
Passwordless authentication: your options explained

Do you want to add passwordless authentication to your app and don’t know where to start? Read our guide for an overview of the top available methods, their pros and cons, and which one might be the best for you.


Passwords have always been a necessary evil. We want our data to be safe, but remembering random strings of alphanumeric and special characters is not exactly a piece of cake. Nowadays, with all of us using a bunch of different online services, remembering a strong password for every single one is impossible unless you have an eidetic memory.

Social logins and SSO solve part of the problem, but although they are widespread, many services still don't offer them (or don't implement them securely). Password managers are another great option. Their adoption keeps increasing, but many companies see them as a single point of failure (if someone gets your master password, they get all of your passwords) and hesitate to adopt them.

There is another solution that, instead of managing passwords, gets rid of them altogether: passwordless authentication. Passwordless authentication offers a seamless and secure alternative by replacing passwords with technologies like biometrics, single-use codes, and cryptographic keys.

The simplest example of how passwordless can make our lives easier is Touch ID. You can log in to your computer with a simple tap of your finger instead of having to remember a long password, type it in, be careful that no one is watching, that the caps lock is not on, and so on and so forth. This improves user experience and security.

There are many ways to use passwordless authentication, and you might be confused about which method is best for you. In this article, we will review the top passwordless authentication methods, their pros and cons, and see which options suit your requirements.

Biometrics

What's the first thing that comes to mind when you hear biometrics? Retina scans to enter a classified lab? Maybe that was true decades ago, but nowadays, scanning our fingers or faces to unlock our phones or sign into services is more commonplace and less James Bond material. Biometrics are widely used and recognized as a more secure alternative to traditional authentication methods like passwords and PINs. Enterprises and startups that take security seriously use biometrics alongside SSO to continuously verify the identities of users in a seamless way.

Facial recognition uses a person's unique facial features to identify them. It's commonly used in smartphones, but sadly, the technology still leaves a lot to be desired. Fingerprint scans, on the other hand, work great most of the time. They're used to secure everything from mobile devices to automobiles and even buildings, making them the most widespread biometric authentication technology.

Key features:

  • High level of security: One of the most significant advantages of biometric systems is that they rely on things that cannot be stolen or replicated. Unlike passwords or PINs, which can be shared or stolen, biometric traits are tied directly to an individual. Passing a face biometric check requires the physical presence of the actual person, making it incredibly difficult for unauthorized users to gain access. Sure, someone can lift your fingerprint off a glass and recreate it, but this kind of sophistication is on another level and does not concern the vast majority of the population (no elaborate spy will go into all this trouble to read my emails).
  • Ease of use: While the technology behind biometrics is complicated, from a user's point of view, it's quick and easy. Instead of typing a long password (and being exposed to all the threats passwords come with), a user just needs to look at their device or place their finger on the scanner. Most importantly, there is nothing to remember, so there is nothing to forget either. No more password resets, managers, or post-its.
  • Non-transferable: If credential sharing is a problem in your business, biometrics can be the solution you've been looking for. You cannot share a fingerprint; you have to physically be there, which ensures that credentials are not shared, knowingly or not.

Limitations:

  • Costs: Implementing a biometrics authentication system from scratch can be expensive. However, many devices already come with built-in biometrics mechanisms that you can use. Many authentication providers also offer SDKs that you can use to add biometrics passwordless authentication to your app.
  • False negatives: False positives are not a problem for biometrics (according to NIST, false match rates for facial recognition are as low as 0.0001%—while the chances of being hit by lightning are 0.00014%). False negatives, however, are a problem, especially for facial recognition, where factors like poor lighting or facial obstructions can significantly increase the chances of your face not being recognized. As a result, businesses cannot rely solely on biometrics but must implement a secondary authentication method, like a password or PIN (which means extra cost).
  • Bias: Many biometric systems have been trained primarily on photos of white men. This introduces an inherent bias that results in difficulty recognizing women, people of color, and non-cisgender people. Poor implementation or deliberate misuse can result in discrimination and exclusion. Some certifications ensure this is not the case, and you should look for a technology that has them.
  • Hackers are still a threat: Biometric data can still be stolen. Biometric templates are stored in databases, and a data breach can provide attackers with the data they need to impersonate others.

Biometrics are commonly used on smartphones (to unlock devices and authorize payments), airports (for identity verification and security checks), and corporate security to secure access to facilities and systems.

One-Time Passwords (OTPs)

As the name suggests, a one-time password is a numeric or alphanumeric string that can be used only once. These passwords are provided to you by a small device like a key fob, by an authenticator app (like Google Authenticator), or by a message (IM, SMS, or email) sent to your phone.

An OTP is considered more secure than a traditional password, which can be weak, reused across apps, or stolen. Unlike passwords that change every 30 to 60 days (best-case scenario) or stay static forever, OTPs are used for a single transaction or login and then discarded.

OTPs are generated using algorithms and time-sensitive variables. Once the OTP is created and sent to the user, the code is associated with the authentication window or form. When the user enters the code, the server verifies it.

Some variations of OTPs are:

  • TOTP (Time-Based One-Time Password): TOTPs are generated using time as a moving factor and typically expire within 30-240 seconds.
  • HMAC-based One-Time Password (HOTP): HOTPs use an increasing counter value and a static symmetric key (seed) that only the token and the validation service know; the code is derived from the HMAC of the counter under that key. Each HOTP is valid until the authentication server actively requests and validates another one. The HOTP algorithm is a freely available open standard.

Usually, OTPs are not used as a standalone authentication method but as a secure and convenient way to implement MFA in situations where sensitive data is accessed and exchanged. An example is banking apps: they may allow you to log in using biometrics or a password, but if you want to transfer a significant amount of money, they might send a code via SMS or email before letting the payment pass through.

Key features:

  • Difficult to guess: Even automated password-cracking tools have a hard time guessing OTPs, and things get even more complicated if you use TOTP or HOTP. This makes them hard for attackers to guess.
  • Limits user friction: The user experience for OTPs is pretty good—especially when they are sent via SMS and the app requesting the code automatically reads it, so you don't have to copy and paste.
  • Easy implementation: Implementing OTPs is relatively easy.

Limitations:

  • Network-dependent: Sometimes, codes take a long time to arrive, especially when you are in an area with poor coverage. Most of us have experienced trying to log in to an app that sends a code, which by the time it arrives has expired, and then we have to try again, and so on and so forth.
  • Device-dependent: If you use a hardware token, losing it (or simply forgetting it somewhere) can lock you out of your account. This reliance on a single device can be a significant drawback, especially if users do not have backup authentication methods.
  • SMS is susceptible to attacks: Hackers can intercept OTPs during transmission, especially over unencrypted channels like SMS. They can also hijack a user's mobile number by convincing the telecom provider to transfer it to a new SIM card, gaining access to SMS-based OTPs (SIM swapping). The National Institute of Standards and Technology (NIST) has deprecated the use of SMS for 2FA since 2016 due to security concerns, and the European Union Agency for Cybersecurity (ENISA) also advises against using SMS-based OTPs.
  • Scalability: Depending on the size of your user base, managing OTP generation, delivery, and verification for millions of users can strain human resources and infrastructure.

OTPs are commonly used in online banking for account access and secure transactions, as well as other online services such as 2FA (Amazon sends an OTP via SMS as 2FA).

Magic links

Magic links, as the name suggests, log you in via links sent to you (typically via email, but SMS or IM are also options). When you want to log in, you enter your email, you get an email with a link, you click the link, and—magic—you are in.

The link contains a unique token and can be used only once. It doesn't last long, either; it has a built-in expiration. Magic links simplify the login process while avoiding common password-related problems, such as weak passwords, forgotten credentials, or password reuse.

If a user is not found in the system, the app won't authenticate them, and nothing further will happen. Returning a distinct error message is not recommended, since you don't want to give malicious actors clues about which email addresses are registered.

Key features:

  • Low cost: There's no extra hardware to purchase and barely any new code to write if you already have a "Forgot Password" workflow. If you send them over SMS, the fees will be higher, but emails are cheaper and scale better.
  • Fast and seamless login experience: The login experience can be smooth, provided you send the emails promptly, and they don't end up in the spam folder.

Limitations:

  • Only as secure as the user’s email: With magic links, the main burden of ensuring security falls on the user and their email provider, so the user must take extra steps to protect themselves, like enabling MFA, using a trusted email provider, and avoiding networks without encryption. Magic links come with certain risks, and you, as a provider, cannot enforce security; you have to trust the user (and their email provider). This is not an option for certain businesses that have strict security requirements to adhere to for compliance reasons.
  • Can be shared: Similar to passwords, magic links may be shared with others, often unknowingly, increasing security risks. Enforcing link-sharing restrictions is difficult, leaving the account vulnerable if the link falls into the wrong hands. One mitigation strategy is to ensure that only the browser or device that initiated the flow can open the link.
  • Spam filtering issues: Sometimes, email providers mark magic link emails from new senders as spam, funneling an essential email into the rarely-visited spam folder. Your user might request link after link, not realizing they're being sent to spam. Use a reputable email provider with an IP address that common spam filters recognize as trustworthy (such as one without many complaints). Check our guide on email deliverability for more on the topic.

Besides authentication, magic links are commonly used for account recovery, easy signup by e-commerce and online services, and double opt-in to lists.

Passkeys

The Fast Identity Online (FIDO) Alliance's answer to the password problem is passkeys. From an end user's perspective, a passkey is a way to log into their account using biometrics—fingerprint, facial recognition, or a PIN or pattern as a fallback. The user enters their username, uses their fingerprint, face scan, or passcode, and is logged in.

From a technical perspective, passkeys use public-private cryptographic key pairs to authenticate users. When a user creates an account using a passkey, their device generates two cryptographic keys, one public and one private. The public key stays on the service provider's server, and the private one is saved on the user's device.

Key features:

  • Not vulnerable to server breaches: The public key stored on the server is not sensitive information and cannot be used alone to access the account. Thus, passkeys are not vulnerable to server breaches. Even if someone gets your public key, they cannot do anything with it. The private key is securely stored on the user's device within dedicated components designed to keep sensitive data. These components are isolated and function as a vault, guaranteeing data safety even in the event of a malware attack.
  • Counts as 2FA: A passkey combines something you have (the device holding the private key) with something you are or know (biometrics or the device PIN), so it counts as two factors, replacing both a password and 2FA in one step.
  • Phishing resistant: The private key saved on your device is never shared with anyone, and the credential is bound to the site's origin, so it cannot be used on a look-alike site. This makes passkeys resistant to phishing attacks.
  • Local authentication: Authentication is performed on the user's device, significantly reducing the risk of credential interception during transmission.

Limitations:

  • Not commonly used yet: Although all the tech giants, like Google, Apple, Samsung, Amazon, and Microsoft, are supporting passkeys, currently, they are available only on select websites, apps, and services.
  • Working across devices: Since the private key is securely stored on the user's device, it only works from that device. Work is being done towards syncing passkeys across devices, but things can still be tricky. For example, passkeys can be synced across Apple devices using iCloud Keychain, and across Android, Chrome OS, macOS, Linux, and Windows devices using Google Password Manager. However, there is not yet a seamless and easy way to share passkeys between iPhone and Android devices, or natively across Windows devices. Things get even trickier if you want to log into your account from a device that isn't yours.
  • User experience: Although passkeys offer a seamless user experience in theory, due to the limitations stated above, users often have bad experiences trying to migrate or add passkeys to devices. Many times, an app asks whether you want to use a passkey to log in; you say yes, scan your fingerprint, and then get a message that no passkey was found. The technology is good, but adoption is not yet widespread, so the experience can be disheartening.

Common use cases for passkeys include secure access to online apps, corporate resources, and personal devices.

Which method is right for you?

Sadly, as with many things in life, the answer to the question "which method is right for you?" is "it depends". Some technologies are a no-go, depending on your use case.

  • Biometrics offer a high level of security and ease of use, and they eliminate the credential-sharing issue. On the downside, they're costly, and the technology is not perfect yet (false negatives, bias).
  • OTPs are easy to implement, difficult to guess, and user-friendly. However, your users will be unable to log in if the network fails to deliver the codes or they forget their hardware token. SMS is also not a good option since it is susceptible to attacks and doesn't scale well.
  • Magic links are easy to implement and use, but they are only as secure as the user's email, which is a no-go if your business has strict security requirements.
  • Passkeys are very secure, count as 2FA, are easy to use, and render server breaches useless. The only problem is that integration and adoption are not there yet. Users might have issues using the same passkey across their devices.

What is obvious, though, is that there is no perfect passwordless solution to the password problem yet. OTPs are close, and passkeys look very promising, provided that the integration keeps improving. But at the moment, for the best security and user experience, you will probably have to combine different technologies. For example, SSO can be combined with biometrics.

WorkOS supports OTPs with Magic Auth, Passkeys, and SSO—everything you need to log in users securely without the constant hassle of passwords.
