Lagos, Nigeria
info@ezefidelity.com

Is Passwordless Sign-in Safe? – Ask Leo!


You don’t have to use a password to be safe

Sign in with email message

Signing in without a password seems almost nonsensical, yet it can be more secure than traditional sign-ins. More convenient? That depends.

I was reading about passwordless logins and how great they are. Better and more convenient than long complicated passwords that we might use with a password manager like LastPass. I enter my username and click Continue and then press another button to have a link emailed to me. I then go to my email and click the link in my email and voila! I am automatically logged in.

Well that certainly is easier than remembering a password, but I don’t get how it’s more convenient given the number of clicks to get logged in compared to allowing LastPass to fill in the user name and password so that I only have to click one button.

But what I really don’t understand is how this is a more secure way of logging in. Are passwordless sign ins safe? Should I be worried about companies wanting to move to passwordless?

Worried? Nope. Not at all.

It can be a convenience, for sure. As to whether or not it’s more secure, my take is is yes — but we need to understand the scenario it protects you from to be confident about that.




Signing in with only an email address is almost a backhanded approach to two-factor authentication. By proving you have access to that email account — by clicking a link emailed to you — you’ve authenticated securely and need nothing else. The site using this technique is relying on your maintaining the security of your email account appropriately.

An example: medium.com

Let’s start with an example.

Medium.com is a popular site that offers several different approaches to signing in.

Medium.com sign in choices
Medium.com sign-in choices.

You can, of course, use the other services listed — Google, Facebook, Apple, and Twitter — to sign in using your credentials with them. I prefer to keep all my accounts separate, so I set my Medium account to “Sign in with email”.

When I first set this up, I expected to be greeted with the opportunity to set a password. Nope. When I sign in, it asks for my email address and nothing more.

Medium.com sign in with email
Medium.com sign-in with email.

My account has no password.

Instead, when I enter my email address and click Continue, Medium tells me to check for a message in my email account.

Medium.com - check your inbox for that magic link
Medium.com – check your inbox for that magic link.

Sure enough, an email arrives.

Medium.com emailed sign in message
Medium.com emailed sign-in message.

Click the link, and I’m in. It’s that simple.








Passwordless sign in: convenient … maybe

It is simple, but is it more convenient?

Maybe.

The biggest issue I have with it is that it assumes email is relatively fast — but email is not guaranteed to be fast at all.

In my case, because of the way my email is routed, it can actually take two to three minutes before the email message with the sign-in link appears. I have to wait.

A more traditional email-and-password approach allows me to sign in without the wait at all. If the site is important, I’d prefer to be allowed to add two-factor authentication of some sort.

It also makes the assumption that the device you get your email on is the same device on which you want to sign in to Medium. If they’re different, it can be quite cumbersome to sign in — to the point of just avoiding doing so.

But it is more secure.

Passwordless sign-in: safe, almost certainly

This feels a lot like two-factor authentication. It’s not, but it is similar.

Maybe I’ll call it a factor-and-a-half authentication.

“Something you know” is reduced to only your email address. I’ll think of that as half a factor since it’s so easy for anyone to discover your email address.

“Something you have”, however, is your ability to click a link sent to your email account. That proves you are who you say you are, as identified by that email address.

In order to sign in, you must prove you have access to the associated email account. That’s all.

And as long as you keep that account secure, it’s enough. The only way someone could hack into your passwordless authentication is if they first hack your email account.

Perhaps most importantly, there’s no password to fall into the hands of hackers. Even if there were some kind of data breach at a company using passwordless authentication, there’s nothing there to steal.

It’s pretty cool, actually.








Security’s still on you

Now, to be clear, this doesn’t absolve you of responsibility for your security. In a sense, it just moves the target to something else you’re hopefully already keeping secure: your email account.

Therefore, my medium.com account is as secure as my email account. My email account (via Gmail) has a strong password, two-factor authentication, and so on — you know, the usual litany of advice we hand out about keeping your account secure.

But I do still wish I had the option of a quicker sign-in with a more traditional password approach.

Other forms of passwordless sign-in

The examples above all talk about using email as your authentication mechanism: prove you can access email sent to that account, and you must be who you claim to be.

The same can be done with other authentication methods. The most common might be fingerprint scanners and facial recognition. In addition to being used with a password for two-factor authentication, it’s not uncommon for them to be the only factor used to confirm you are who you claim. It’s also quite convenient, and probably faster than waiting for email.

Similarly, sign-in with PIN is another form of passwordless sign-in, though I consider it to be closer to single factor rather than the factor-and-a-half I made up above. A PIN is nothing more than another “something you know”.

I tend to agree with the material you were reading: passwordless sign-in has interesting potential to make our lives easier by needing to remember fewer passwords.

But I’d still prefer it to be optional.

If you found this article helpful, I’m sure you’ll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I’ll see you there soon,

Leo

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my FREE special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

No strings. No email. Here’s the direct download. (Just right-click and “Save As…”.)






This post was written by Leo Notenboom and was first posted to AskLeo.com



Do you find this article helpful? Your Friend might too. So, please Share it with them using the Share button above.
Will you like to get notified when I post new updates? Then Follow me on any of my social media handles: Google News, Telegram, WhatsApp, Twitter, Facebook, Pinterest.
You can also drop your email address below if you wish to be notified by mail.


%d bloggers like this: