TL;DR. Passwords are unstable and insecure. Instead, go passwordless and allow users to log in with the ease of biometrics (such as Touch ID, Face ID, or Windows Hello) or hardware security tokens (YubiKey). This results in significantly improved security and a better user experience. Building a passwordless authentication flow from scratch is very challenging, so let NoPasswordLogin do it for you.
81% of hacking-related account breaches last year leveraged weak or stolen passwords. Users have to remember their passwords which is difficult and frustrating. Developers have to worry about the complications of passing passwords through systems and safely storing them in databases.
Web Authentication (WebAuthn) is a recent W3C standard backed by major players like Google, PayPal, Mozilla, Microsoft, Airbnb, and Qualcomm. It is part of FIDO2, which is a phishing-proof, passwordless authentication protocol. WebAuthn is a new way of logging into websites that may finally free you and your users from remembering passwords. Instead, you’ll use you: your fingerprint or face, or a hardware token.
The World Wide Web Consortium (W3C) announced that WebAuthn officially became a web standard. It serves as the next step in the industry’s drive toward eliminating, or at least reducing, reliance on passwords and instead focusing on biometrics and other more reliable authentication methods.
It is a credential management API that allows web applications to authenticate users without storing their passwords on servers. The API uses public key cryptography, which involves a private-public key pair: the private key stays on your device and the server holds only the public key, which is useless without the private key.
Passwordless improves security
In traditional authentication, the user types their credentials into the device/browser, and the browser sends those credentials to the server to store and verify. If that data leaks publicly, attackers can try those passwords against other services where the user may have reused them.
That’s not the case for passwordless authentication, where no password is sent over the internet. Only the data generated by the authenticator is sent to the server, and the user is verified at the authenticator level using a PIN, biometrics, etc. From a security perspective, the password can’t be leaked or brute-forced since there’s no password to compromise. This user-friendly process drastically reduces the risks associated with human error in cybersecurity.
Building out an authentication flow using FIDO2/WebAuthn consists of a registration ceremony as well as an authentication ceremony. This can get complicated, and your application can be at risk of attack if it's done incorrectly. FIDO2/WebAuthn innovation is still early, but NoPasswordLogin will keep up to date with its evolution so you don’t need to.
NoPasswordLogin will take care of the communication with the WebAuthn APIs as well as the Registration/Authentication Ceremony. We provide the tools to integrate and configure it easily into your application.
To get started, sign up for a free NoPasswordLogin account and check out the management dashboard. You can log in with your Google account, or use NoPasswordLogin to log into NoPasswordLogin so you can see first-hand how it works :)
We also provide hooks into the registration or authentication flow so you can do further verification checks for a user. We POST a UUID `user_id` along with your headers so you can take further action. Some customers have used this tool as part of their second-factor authentication to give them added security and peace of mind.
It’s super easy! Our React component communicates between the NoPasswordLogin platform and the WebAuthn API. Just add your clientID as a React prop and you are good to go.
Passwordless authentication is a great alternative to the traditional username and password auth because it makes it easier for users to log in and can increase security overall.
Check us out at https://nopasswordlogin.com and add passwordless to your authentication flow for free.
Email us at firstname.lastname@example.org or join us on Slack to speak to us more about integrating passwordless into your application. Talk to one of our security consultants or architects to help build your application with passwordless login.