Passwordless Authentication Methods

Original Article: https://www.openidentityplatform.org/blog/passwordless-authentication-methods

Intro

It is practically impossible to remember a complex password for each service, so users either choose simple passwords or reuse the same password for every service. Some users even write their passwords on a piece of paper and keep it under the keyboard (sic!). Of course, this compromises user accounts.

Passwordless authentication could solve this problem. In this article I will consider the main passwordless authentication methods, as well as their advantages and disadvantages.

There are the following passwordless authentication methods:

  • One-time link sent to the e-mail
  • One-time password sent by SMS or push notification
  • HOTP and TOTP (HMAC-based and Time-based one-time password)
  • Persistent Cookie
  • Third-party Identity provider (for example, log in via Facebook or via Google)
  • USB token device
  • Mobile application with biometric authentication.

Passwordless Authentication Methods

One-time Authentication Link Sent to the E-mail

Pros:

  • Low cost — sending e-mail is almost free

Cons:

  • The user has to open an additional application (an e-mail client)
  • If an attacker has access to the user's e-mail, authentication can be compromised.
  • There is a risk that the user receives an e-mail with a phishing link leading to a malicious site

One-time password via SMS or Push

Pros:

  • Relative reliability — faking a SIM card or stealing a phone is a rather non-trivial task for an attacker. In addition, the mobile phone can reveal the attacker's location.

Cons:

  • Users must manually enter the code from an SMS every time they authenticate, which can be annoying.
  • To receive push notifications, users have to install a mobile application.

HMAC and Time-based one-time password

Pros:

  • Third-party trusted software can be used to implement this algorithm (for example, Google Authenticator)

Cons:

  • TOTP requires the clocks of the server and the client to be synchronized
  • If the shared secret is stolen, attackers can generate their own TOTP values and authenticate

Persistent Cookie

Pros:

  • Subsequent authentications do not require the user to enter anything

Cons:

  • Works only on a single device (browser)
  • If an attacker steals a user's cookie, they can gain access to the user's account
  • The cookie must expire; when it does, the user has to authenticate again.

Using Third-party Identity Providers (via Social Networks)

Pros:

  • Very easy to use if the user has already authenticated to the identity provider.

Cons:

  • If the user loses their Identity Provider account, access to the service can also be lost.
  • Users may not have a profile with any of the Identity Providers supported by the service.

USB Token Device

Pros:

  • High security — it is almost impossible to forge the token

Cons:

  • The user needs to carry an extra device
  • Sometimes special software has to be installed to authenticate
  • The token device can be lost or stolen

Mobile Phone Biometrics

Pros:

  • High security, because mobile phone manufacturers focus on device security and protection against unauthorized access.
  • Almost everyone has a mobile phone

Cons:

  • The user needs to install and set up an additional application on their phone

Conclusion

Open Identity Community member, OSS Enthusiast