your trusted device, and that trusted login would carry over across services, without relying on a traditional password behind the scenes.

This approach could make SSO even more secure. By combining SSO with passwordless methods, we can create a world where we log in once with a truly secure method and then stay logged in across all our connected services without fear of password theft.

🔍

SSO made things easier, but passwordless tech can make it safer. By moving away from passwords in SSO systems, we’re adding a layer of trust and security without adding complexity for users.

Here’s Why Passwordless is Becoming the New Normal

As more and more people are adopting passwordless tech, we’re learning a few things about the pros and cons.

Pros:

  1. Improved security over traditional passwords.
  2. Seamless and faster login experience.
  3. Reduced customer support costs for password resets.
  4. Fits modern expectations for simplicity and speed.
  5. Reduces reliance on risky single-password models.

Cons:

  1. Relies on biometrics, which are still not foolproof.
  2. Increased privacy concerns with biometric data.
  3. Device dependency (e.g., losing a trusted device).
  4. Setup may require some learning curve.
  5. Backup options need to be strong and secure.

Why Passwordless is Here to Stay (and Keep Growing)

  1. Security: We’re constantly hearing about data breaches, and many of them stem from weak or reused passwords. Passwordless systems are safer because if someone wants access to your account, they need you (your face, fingerprint, or personal device). No amount of guessing can replicate that.

  2. Convenience: With passwordless, we’re saying goodbye to “forgot my password” links and constant resets. Instead, it’s a smooth, one-step login that feels like a breath of fresh air. And in a world where we’re juggling dozens of apps and accounts, that simplicity goes a long way.

  3. Cost Savings for Companies: This may not seem like a big deal for users, but companies spend a lot of money on password recovery and support. Going passwordless not only cuts down on these costs but also improves user experience. It’s a win-win — no more forgotten passwords, and companies save on backend costs.

  4. It Fits Modern Tech Expectations: We’re all used to tapping a phone or scanning our faces to do things quickly. Passwordless logins fit into this fast-paced, intuitive tech world, giving users exactly what they want: less friction.

Why Passwordless Beats OAuth (You Know, Those “Login with Facebook/Google” Buttons)

Now, if you’re like, “Wait, I can already log in with my Google or Facebook account?” — you’re right. Those login buttons use a method called OAuth, which basically allows you to use an existing account to access a new one without creating a new password. It’s convenient, but here’s the thing: OAuth still uses passwords in the background. Sure, you’re not typing it in every time, but that password is still sitting out there, which means it can still be stolen.

Passwordless, on the other hand, doesn’t rely on any passwords at all. No password on your end, no password on their end. It’s simpler, more secure, and doesn’t have that hidden weakness.

What You Need to Know About Going Passwordless

  1. Biometrics Are Getting Safer: Yes, there have been stories of “hacked” fingerprints, but technology is catching up fast. Today’s biometrics are a lot more secure than they were a few years ago. Are they perfect? Not quite, but it’s a whole lot harder for someone to replicate a fingerprint than to guess a password.

  2. Keep Your Device Locked: Since passwordless methods often rely on devices (like your phone), keeping that device secure is super important. Make sure it’s locked with a PIN, password, or biometric lock so that if you lose it, your accounts are still protected.

  3. Backup Options Are Essential: Some days, the face scan just doesn’t want to work, or your phone might be on the other side of the house. Thankfully, most passwordless setups have backup methods, like a one-time code or a PIN, so don’t skip setting those up!

  4. Understand the Privacy Side: Passwordless methods often mean sharing more personal data (like biometrics) with companies. It’s always a good idea to know how much data is being collected and decide if you’re comfortable with it.

Why I’m Totally Onboard with Passwordless (and Why You Should Be, Too!)

To be honest, I never thought I’d be this excited about logging in. Passwords have been a necessary evil, but they’re just not keeping up with how we live our digital lives today. With passwordless, we’re finally stepping into a future that’s not only safer but also way more convenient. It’s freeing to think we can just be us without the stress of remembering what combination of symbols we used.

And sure, there’s a learning curve. But if it means saying goodbye to password fatigue, then I’m all in. The world is evolving, and so is our need for security — passwordless is just the next step.

So, here’s to a life where logging in is as easy as showing up. I, for one, can’t wait to fully say goodbye to the days of password resets. 😊

Peace out,
Somrit Dasgupta