Not all passwordless methods are created equal


Auth Thoughts is a monthly newsletter produced by Team Descope, the collective consciousness of everyone at Descope. Read on for a monthly roundup from the world of #identity and #authentication.


Which passwordless method wore it best?

Passwords have no place in a popularity contest, and rightly so. But once you start stacking up passwordless authentication methods against each other, the situation becomes a bit more nuanced.

With the presupposition that every method is better than passwords, how do passwordless methods compare against each other? We put together a (non-scientific, opinionated) graph below:

How do passwordless methods compare?

Sharing our workings below:

Passwords: Let’s just nod and move on.

Authenticator apps: TOTP is one of the stronger and more secure forms of authentication available today. However, using it does have some friction that can hinder widespread adoption among all user types. Registering with a QR code, opening a dedicated authenticator app, and filling in the code within a short time limit all introduce friction compared to other passwordless methods.

Magic links: Magic links are very easy to use and are burned into most users’ muscle memory. Their security depends on the security of the user’s email account, which can always be hacked. However, making each magic link single-use and giving it a short expiry can minimize the impact of an email account takeover.

One-time passwords: Most users are familiar with OTP authentication. Whether they receive the OTP over text, email, or a messaging service, all of those channels are firmly ensconced in their mental models, enabling easy adoption. OTP is susceptible to several kinds of attack, however: SIM swapping, man-in-the-middle attacks, shoulder surfing, and social engineering, to name a few.

Social login: If you’re already signed in to the identity provider, social login is often a one-click process and super smooth. It’s fairly secure as well, although its security depends on the security of your identity provider. If your Google or GitHub account gets hacked*, connected accounts can be next in line.

*Probably because the attacker got hold of your password, which brings us back to our bête noire.

Biometrics / Passkeys: When implemented correctly, passkeys and FIDO authentication strike a great balance between security and usability. Since they use asymmetric cryptography, passkeys are unphishable. The actual login process is the finger swipe or face identification you already use to unlock your device. And don’t worry – your biometric data never leaves the device.

This graph is meant more as a discussion point than a diktat. Leave a comment below and let us know what you think!


0 to Auth in 60 minutes


Interested in learning how to add authentication to an application? Join us for Descope’s first 0 to Auth Workshop on May 3rd at 8:30 AM Pacific Time.

In this session, we will add passwordless authentication – OTP and social login with Google – to a full-stack JS application. The workshop is meant for beginners and experts alike, so every developer is welcome. See you there!


Concept corner

We’re always happy to talk auth when given the chance. Here are some refreshers and best practices to keep in mind.

What is an authentication server? An authentication server plays a key role in maintaining and implementing authentication. By serving as a barrier between an app server and client, it ensures that only users with proven identities can obtain access to sensitive information. Learn how an authentication server works.

What is a JSON Web Token (JWT)? A JWT is a compact, self-contained token that, in terms of authentication, helps servers establish trust between an unknown client and themselves. JWTs are mobile-friendly, extensible, and provide enhanced security – we recommend using them! We jotted down some more jot thoughts.


Meme of the month

Broken authentication is usually not funny, but we could all do with some gallows humor.

Spotify Wrapped for passwords

The meme above was posted on AuthTown, our open user community for app builders to come together and learn about authentication. We’d love to have you too!


Hot off the press

Here’s a recap of what’s been happening in the auth world over the past month.

'GhostToken' Opens Google Accounts to Permanent Infection | Dark Reading

Booking.com's OAuth Implementation Allows Full Account Takeover | Dark Reading

Meet PassGAN, the “terrifying” AI password cracker that’s mostly hype | Ars Technica


Helpful resources

Thanks for reading Auth Thoughts! If you’d like any other updates from the world of identity and authentication included in this newsletter, please let us know in the comments below.

Here are some other links to have handy:

Sign up for Descope if you want to use our authentication platform.

Auth Thoughts, if you want to share this newsletter with others.

Identipedia, if you’d like to learn more about concepts around identity and authentication.

Passwordle, if you have 5 minutes to spare and like word games.

See you in May!
