
Passwordless Authentication Methods

Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/Passwordless-Authenticaion-Methods

Intro

Nowadays, people use more and more online services in everyday life, and each service requires authentication, so for every service the user has to remember a username and a password. Even if the login can be the same everywhere (for example, an email address), the password must be unique for each service. It should also be a complex one: at least 8 characters long and containing uppercase and lowercase letters, digits, and special characters.

Of course, it is impossible to remember a complex password for every service, so users either choose simple passwords or reuse the same password across services. Some users even write their passwords on a piece of paper and put it under the keyboard (sic!). All of this compromises user accounts.

Passwordless authentication can solve this problem. In this article I will consider the main passwordless authentication methods, along with their advantages and disadvantages.

The main passwordless authentication methods are the following:

One-time Link via Email

During authentication, the user enters an email address; the service generates a one-time link and sends it to that address. The user then opens the mail application, finds the message from the service, and follows the link.

Pros:

Cons:

One-time password via SMS or Push

The most widely used passwordless authentication method. During authentication, the user enters a phone number and receives an SMS or push notification with a one-time confirmation code that is valid for a limited time. The user enters the received code into the service and is authenticated.
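Both the email link and the SMS code are instances of the same server-side pattern: generate a random secret, store only its hash together with an expiry, and accept it at most once. The difference is entropy. A 256-bit link token cannot be guessed, while a 6-digit code can, so the code needs a hard limit on failed attempts before the record is destroyed. The following Python example is added to this article to illustrate that pattern for both methods; it is not OpenAM code, and the class and method names, the 15-minute and 5-minute lifetimes, the attempt limits and the example URL are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Pending:
    user: str
    digest: bytes        # SHA-256 of the secret; the secret itself is never stored
    expires_at: float
    max_attempts: int
    attempts: int = 0


class OneTimeSecretStore:
    """In-memory store of one-time secrets (constructed example; a real
    deployment would persist this in a database shared by all servers)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # secret id -> _Pending

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()

    def issue_link_token(self, user, ttl_seconds=15 * 60):
        """Return (id, token) for an email one-time link.

        The token carries 256 bits of entropy, so guessing is infeasible and a
        generous attempt limit is fine. The mail would contain a URL such as
        https://example.invalid/login?id=<id>&token=<token> (assumed format).
        """
        token = secrets.token_urlsafe(32)
        return self._store(user, token, ttl_seconds, max_attempts=10), token

    def issue_sms_code(self, user, ttl_seconds=5 * 60):
        """Return (id, code) for a 6-digit SMS/push confirmation code.

        Only 10**6 possibilities exist, so the attempt limit is what makes the
        code safe: three guesses out of a million per issued code.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return self._store(user, code, ttl_seconds, max_attempts=3), code

    def _store(self, user, secret, ttl, max_attempts):
        sid = secrets.token_urlsafe(16)
        self._pending[sid] = _Pending(user, self._digest(secret),
                                      self._clock() + ttl, max_attempts)
        return sid

    def redeem(self, sid, secret):
        """Return the user name if (id, secret) is valid, otherwise None.

        Every outcome other than success either records one more failed
        attempt or deletes the record, so a secret can be redeemed once.
        """
        rec = self._pending.get(sid)
        if rec is None:
            return None
        if self._clock() > rec.expires_at:
            del self._pending[sid]          # expired: never usable again
            return None
        rec.attempts += 1
        if hmac.compare_digest(rec.digest, self._digest(secret)):
            del self._pending[sid]          # single use
            return rec.user
        if rec.attempts >= rec.max_attempts:
            del self._pending[sid]          # lock out brute force on short codes
        return None
```

The comparison goes through hmac.compare_digest so that a wrong guess takes the same time whether it differs in the first or the last character, and the id in the link or form is separate from the secret so the lookup itself reveals nothing.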

Pros:

Cons:

HMAC and Time-based one-time password

HMAC-based one-time password (HOTP) is an algorithm that generates a one-time password from a counter of authentication attempts and a secret shared between the server and the client. Time-based one-time password (TOTP) is an improvement of HOTP that derives the password from the current time instead of a counter. In both cases the password is computed independently on the server and on the client each time the user authenticates, so the shared secret itself is never transmitted during authentication.
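As an added illustration (not OpenAM's own code), the following Python implements HOTP and TOTP as specified in RFC 4226 and RFC 6238, together with the two server-side checks that matter in practice: an HOTP look-ahead window that resynchronises the counter without ever accepting an old value, and a TOTP verifier that tolerates one step of clock drift but refuses to accept the same time step twice. The secret 12345678901234567890 is the test secret from those RFCs; the window and skew sizes are assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                             # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits, algo)


class HotpVerifier:
    """Server side of HOTP: tracks the counter and resyncs within a look-ahead window."""

    def __init__(self, secret, counter=0, window=10):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # this and every earlier counter are now dead
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: allows +/- skew steps of clock drift, rejects replay."""

    def __init__(self, secret, step=30, skew=1, clock=time.time):
        self.secret, self.step, self.skew, self.clock = secret, step, skew, clock
        self.last_step = -1             # highest time step already consumed

    def verify(self, code):
        now_step = int(self.clock()) // self.step
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s      # a code for this step cannot be used twice
                return True
        return False
```

Without the look-ahead window a single button press on a HOTP token that never reaches the server desynchronises the two counters forever; without the last_step check a TOTP code sniffed from the user is valid for the rest of its 30-second step, which is the replay that the one-time property is supposed to rule out.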

Pros:

Cons:

Saved Cookie

One of the simplest and most widely used ways to authenticate without a password. After the first authentication, a special cookie is set in the user's browser, and that cookie is then used to authenticate the user on subsequent visits.
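What makes a saved cookie safe or unsafe is how its value is generated and what the server keeps. The Python example below is added to this article and is not OpenAM code: it issues a cookie of the form selector:validator, stores only a hash of the validator, rotates the pair on every use, expires it, offers a way to revoke every remembered browser at once, and emits the Set-Cookie attributes a persistent login cookie needs. The cookie name remember_me, the 30-day lifetime and the class name are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Series:
    user: str
    validator_hash: bytes      # SHA-256 of the validator; a database leak yields no usable cookies
    expires_at: float


class RememberMeStore:
    """Issues and checks long-lived login cookies of the form "<selector>:<validator>"."""

    def __init__(self, ttl_seconds=30 * 24 * 3600, clock=time.time):
        self._ttl, self._clock = ttl_seconds, clock
        self._series = {}      # selector -> _Series

    @staticmethod
    def _h(validator):
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, user):
        """Create a new cookie value for this user's browser."""
        selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self._series[selector] = _Series(user, self._h(validator), self._clock() + self._ttl)
        return f"{selector}:{validator}"

    def set_cookie_header(self, cookie_value):
        """HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP,
        SameSite=Lax keeps it out of cross-site POSTs."""
        return ("Set-Cookie: remember_me=" + cookie_value +
                f"; Max-Age={self._ttl}; Path=/; Secure; HttpOnly; SameSite=Lax")

    def authenticate(self, cookie_value):
        """Return (user, fresh_cookie_value) or None. The validator is rotated on
        every use, so a copied cookie stops working as soon as either copy is used."""
        try:
            selector, validator = cookie_value.split(":", 1)
        except ValueError:
            return None
        rec = self._series.get(selector)
        if rec is None:
            return None
        if self._clock() > rec.expires_at:
            del self._series[selector]
            return None
        if not hmac.compare_digest(rec.validator_hash, self._h(validator)):
            # Known selector with the wrong validator: discard the series rather
            # than let an attacker keep guessing validators for it.
            del self._series[selector]
            return None
        user = rec.user
        del self._series[selector]
        return user, self.issue(user)

    def revoke_all(self, user):
        """Log the user out of every remembered browser, e.g. on password change."""
        doomed = [s for s, rec in self._series.items() if rec.user == user]
        for s in doomed:
            del self._series[s]
        return len(doomed)
```

The selector exists so that the database lookup is by a non-secret column and the secret part is only ever compared, never queried; the cookie itself should be treated as equivalent to a password for as long as it lives.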

Pros:

Cons:

Using Third-party Identity Providers (via Social Networks)

During authentication, the user is prompted to authenticate with an existing account at a third-party Identity Provider (Google, Facebook, LinkedIn).

Pros:

Cons:

USB Token Device

Users can be authenticated using a USB token device that holds a cryptographic key uniquely identifying the device holder.

Pros:

Cons:

Mobile Phone Biometrics

During authentication, the user receives a notification in a mobile phone application asking for confirmation via fingerprint, face recognition, and so on.

Pros:

Cons:

Conclusion

All of the methods above have advantages and disadvantages, but the best user experience comes from combining several of them: for example, offering authentication through OAuth or OpenID together with a saved cookie. Authentication using mobile phone biometrics, such as fingerprint or face recognition, is also a promising and secure approach.