Passwordless Authenticaion Methods


  • One-time link sent to the e-mail
  • One-time password sent by SMS or Push-notification
  • HOTP and TOTP (HMAC and Time-based one-time password)
  • Persistent Cookie
  • Third-party Identity provider (for example, log in via Facebook or via Google)
  • USB token device
  • Mobile application with biometric authentication.

Passwordless Authenticaion Methods

One-time Authentication Link Sent to the E-mail

  • Low cost — sending e-mail is almost free
  • The need for the user to open an additional email client application
  • If the attacker has access to the user’s e-mail, then authentication can be compromised.
  • There is a risk of receiving an email with a phishing link to enter a malicious resource

One-time password via SMS or Push

  • Relative reliability — to fake a SIM card or steal a phone seems to be a rather non-trivial task for an attacker. In addition, the mobile phone can determine the location of the attacker.
  • Users must manually enter the code from an SMS, every time they authenticate, which can be annoying.
  • For receiving a push notification users should install a mobile application.

HMAC and Time-based one-time password

  • You can use third-party trusted software to implement this algorithm (for example Google authenticator)
  • For TOTP there is a need to synchronize time between server and client
  • The shared secret can be stolen and attackers can generate their own TOTP values to authenticate

Persistent Cookie

  • Further authentications do not require entering any data from the user
  • Works on a single device (browser)
  • If an attacker steals an users cookie, he could gain access to the user’s account
  • The cookie should expire. When the cookie expires, the user should authenticate again.

Using third-party Identity Provides (via Social Networks)

  • Very easy to use, if the user has already authenticated to the identity provider.
  • If the user lost his Identity Provider account, access to the service can also be lost.
  • Users may not have profiles in the Identity Providers list supported by the service.

USB Token Device

  • High security — it is almost not possible to forge the token
  • The user need to carry an extra device
  • Sometimes, there is a need to install special software to authenticate
  • The token device can be lost or stolen

Mobile Phone Biometrics

  • High security, because mobile phone manufacturers are focusing on mobile phone security and protecting them from unauthorized access.
  • Almost everyone has a mobile phone
  • User need to install and setup additional application on his phone




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store