Passwordless: a note on Authentication
Passwords have been around for a while now, and even back when they were the trend, the basic go-to option for authentication, they were already being questioned, but not the way they are nowadays. Today a password can be (more or less) easily stolen, hijacked, or simply brute-forced.
As you may guess, the main reason they are still here is that they are one of the easiest ways to authenticate someone or something.
But if you want to be more secure (and perhaps more user-friendly), passwordless authentication starts coming into play.
Since I started using asciinema, I have always been thinking about how well they solved the authentication problem, something like:
Site: "Well, you want to create an account?"
User: "Yes, I do."
Site: "So give me your e-mail, please."
User: "[email protected], there you go."
Site: "Okay, get your access there."
User: "That's it?"
Site: "Yeah, why not?"
This was sufficient to blow my mind.
'Cause it is REALLY as simple as it could be (and maybe shouldn't be, in some cases).
And that's basically it: every time you come back to the site and enter your e-mail on login, the system recognizes that you're already registered and says again: "Ok, get your access in your e-mail."
Maybe we should go through some password issues right now, just so we know what we're avoiding by doing this kind of thing:
- Users often create weak passwords that are easy to guess, and any password, weak or strong, can be phished.
- Passwords are vulnerable to brute-force attacks.
- Users often reuse the same credentials on different accounts, so one breach leads to a domino effect.
And those are just the first three things that come to mind when we start talking about passwords; I'm not even talking about possible issues in the implementation itself, which can occur in the password hashing, in safe storage, or in any other part of the whole process.
Now, think about replacing the whoooooole job of doing all these steps with the job of generating a random token and sending it to your user by e-mail. It can serve as an always-confirm-the-user-still-owns-that-address check as well!!
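Here is what that token flow looks like in code, as an added example that is not part of the original post and not asciinema's own implementation. The names (`MagicLinkStore`, `request_login`, `redeem`, the 15-minute lifetime, the base URL and the outbox list) are assumptions made for this illustration. The points it shows that the prose does not: the token is generated from a CSPRNG, only its hash is stored server-side, it expires, it is single-use, and the site answers "check your e-mail" the same way whether or not the address is registered, so the login form cannot be used to enumerate accounts.

```python
import hashlib
import secrets
import time

# Assumed values for this illustration (not from the original post).
TOKEN_TTL_SECONDS = 15 * 60
BASE_URL = "https://example.test"


class MagicLinkStore:
    """Pending login tokens, keyed by the SHA-256 of the token.

    Only the hash is stored: if this table leaks, the attacker still cannot
    build a working login link from it. `now` is injectable so expiry can be
    tested without sleeping.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now
        self._pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # 32 random bytes from the OS CSPRNG, URL-safe for use in a link.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (email.lower(), self.now() + self.ttl)
        return token

    def redeem(self, token):
        """Return the e-mail the token was issued for, or None if it is
        unknown, already used, or expired. The pop() makes it single-use."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        return email


def build_login_link(token, base_url=BASE_URL):
    return f"{base_url}/login/verify?token={token}"


def request_login(store, registered_users, email, outbox):
    """Handle the 'give me your e-mail' step.

    A mail is sent whether or not the address is registered (an unknown
    address gets a sign-up link instead), and the response to the browser is
    identical in both cases, so the form does not reveal who has an account.
    """
    token = store.issue(email)
    link = build_login_link(token)
    if email.lower() in registered_users:
        body = f"Click to sign in: {link}"
    else:
        body = f"Click to create your account: {link}"
    outbox.append((email, body))  # stand-in for a real mail transport
    return "Ok, get your access in your e-mail."


def demo():
    """Full round trip with a constructed user list and a fake outbox."""
    store = MagicLinkStore()
    users = {"alice@example.test"}
    outbox = []

    # Both addresses get the same answer from the site.
    known = request_login(store, users, "Alice@Example.test", outbox)
    unknown = request_login(store, users, "mallory@example.test", outbox)
    assert known == unknown

    # Simulate Alice clicking the link she received.
    link = outbox[0][1].split(": ", 1)[1]
    token = link.split("token=", 1)[1]
    first = store.redeem(token)
    second = store.redeem(token)  # replaying the same link must fail
    return first, second
```

The whole scheme is only as strong as the user's mailbox and the transport to it, so the token must be unguessable, short-lived and single-use, and the link should be served over HTTPS; none of that is optional when the e-mail is the credential.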
I'm not saying passwordless authentication is always based on contacting the user by e-mail; it can be done in countless ways. I have already seen hardware-based authentication, like really, literally, keys to a system.
I'm just starting the conversation here. What do you think? Did you like the idea? Let me know!