In our last few posts, we have discussed how to store passwords in the database, how to protect our users by using MFA, how to log them in via SAML or SSO, and more.
But all of these techniques have one thing in common: Our users still need to have their password stored somewhere. The question is where.
Let’s take John as an example.
John is using 5 SaaS applications regularly.
If he relies on SSO, that’s an easy task. He has only one password to remember (his IDP / OAuth password). But what happens if he doesn’t use SSO?
Like many people, John will probably create a new password for each of his 5 SaaS applications, and each of those accounts is exposed if the application that stores its password is breached.
And furthermore, what if John can’t keep track of which password goes where? What happens then? Will he just decide to use an identical password for every single one of his accounts? This creates a much bigger security risk if any one of these accounts is hacked.
SaaS authentication is a very sensitive and important topic you must address while getting started. Credential stuffing and keylogging are just a couple of the ways hackers exploit application databases and data stores to harvest passwords and other sensitive information. Read more in our Password Hacking article.
What are Passwordless Logins?
Passwordless authentication usually requires the user to provide some kind of proof that they really are the user they claim to be, without providing an actual password as part of the authentication flow.
This may sound complex but actually it isn’t.
Let’s take a closer look at this flow:
We’ve all gone through this process without ever thinking about the fact that we were running through a passwordless login flow.
The proof of the user’s authenticity, in this case, is control over the mailbox: the user proves ownership by entering the OTP code that was sent in the verification email.
But is email the only method for passwordless logins?
Well no, it actually isn’t. There are other methods we can turn to.
For starters, we can rely on “ownership methods” to provide validation, such as phone numbers, dongle keys, hardware tokens, and more. The second technique is the use of “inherence methods” such as fingerprints, face recognition, etc.
All of this sounds quite familiar, right?
We did mention OTP and “device ownership”. Does that sound like another MFA methodology? Well, in most cases MFA is required as an additional level of security for password-based logins. With passwordless authentication, we can “spare” this part and log the user in directly as soon as they have proved ownership.
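The email OTP flow described above, written out as an added example (this is illustrative code, not part of the original post and not Frontegg’s implementation). It assumes a caller-supplied send_email(to, body) callable, an in-memory dict standing in for the pending-login store, a 6-digit code, a 10-minute lifetime and a limit of 5 verification attempts; all of those are assumptions, not values from the post. The two steps are start(), which generates a code with a CSPRNG, stores only its hash and mails the code, and verify(), which checks it once, rejects expired or replayed codes, and caps the number of guesses, since a 6-digit code is a small enough space that an unbounded guess rate would defeat it.

```python
"""Email one-time-code (OTP) passwordless login, written as an added example.

Illustrative code, not Frontegg's implementation. Assumptions:
- a caller-supplied send_email(to, body) callable delivers the message;
- an in-memory dict stands in for the pending-login store (a real service
  would use a shared store such as a database or cache);
- a 6-digit code, a 10-minute lifetime and 5 verification attempts.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingLogin:
    code_hash: bytes    # hash of the code, so a leaked store does not show codes in clear
    expires_at: float   # unix time after which the code is dead
    attempts: int = 0   # wrong guesses so far; bounded, because 10**6 codes is a small space


class PasswordlessEmailLogin:
    """Two-step flow: start() mails a code, verify() checks it exactly once."""

    def __init__(self, send_email, clock=time.time):
        self._send_email = send_email
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # email -> PendingLogin (assumption: single process)

    @staticmethod
    def _normalize(email):
        return email.strip().lower()

    @staticmethod
    def _hash(email, code):
        # Bind the hash to the address so a code issued for one mailbox
        # cannot be presented for another.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def start(self, email):
        """Generate a fresh code, store only its hash, and send the code to the mailbox."""
        email = self._normalize(email)
        # secrets (CSPRNG), never the random module, for anything that acts as a credential.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Restarting replaces any earlier pending code, so only one code is live per address.
        self._pending[email] = PendingLogin(
            code_hash=self._hash(email, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_email(email, f"Your one-time login code is {code} (valid for 10 minutes)")
        # Deliberately returns nothing: the code must reach the user only via the mailbox.

    def verify(self, email, code):
        """Return 'ok' on success, otherwise a reason string suitable for logging/alerting."""
        email = self._normalize(email)
        pending = self._pending.get(email)
        if pending is None:
            return "no_pending_login"
        if self._clock() > pending.expires_at:
            del self._pending[email]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[email]          # force the user to request a new code
            return "too_many_attempts"
        if not hmac.compare_digest(pending.code_hash, self._hash(email, code.strip())):
            return "invalid_code"
        del self._pending[email]              # single use: a replayed code must fail
        return "ok"


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an email provider
    service = PasswordlessEmailLogin(send_email=lambda to, body: outbox.append((to, body)))
    service.start("john@example.com")          # constructed sample address
    print("mail sent:", outbox[-1])
    sent_code = outbox[-1][1].split("code is ")[1][:OTP_DIGITS]
    print(service.verify("john@example.com", sent_code))   # ok
    print(service.verify("john@example.com", sent_code))   # no_pending_login (single use)
```

The reason strings returned by verify() are the values worth logging: a burst of too_many_attempts or invalid_code results for one address is the detection signal for someone guessing codes, and expired results at scale usually point at email delivery delays rather than an attack.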
The Pros and Cons of Implementing Passwordless Authentication
So, does this mean that you should rush in tomorrow morning to delete ALL passwords from your DB and provide passwordless authentication only?
Let’s wait a bit before deleting them all and first consider the pros and cons of passwordless vs. password-based authentication.
The pros when it comes to passwordless authentication are rather obvious:
- Hardening security – Passwords are always weak. This is true in each and every SaaS application. Human nature drives the users to maintain the same password across all SaaS applications, which leads to an increased risk of password breach.
- UX – Users no longer need to remember passwords, change them every X days, or follow strict password policy rules when changing them, since passwordless offers an easy flow via email.
The cons of the passwordless approach, amongst other things, are:
- Hard to implement – In most cases, email + password is very easy to implement, but a flow where we need to maintain expirations on tokens and ship out emails makes the implementation more complex and increases development costs.
- Still not a standard – While users are used to email and password-based authentication, the “entry point” for passwordless authentication is somewhat limited.
- Dependency on 3rd parties – With email + password-based authentication we can take care of activation immediately. With passwordless, when a user does not receive the activation email, that dependence on email delivery makes the integration harder.
- Less relevant in the case of IDP / SSO based authentication.
When our users log in via SAML and SSO authentication, there is no need for passwordless authentication (at least on the SaaS application side). The users have one password for the entire span of their SaaS operations, and it is the same password that is used for their email login.
Implementing Passwordless Authentication
Passwordless SSO and logins are here to stay. This idea of not requiring a user to remember any passwords to the multiple accounts they are using enhances the level of trust in the authentication flow.
At Frontegg, we took all of these requirements into consideration when building our SaaS as a Service platform. If you have any questions as to what the correct model is for you and what implementing passwordless authentication should look like, then feel free to reach out. We are here to help.
Make sure you check out our latest blog post covering the Top Passwordless Authentication Solutions you Must Consider in 2021.