Passwordless Login Vs. Password Login - Good & Bad
We use passwords every day to log in to our favorite sites. We also hate using them, because most websites force users to create strong passwords that are difficult to remember.
In this article, I will not just talk about how beneficial a passwordless login system is or how it can boost your sales overnight by providing a hassle-free login system. I will also discuss how passwords still play an important role in securing an application, along with their advantages and disadvantages.
A little History of Passwords
If you think today is the worst day you have to read the ‘History of Passwords’, believe me, it is yet to come because 2020 is still here. We do not know!
We started authenticating users with simple phrases. Back in the day, users had simple passwords like ‘password’ and did not worry. Later, hackers repeatedly managed to download entire databases, and because the passwords were stored in plain text, they could easily get access to all users’ accounts.
Developers improved their systems by not storing plain-text passwords in the database. They started protecting passwords with different hashing algorithms, but even that was not foolproof. Fast forward to today, we have pretty strong one-way hashing that developers can use to hash a password.
With PHP functions like password_hash() and password_verify(), developers can easily hash a password. To authenticate a user, password_verify() compares the plain-text password provided by the user against the hash stored in the database. The function returns true if they match and false otherwise. Developers do not have to do much work to implement a secure login system.
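A registration and login flow built on these functions, added here as an example (not code from the original article). The in-memory $users array stands in for a database table, and verifying unknown usernames against a dummy hash is this example's own choice.

```php
<?php
// Added example; $users stands in for a database table (constructed data).
$users = [];

// Hash of a random throwaway password, verified against when the username is
// unknown so that both paths do the same hashing work.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function register(array &$users, string $name, string $password): void
{
    // password_hash() generates a random salt and embeds the algorithm,
    // cost and salt in the returned string; store that string as-is.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $dummyHash, string $name, string $password): bool
{
    $known = array_key_exists($name, $users);
    $hash = $known ? $users[$name] : $dummyHash;

    // password_verify() runs first in both cases, then the unknown user is rejected.
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // On a successful login, upgrade hashes created with older settings.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, $dummyHash, 'alice', 'correct horse battery staple')); // right password
var_dump(login($users, $dummyHash, 'alice', 'password'));                     // wrong password
var_dump(login($users, $dummyHash, 'mallory', 'password'));                   // unknown user
```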
But, as we all know, not a single system is completely immune to hacking. Even with a secure login system in place, hackers can still perform brute-force attacks to guess users’ passwords. We countered that by implementing anti-brute-force systems in which servers block IPs that try to guess passwords.
Even after all these security enhancements, the one thing we can never completely get rid of is user error. For example, users often set the same password on multiple websites. Whenever a less secure website is compromised, all the accounts that use the same password are exposed.
The emergence of 2FA, aka Two-factor Authentication
Two-factor authentication emerged as the final solution to fix all issues related to login security. In 2FA, a unique code (usually a 4 or 6 digit number) is sent to the user’s email id after the correct username and password have been provided. This step makes sure that the user who has provided the correct password is actually the account owner.
Initially, the 2FA code was a 4 or 6 digit number sent to the user’s email id. Now, to log in to an account, the hacker needs to provide the correct username and password and the 4 digit code sent to the user’s email address. To obtain the authentication code, the hacker has to compromise the user’s email id.
But there is a loophole in this system as well. Not only login but also the password-reset system works in the same way. To reset a password, a user has to provide the email id and verify their identity by entering the correct code or OTP sent to the email.
In 2019, an independent security researcher named Laxman Muthiyah discovered a weakness in the password recovery process of Instagram.
To recover the password of an Instagram account, a user receives a 6 digit code and has to provide the correct code to verify their identity. The 6 digit code sent to the email is valid for 10 minutes. There are 1 million possible 6 digit codes.
Theoretically, an attacker can brute force the endpoint that verifies the code. Eventually, hackers can guess the correct code and reset the password successfully with a medium-range brute force attack. What makes this attack a little more complicated is the validity period of the code. The code has to be entered within 10 minutes; otherwise, it expires and the hacker has to restart the process.
To work around it, Laxman Muthiyah tested the Instagram system further and found that Instagram does not indefinitely block an IP address that sends incorrect OTPs. It blocks the IP only temporarily. That means an attacker can use multiple computers, to be exact 5000 computers, to send 1 million OTPs within 10 minutes. Laxman also said it might look difficult, but with cloud services like AWS or Google, anyone can perform this attack by spending merely $150.
For $150, an attacker can reset the password of any Instagram account. The attacker can create 5000 IP addresses and run an automated script to perform the attack. To evade the IP blocking system, he can switch between IPs.
Secure 2FA System
We learned from the Instagram case that we need not just a system in place, but a proper, more logical one. There have been numerous other cases where attackers managed to bypass 2FA. Honestly, we do not know whether the popular services we use really have a strong 2FA system. If Facebook can mess it up, then anyone else can too.
Passwordless Login system
For sure, users love to log in to their online accounts as quickly as possible. But as a developer, it is quite irresponsible to have only a passwordless login system. Passwords play an important role, and today, we can easily store hashed passwords in the database.
As I said, users’ errors are impossible to get rid of. Developers can make users follow a system that forces them to be safe. In a passwordless login system, a user can log in just by clicking a URL.
Built-in password managers in the web browser have helped a lot. Web browsers can save users’ passwords and auto-fill the password field the next time the user visits the website’s login page. So password systems are not as frustrating as they used to be.
Passwordless login systems are also common these days. They allow app users to log in to their accounts without having to type complicated passwords.
Though a passwordless login system has its own disadvantages, it is a quick way to authenticate a user into an application. Still, as a developer, I also need to ensure that the email id to which the authentication URL is sent is not compromised.
In password systems, an attacker has to do some heavy lifting to access the target account. In passwordless login, the attacker only needs to compromise the user’s email id. We have seen how malware can steal money from PayPal without any 2FA. So getting one link from an email account is also possible.
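Because the emailed URL is the whole credential in a passwordless login, it should at least expire quickly and work only once. The following is an added example, not code from the original article; the example.com URL, the 15-minute lifetime and the in-memory $store array are assumptions.

```php
<?php
// Added example: single-use, short-lived login link.
// $store stands in for a database table; LINK_TTL is an assumed lifetime.
const LINK_TTL = 900; // seconds

function issueLoginLink(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // Store only a hash of the token, so a leaked table cannot be replayed
    // as working login links.
    $store[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => $now + LINK_TTL,
    ];
    return 'https://example.com/login?token=' . $token;
}

function redeemLoginLink(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null; // unknown or already used
    }
    $entry = $store[$key];
    unset($store[$key]); // single use, whether or not it has expired
    if ($now > $entry['expires']) {
        return null;
    }
    return $entry['email']; // the caller still has to complete any second factor
}

$store = [];
$now = time();

$url = issueLoginLink($store, 'user@example.com', $now);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(redeemLoginLink($store, $query['token'], $now + 60)); // first click
var_dump(redeemLoginLink($store, $query['token'], $now + 61)); // same link again

$late = issueLoginLink($store, 'user@example.com', $now);
parse_str(parse_url($late, PHP_URL_QUERY), $lateQuery);
var_dump(redeemLoginLink($store, $lateQuery['token'], $now + LINK_TTL + 1)); // expired
```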
Make 2FA Mandatory for passwordless login and password login
At this point, you may not be able to decide which system to go with: the quick passwordless login system, or password login + 2FA?
What I think is that we can use a combination of both. We can provide the password system + 2FA and passwordless login + 2FA. If anyone manages to get access to the user’s email id, he cannot log in without completing 2FA. It is quick and secure.
Secondly, the 2FA system should be strong. It should be able to recognize a brute-force attack on a certain account and block IPs for a little longer.
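One way to recognize a brute-force attack on a specific account, which also covers the Instagram recovery-code case described earlier, is to count failed attempts against the account's current code instead of against the sender's IP. This is an added example, not code from the original article; MAX_ATTEMPTS, the account name and the in-memory $store array are assumptions.

```php
<?php
// Added example. $store stands in for a database table; MAX_ATTEMPTS is an
// assumed limit, OTP_TTL is the 10-minute validity from the Instagram case.
const OTP_TTL = 600;
const MAX_ATTEMPTS = 5;

function issueOtp(array &$store, string $account, int $now): string
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$account] = ['code' => $code, 'expires' => $now + OTP_TTL, 'failed' => 0];
    return $code; // sent by email in a real system
}

// There is no IP parameter: failures are counted against the account's
// current code, so spreading guesses over many addresses changes nothing.
function verifyOtp(array &$store, string $account, string $guess, int $now): string
{
    if (!isset($store[$account]) || $now > $store[$account]['expires']) {
        unset($store[$account]);
        return 'no_valid_code';
    }
    if (hash_equals($store[$account]['code'], $guess)) {
        unset($store[$account]); // single use
        return 'ok';
    }
    if (++$store[$account]['failed'] >= MAX_ATTEMPTS) {
        unset($store[$account]); // code is burned, a new one must be requested
        return 'locked';
    }
    return 'wrong';
}

$store = [];
$now = 1700000000; // constructed timestamp
$code = issueOtp($store, 'victim@example.com', $now);

// Constructed traffic: 5000 wrong guesses, as if each came from a different IP.
$tally = [];
for ($i = 0; $i < 5000; $i++) {
    $guess = sprintf('%06d', $i);
    if ($guess === $code) {
        continue; // skip the real code so the run is deterministic
    }
    $result = verifyOtp($store, 'victim@example.com', $guess, $now + 1);
    $tally[$result] = ($tally[$result] ?? 0) + 1;
}
print_r($tally);
// The real code no longer works either: the legitimate user requests a new one.
var_dump(verifyOtp($store, 'victim@example.com', $code, $now + 2));
```

With this counter a guesser gets at most MAX_ATTEMPTS tries out of the 1 million possible codes per issued code. Requests for a new code for the same account need their own limit, otherwise each request buys another batch of guesses.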
Instead of developing our own 2FA system from scratch, we can use Google Authenticator. Their system is easy to set up, easy to use, and secure. The OTPs are refreshed after a short period of time, which eliminates the possibility of brute-forcing the endpoint.
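Google Authenticator generates time-based one-time passwords (TOTP, RFC 6238), so the server side only has to compute the same code and compare. This is an added example, not code from the original article or from Google; the secret is the published RFC 6238 test key, and $lastStep stands in for a per-user database column.

```php
<?php
// Added example. The secret below is the RFC 6238 test key
// ("12345678901234567890") in base32, the encoding authenticator apps use.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $char) {
        $pos = strpos($alphabet, $char);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $byte) {
        $bytes .= strlen($byte) === 8 ? chr(bindec($byte)) : ''; // drop padding bits
    }
    return $bytes;
}

function totp(string $secret, int $step, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $step), $secret, true); // 64-bit big-endian counter
    $offset = ord($hmac[19]) & 0x0f;                            // dynamic truncation
    $value = unpack('N', substr($hmac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accepts the current 30-second step and one either side (clock drift);
// refuses any step at or before the last accepted one (no replay).
function verifyTotp(string $secret, string $code, int $now, int &$lastStep): bool
{
    $current = intdiv($now, 30);
    for ($step = $current - 1; $step <= $current + 1; $step++) {
        if ($step > $lastStep && hash_equals(totp($secret, $step), $code)) {
            $lastStep = $step;
            return true;
        }
    }
    return false;
}

$secret = base32Decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$lastStep = 0;
$code = totp($secret, intdiv(59, 30));                     // code for the step containing t = 59 s
var_dump(verifyTotp($secret, $code, 59, $lastStep));       // fresh code
var_dump(verifyTotp($secret, $code, 59, $lastStep));       // same code replayed
var_dump(verifyTotp($secret, $code, 59 + 120, $lastStep)); // four steps later
```

With a one-step drift window the verifier accepts up to three codes at any moment, so the brute-force detection asked for above still belongs in front of this check.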