Create a Secure App and Great UX with Passwordless Authentication

To developers, passwords are like interruptions: a necessary evil that comes with the territory. They’re seemingly inevitable, they suck up valuable time, and afterward you’re not much better off than you were before you had to deal with them.

But while you can’t avoid interruptions—because let’s face it, those planned interruptions (aka meetings) and workplace exigencies are never going away—you and your application’s end users can escape the friction of passwords. Passwordless authentication holds the promise of limiting or even completely curtailing forgotten passwords, cumbersome policies, time-consuming resets and other password-related issues that plague both users and developers alike. And it does so in a way that both ensures the security of your application and fosters a great user experience.

Before we get into the reasons why developers increasingly are moving toward implementing passwordless login features into their applications, let’s take a look at exactly what we mean by the phrase “passwordless authentication.” Passwordless authentication is just what it sounds like: a way to authenticate when logging into an app or other resource without using a password. 

Consider this simple scenario. In order to create or use an account, you enter a username. But instead of entering a string of characters, you receive a temporary key in the form of a 6-digit code delivered to you via text or email during the login process. You retrieve that code and enter it into the application, and voila! You’re now authenticated.

This temporary code sent to the end user acts as a time-limited password, and is how the account is secured. But it doesn’t have to be a temporary code; it could be:

• A specific link the user has to click on
• A push notification that requires the user to hit a button
• A link to a face, fingerprint or other biometric-recognition app where the user must complete a biometric scan

The important distinction here is that the authentication process doesn’t involve a password at all. The end user has nothing to remember or track via some type of password management system, and nothing needs to be stored with your app, server or service.

In the example above, you’ll notice that the code (or link, notification, etc.) is in essence taking the place of the password step, rather than adding a step to the authentication process. Remember, passwordless authentication is about logging in with an authentication factor other than a password. Passwords are an authentication factor requiring “something you know.” To go passwordless, we could use a different factor type altogether, e.g., “something you own” or “something you are.” One-time passcodes (OTP) via text and push notifications utilize the “something you own” factor, because only the person who owns the phone that receives the OTP or the push notification should be allowed access. 

On a related note, one distinction we make at Ping is that “passwordless” is a goal while “passwordless authentication” is a process. The goal is to use technologies that reduce and/or eliminate the use of passwords, which increases usability while maintaining or improving security.

So do you—and your app users—really benefit from giving up passwords?

Absolutely. Passwords continue to foil users and compromise security, and we’re seeing signs that passwordless authentication is on the rise for a few key reasons.

One, passwordless authentication offers significantly more protection against hackers and other bad actors. Passwords need to meet some minimal requirements to be secure, such as length and character composition, and end users have demonstrated time and again that they have a hard time maintaining strong passwords. 

Even if a user does have a strong password for one account, the odds are good they have shared it with other sites or other users, increasing the risk of getting hacked by opening up more points of attack. 

A temporary code, on the other hand, all but eliminates credential sharing and means less time in which the authentication factor can be stolen, boosting your overall security posture.

Another primary benefit of passwordless authentication is that it allows you to offer your app customer an easier and better user experience. Your end users don’t have to worry about creating, remembering or storing a complicated password; they simply enjoy a smooth experience by swiping a fingerprint or clicking a button. We’re starting to see behavioral research in the market showing that once people try passwordless authentication, they stick with it because of the superior UX.

There’s a third benefit of passwordless authentication that your customers may only vaguely realize but one you likely are acutely aware of: easing the dreaded password reset process. Password reset flows have to be implemented securely in the event passwords are forgotten, and password resets cost large organizations upwards of $1 million annually in staffing and infrastructure alone, according to Forrester. Even if you don’t go completely passwordless in your authentication processes, having a blend of password and passwordless flows will ensure you spend less valuable time on password resets.

Passwordless authentication is easy to implement with a robust multi-factor authentication solution like PingOne for Customers. PingOne for Customers, our cloud identity tool for app developers, includes features such as QR code authentication, which takes passwordless authentication to a new level by removing the need for your users to remember not only their passwords but also their usernames. 

To try out PingOne for Customers, we invite you to sign up for a free trial!