Password less authentication

This is a general discussion about a modern way to authenticate a user with his/her data.

In these times we all talk about more than one factor to authenticate a user with a dataset. We usually use a username or the email address to have a unique id for a record.

The first factor to authenticate is mostly a password. Hopefully a strong password which uses special chars, numbers, capitals and so on. Most of the users are already lost. Anyhow, we the sec-devs are going to add more factors to make it safer. The next is the mobile number. The member receives a sms with a temporary pin number to make really sure that you are you. Another popular way is to promote a second factor app where you get a push notification with a pin or a where pops a button to confirm that you are you. Sec-Ops go even further and have so-called Yubikeys (real hardware) to use another factor which can’t be hacked digitally. No matter what and how, everything is awkward and complicated in my opinion. It makes it safer but the ux is terrible and slow.

I guess we have to think about the use case. There are a lot of critical services like banking and so on where we definitely have to be as safe as possible. But there are a lot of small services without special need for protection. Do not get me wrong. I’m not saying that they don’t need security. I’m just saying that it doesn’t have to be cumbersome.

What do you think about email authentication? An email address is unique. It is possible for men-in-the-middle to read them out. But first of all, you can say that the recipient of an email is unique and authorized to receive a message. That’s the reason we use emails as usernames for accounts almost everywhere. The first mail you receive is often combined with a confirm-link to make sure the user exists and spammers are excluded.

So why not use a so-called magic link every time you’re going to login to your personal data?

I have used Slack a lot. There is always the option to get the magic link to automatically login in to the mobile or desktop app. And it works. It uses JWT (as far as I know) and the most important and the discussion in this thread, it is user friendly!

What do you think about this method?

I have builded a very small social service which is working totally without passwords. Every time you need to login to your account to change your configuration, you simply enter your email address and the service fires another email with a new magic link to let you in. it works. And I think it’s still a secure and ux friendly solution!

More on Reddit:

https://www.reddit.com/r/security/comments/aa136r/will_the_new_year_continue_a_trend_of/

https://www.reddit.com/r/webdev/comments/m7o0ew/password_less_authentication/

Meine Freunde rufen mich Mitch - ich bin passionierter Softwareentwickler und Vater. https://palmomedia.de