How Can We Manage Passwordless When We Still Haven’t Mastered Passwords?
Many companies are jumping aboard the passwordless authentication bandwagon. However, it’s important for them to weigh the pros and cons of such a system. Matt Davey, Chief Operations Optimist at 1Password, dives into whether passwordless authentication is good for your business.
Passwords are far from a perfect authentication mechanism. To be as secure as possible, they need to be long; a mix of lowercase letters, uppercase letters, special characters, and numbers; and wholly unique — meaning you should never reuse a password across multiple sites.
The difficulty of juggling and remembering many complex, distinct passwords is why password managers were born: They let you memorize a single master password that unlocks the rest of your passwords. As technology improves, password managers are becoming easier to use and more seamlessly integrated with business workflows, offering autofill (even in mobile apps) and saving new passwords automatically. But passwords aren’t the only way to log in to sites anymore.
What is passwordless authentication?
As technology evolves, some companies are starting to move away from passwords to a login method called passwordless authentication. There’s no single method of passwordless authentication; it can rely on alternative factors, such as clicking a link sent to your email address or signing in through a service like Facebook or Google.
Many don’t think of the password reset feature as passwordless authentication, but it is the most popular form of it. Some people even use it as their regular login mechanism, resetting their password every time they access a site rather than remembering passwords or saving them in a password manager. True passwordless authentication, though, takes this a step further: There’s no password to reset; clicking the emailed link logs you in to your account directly — think Slack’s “magic link.”
There are many forms of passwordless authentication, but three are the most popular: email, SMS, and third-party application logins. Each has its benefits but also its drawbacks. It’s important to take note of what these are to evaluate the best form of login for you.
It’s clear what the advantages of passwordless authentication are. In theory, a passwordless world means you don’t have to remember any passwords. Apps you trust log you into other apps, and when that fails, email and SMS come to the rescue. No one enjoys juggling passwords, and the many requirements that different sites have for password composition can be frustrating. Passwordless authentication provides an enticing alternative to that.
But you still need passwords and two-factor authentication
Unfortunately, in practice, passwordless authentication isn’t as easy as it seems. First, even with passwordless authentication, you are likely to need passwords. After all, how will you log into your email account to access that login email? And how will you get into a third-party app to log in to the rest of your sites? While passwordless authentication might solve this in the future, for now, passwords (and therefore password managers) are still crucial to the way we live our lives on the internet.
Password managers are also widely encouraged to protect against breaches. If a breach happens, and login details for one site are leaked, multiple sites may be compromised if you reuse passwords. That’s why it’s so important to have complex and unique passwords for every site you use.
The risk with passwordless authentication is the same as with reused passwords: If a malicious third party gains access to your login apps or your email, they can access all of your accounts. It’s worth noting that, given the prevalence of email-based password reset options, this is already a risk to your email account, regardless of whether you are using passwordless authentication.
This means that whether you’re using passwords or passwordless authentication, activating a second factor to log into accounts is crucial. Two-factor authentication makes logging in, whether with or without a password, more secure.
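The magic-link flow described above, completed with the second factor this section calls for, as an added example (not Slack’s, 1Password’s or any vendor’s code). The class and method names, the 15-minute link lifetime and the in-memory token store are assumptions made for the example; the TOTP second factor follows RFC 6238 with HMAC-SHA1.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used here as the second factor."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class MagicLinkLogin:
    """Single-use, time-limited magic links, completed with a TOTP code."""
    def __init__(self, ttl=900, now=time.time):
        self.ttl = ttl          # link lifetime in seconds (assumed: 15 minutes)
        self.now = now          # injectable clock, so tests can control time
        self._pending = {}      # constructed in-memory store: sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked store cannot be replayed as live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Return the token to embed in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._pending[self._digest(token)] = (email, self.now() + self.ttl)
        return token

    def redeem(self, token):
        """Consume the token; return the email if it is unexpired, else None."""
        entry = self._pending.pop(self._digest(token), None)  # single-use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.now() <= expires_at else None

    def complete(self, token, code, totp_secret_b32):
        """Full login: a valid link AND a matching second-factor code."""
        email = self.redeem(token)  # link is burned even if the code is wrong
        if email is None:
            return None
        expected = totp(totp_secret_b32, self.now())
        return email if hmac.compare_digest(expected, code) else None
```

Because the link is consumed on the first attempt, a wrong second-factor code forces the user to request a fresh link rather than letting anyone retry codes against the same link.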
We haven’t discussed SMS authentication very much in this article, and for good reason: It’s not hard to hijack a text message. What’s more, SIM swapping is becoming increasingly (and frighteningly) common. That’s why we don’t recommend SMS authentication even as a second factor for two-factor authentication, much less for passwordless authentication.
Is passwordless more secure?
Using a password manager is certainly best-practice security. Your digital life is only as secure as the password manager you put your trust in. And that’s also true of passwordless authentication: Your online activity is only as secure as the method of authentication you use.
With password management companies, it’s easy to review security; there are industry standards, and any reputable company is subject to regular audits. And with encryption, even if a malicious actor did gain access to password manager servers, they would not be able to decrypt the passwords you use. The level of security you’re getting is clear and upfront.
If you don’t use a password manager, things get much more nebulous. One of the worst things you can do for your online security is to reuse simple passwords. If you’re using passwordless authentication with reused, simple passwords for your email account and third-party apps, it’s a perfect storm for a security nightmare.
The bottom line is that while more companies are moving toward passwordless authentication, there is still an important role for complex, unique passwords in securing your internet life. The two go hand-in-hand: To properly secure your passwordless authentication methods, you need strong, unique, complex passwords.