Something wonderful has been happening in the world of software development for quite some time now: we are seeing an incredibly strong trend among the developers of Software as a Service (SaaS) products who are questioning the need for passwords for Web applications. Gartner anticipates that 60% of large, global enterprises will implement some kind of passwordless authentication method by 2022. The percentage of mid-size businesses making this prediction is even higher: 90%, making this an essential consideration when you’re rethinking your application’s log-in and sign-up flows.
The elimination of passwords challenges cybersecurity’s status quo, reduces bad friction, and enables businesses to enhance their products’ user experience. What is wrong with passwords? What are the pros and cons of passwordless authentication. How can apply this approach to your next product? Let’s find out.
The Problem with Passwords
In the early 1960s—with the help of Fernando Corbató, who was working on The Compatible Time-Sharing System (CTSS)—we saw the introduction of passwords for software systems. Previously, that CTSS system had given a private set of files to each user. But the absence of a log-in system requiring a password had a flaw: it allowed users to access other people’s files. Dr. Corbató came up with the computer-password concept that we still use to this day to solve this problem.
At that time, passwords were quite simple. People used them to unlock, or log in to, a computer, hard drive, or other storage device, and coming up with or recalling a password didn’t require much brain capacity.
But today, things have gotten much worse. Almost every Web site that people use on a daily basis requires them to create an account with a unique password. On top of that, most software systems have their own unique, difficult-to-pass requirements for passwords, meaning people have to memorize or write down all their passwords somewhere. Even though people are trying their best, a study that Google conducted shows the following:
75% of Americans say they’ve become frustrated with trying to keep track of all their passwords.
24% of Americans have used extremely easy-to-guess passwords such as password, Qwerty, or 123456.
66% of Americans still use the same password across multiple online accounts.
And this list of issues goes on. However, apparently, it’s not only users who are having issues with passwords. Companies are having issues dealing with personal and corporate data as well:
IT companies must store passwords and handle password resets.
IT departments must make huge investments in their security infrastructure.
Whenever a data breach occurs, a company’s Support department gets bombarded with calls for support, and such issues negatively impact the company’s image.
Development efforts for new microservices get wasted on building the same old stuff: authentication systems, password checks, validators, and password-reset forms.
These are just some of the reasons why companies want to dump passwords, which are causing headaches, and move to passwordless authentication.
The Pros and Cons of Passwordless Authentication
Wouldn’t it be great to eliminate reliance on passwords completely and deliver a better user experience, benefiting both the business and users? Some companies are already using passwordless authentication systems, which have replaced traditional user passwords or other knowledge-based secrets with more secure authentication factors. Typically, these are magic links, fingerprints, PINs, or secret tokens that users receive via email or SMS messages.
In general, from the user’s point of view, passwordless authentication systems are more practical because the authentication mechanism has shifted from what the user knows, a password, to what the user has—access to a device or an SMS or email client. Because using this type of authentication doesn’t require multifactor authentication, this sounds too good to be true. This is still single-factor authentication unless a service adds an additional layer of security on top. However, there is also a downside to this approach: the security of the system depends completely on two other systems that the user cannot control—the system’s delivery mechanism and the way the user accesses his or her inbox. Figure 1 shows the relative limitations and merits of different types of authentication systems.
Should your SaaS Web application or product go passwordless? Well, it depends—really on your current system’s level of security. If your current system is more secure than going passwordless would be, it would probably be better to skip making this change for now. However, if your product’s security is far from the greatest and you’re already having some issues, passwordless authentication could be the right choice.
Benefits of Going Passwordless
Although going passwordless would not be suitable for every type of business organization—especially not for those in fintech or banking—many businesses are successfully going passwordless for a variety of reasons, because it provides numerous benefits, as follows:
Going passwordless improves the user experience. Eliminating password and secrets fatigue and providing unified access to all applications and services lets people access SaaS applications more quickly and effortlessly rather than spending hours each year recovering or resetting forgotten user names and passwords.
Passwordless authentication strengthens security. Companies can provide more secure authentication methods such as possession factor or inherent factor and thereby eliminate risky password-management techniques and reduce credential theft and impersonation.
Switching to a passwordless approach simplifies IT operations. By eliminating the need to issue, secure, rotate, reset, and manage passwords, companies can concentrate on solving other persistent security issues. How much would your company benefit if your Support team received no more “I forgot my password” or “How can I reset my password?” tickets?
The adoption of passwordless authentication is on the rise. In 2020, Microsoft alone saw more than 150 million people signing in to its services using passwordless methods each month, as Figure 2 shows. This trend is not going to slow down because of COVID-19 and the resulting dramatic adaptations of services’ going online. As Microsoft CEO Satya Nadella has put it, “We’ve seen two years’ worth of digital transformation in two months.”
How to Apply Passwordless Authentication to Your Product
To implement passwordless authentication for regular Web applications, you must do two things. First, you need to capture the user identifier in your application—for example, the user’s email address or phone number. Second, you must invoke the passwordless / start endpoint to initiate the passwordless workflow. In this way, the user gets a one-time-use code or magic link or receives an SMS message.
To understand this better, let’s look at an example: the passwordless workflow of Notion’s Web application, which, from the user’s perspective, uses magic links. This workflow uses logic that is similar to the way password-reset functionality works. Here are the steps that the user must take to log in:
The user types his email address into the Notion app, then clicks the Continue with email button.
If the service recognizes the email address, it sends an email message to the user with a magic-link URL that generates a one-time password.
The user opens the email client, clicks the link, initiating a new user session, and redirects to the application.
Given what we know, are magic links safe? Certain things make this authentication method even more secure in comparison to a typical password login. Only the person who receives the email messages that the system sends to the email address can access the magic link. The magic link that the user receives can be used only once and expires after one hour. Other SaaS products provide examples of similar workflows and logic.
The simple idea of eliminating our reliance on centrally managed passwords offers multiple benefits. However, there is no single passwordless solution that would fit most businesses. Nevertheless, we know that the adoption of passwordless methods is on the rise because of the range of business benefits it offers, including an enhanced user experience, fewer data breaches, lower support and development costs, and overall better product security.
As a UX designer and product strategist, over the last few years, Armantas has been designing Software as a Service (SaaS) products for multiple technology industries. His greatest interests lie in all things relating to technology, design, and human behavior. Thus, his goal is to improve people’s lives and experiences through creative solutions and meaningful design. Read More