Passwordless Authentication: Best Practices

TL;DR

You want to let users into your web app without them typing passwords directly. This guide covers common methods (magic links, passkeys, WebAuthn) and how to make them secure and user-friendly.

1. Understand the Risks of Traditional Passwords

Before diving into passwordless solutions, it’s important to understand why we’re moving away from passwords:

• Password Reuse: Users often use the same password across multiple sites.
• Phishing: Attackers trick users into giving up their passwords.
• Data Breaches: Stored passwords can be stolen in data breaches.

Passwordless authentication aims to eliminate these risks.

2. Magic Links

Magic links send a unique, time-limited link to the user’s email address after they request access. Clicking the link logs them in.

Implementation Steps:

1. Generate Unique Token: When a user requests login, create a cryptographically secure random token (e.g., using UUID).
2. Store Token & User Association: Store this token associated with the user in your database, along with an expiry timestamp (short lifetime – 10-30 minutes is common).
3. Send Email: Send an email containing a link including the token. Example URL: https://yourwebsite.com/login?token=YOUR_TOKEN
4. Verify Token on Link Click: When the user clicks the link, verify that:
   • The token exists in your database.
   • The token hasn’t expired.
   • The token hasn’t been used already.
5. Log In User: If the verification is successful, log the user in and invalidate the token.

Security Considerations:

• Token Expiration: Crucial to prevent reuse of old links.
• Rate Limiting: Limit the number of magic link requests from a single IP address or email to prevent abuse.
• Email Security: Use SPF, DKIM, and DMARC to protect against email spoofing.

3. Passkeys (WebAuthn)

Passkeys are cryptographic key pairs where one part is stored on the user’s device (e.g., phone, computer) and the other is used for authentication. They offer strong security and a good user experience.

Implementation Steps:

1. WebAuthn API: Use the WebAuthn API in your web application to request passkey creation and login.
2. Credential Creation: The browser prompts the user to create a passkey, typically using biometrics (fingerprint, face ID) or a PIN.
3. Store Credential ID: Store the credential ID returned by WebAuthn in your database associated with the user.
4. Authentication Process: When the user logs in, the browser prompts them to use their passkey.
5. Verify Authentication: The WebAuthn API verifies the passkey and confirms the user’s identity.

Security Considerations:

• Browser Support: Ensure compatibility with modern browsers that support WebAuthn.
• Backup Options: Encourage users to create multiple passkeys (e.g., on their phone and computer) for backup.

4. Phone Sign-In

Send a code via SMS or an app notification that the user enters to log in.

Implementation Steps:

1. Phone Number Verification: Verify the user’s phone number using a one-time password (OTP) sent via SMS.
2. Generate OTP: Generate a 6-digit random code.
3. Send Code: Send the code to the verified phone number.
4. Verify Code on Login: When the user attempts login, prompt them for the code and verify it against the one you sent.

Security Considerations:

• SMS Interception: SMS is vulnerable to interception attacks (SIM swapping). Consider using app-based verification instead.
• Rate Limiting: Limit the number of code requests per phone number.

5. Multi-Factor Authentication (MFA) Enhancement

Even with passwordless methods, consider adding MFA for extra security.

• Backup Codes: Provide users with backup codes they can use if they lose access to their primary authentication method.
• Authenticator Apps: Integrate with authenticator apps (e.g., Google Authenticator, Authy) for time-based one-time passwords (TOTP).