Is Passwordless Authentication Actually Secure?
Passwords are frustrating. We know they should be unique, but then they’re hard to remember. We know they should be complex, but then they’re even harder to remember and painful to create. Password managers mostly solve the problem for those savvy enough to use them and determined enough to set them up, but for the majority of the population, it’s an endless dance between compromises.
So what’s the solution? There is no magic bullet here, but passwordless authentication is gaining mainstream adoption and promises to make life at least somewhat easier.
Passwordless authentication describes a range of approaches that seek to authenticate users by other means. Often this either involves using an alternative authentication factor or else cleverly piggy-backing on a service that can be assumed to have already authenticated the user. For example, if we were to send a secret code to a specific email address or telephone number, we can assume that whoever can produce that secret code must be the owner of the email account or telephone number.
Email-based passwordless authentication
Email-based passwordless authentication has probably become the most common, so it’s the one we’ll focus on. This method is at its core a password reset flow; a secret link is sent to the user that allows them to bypass their password and set a new one. It’s familiar to most users because they’ve utilized it dozens or hundreds of times. Some users have come to rely on this functionality so much that they don’t even bother remembering the password they set. When the app eventually asks them for it again, they need only go through the password reset procedure again. It’s maybe not very convenient, but compared to having another complex password to remember — it’s not so bad. You could say email-based passwordless auth was accidentally invented by disinterested users.
These days, true passwordless authentication takes the password reset flow a step further. App designers remove the password (and its associated resetting ceremonies) and simply send a secret, time-limited, single-use link to the user’s email address. Clicking that link authenticates the user and sets a cookie with a long lifetime to keep them logged in. The user never needs to set, save, or type any passwords at all, which is a very appealing feature, particularly on mobile devices.
So is email-based passwordless authentication secure?
It is no less secure than the password reset flow has ever been. Both outsource authentication to a user’s email account, and thus inherit the benefits and weaknesses of the user’s email account security. Consumer email providers take security seriously, as do corporate email administrators, but when an email account gets compromised it cascades catastrophically, allowing an attacker to take control of every other service associated with it. This allows password resets (read: all of them). Even the least savvy attacker can search users’ inbox archives to discover other services they’re logging into.
Let’s talk about tokens for a second. Email is not widely encrypted, especially between mail servers. This provides an opportunity for tokens to be intercepted not only from a mail server, but also sniffed from an insecure network. Email clients then can download and store the unencrypted email indefinitely on the device. Secure passwordless authentication systems and password reset systems should expire tokens after some amount of time, to avoid scattering valid auth tokens indefinitely.
Email-based passwordless authentication shares some attack vectors with traditional password authentication reset mechanisms, but it gains points by eschewing an entire class of password attack vectors. Where many users were choosing weak passwords, and likely reusing them on multiple sites, removing passwords altogether means these users can’t help but be more secure. No longer is there a password that can be guessed or brute-forced or cracked at all. There is no more risk of a user writing their password on a sticky note under their keyboard. Eliminating this attack surface is a huge win for the overall security of email-based passwordless authentication.
SMS-based passwordless authentication
If a user’s email address can be used to authenticate them, then so to can their mobile phone number. By sending a one-time code to them via SMS, they can copy and paste that into an app and that then considers them authenticated. A slight variation of this method could be to call their phone and have a robo-voice read the code aloud.
These approaches have many of the same benefits as email, and also their own unique set of risks. The security of SMS is not as well understood. While it might seem like mobile networks are less susceptible to interception and eavesdropping, that perception is likely due to the relative obscurity of the infrastructure. Phones can be tricked into connecting to an attacker’s fake cell tower, or a phone number can simply be ported to an attacker-controlled phone by socially engineering a customer service representative. The fact is that attacks have been demonstrated and we’re likely to see more of them in the coming years.
Passwordless authentication for logged-in users
Both email-based and SMS-based passwordless auth leverage an existing communication channel to pass a one-time token to the user that they can then use to log in to an app. But what if the user is already logged in, and they merely want to log in on a second device? This approach uses the existing session as the communication channel. Instead of sending the user a code, they might log in to their second session with a push confirmation in their existing session to the effect of “You are logging in from an iPhone in Seattle, WA. Allow?”.
This may not be acceptable in all cases, but it can be a streamlined way to leverage one device (e.g.: a computer) to securely authenticate another device (e.g.: a phone), creating flexibility to find the right balance of convenience and security. The challenge is the need to need to establish their identity in the first session — this method can’t stand alone.
Alternate factors for passwordless
In multi-factor authentication, the three factor types are something you know, something you have, and something you are. A password is the canonical something you know, but the other two are each potential methods of performing passwordless authentication.
There is a reason that, of the three factors, passwords are the most commonly used as a sole authentication method. The others have drawbacks that require careful consideration before employing them as the sole defense against impersonation. Fingerprints, face scans, and other “things that you are” have the fundamental limitation that if and when they are attacked, a compromised user can’t simply change their face or fingerprints. Likewise, “things that you have” can be lost or stolen. While authenticating with these methods is typically quite secure, these practical limitations limit the overall long-term security of the system.
Despite well-touted drawbacks, fingerprints and face scans are both gaining popularity on mobile devices. There are already plenty of reports of fooling them (FaceID). But as biometric capture devices become more and more sophisticated, biometrics will become more difficult to impersonate and thus more viable as a secure standalone authentication mechanism.
So is passwordless authentication really secure?
The answer to whether something is actually secure is usually “it depends on your threat model.” This time is no different.
For many applications, the typical threat is perhaps a nosy coworker or a professional mass skimmer trying to gain access to a bunch of accounts at once. Neither attacker has many resources to deploy to compromise any user account in particular. The coworker might try to guess a password, or look around for a clue on a sticky note, but isn’t likely to hack an email account or dust for fingerprints. A professional criminal might gain access to a compromised database of passwords, but may not spend much time attacking any single user in particular. In both of these cases, passwordless auth is more secure than the alternatives because it removes the password as an attack vector.
Some applications need to worry about threats from well-motivated and well-funded attackers who are pursuing a particular individual account. These attackers may well take the time to gain access to the user’s phone or email account. Passwordless auth alone is not the route to take against these types of determined attackers. But neither is a password. The best defense is to practice security in depth, combining multi-factor authentication, adaptive security, and anomaly detection with a product like Okta’s Adapative MFA.
There are many options and variations available for performing user authentication, and passwordless auth is just one more tool available. For the right job, though, it can be the right tool indeed.
Interested in learning more about Okta and the future of authentication? Check out these great resources: