Over the past decade, many high-profile websites have been compromised, and large amounts of financial and user information have been dumped on the internet, exposing users to identity theft. Most of the affected companies claim that the passwords were hashed with a salt and that the hackers will not be able to get the cleartext passwords from those hashes, yet in the same email they ask users to change their passwords immediately. The two statements contradict each other, which indicates a possibility that the passwords can be converted to cleartext after all.

Many users have the bad habit of reusing a password on different websites, so a hacker who gets access to the cleartext password can do a lot of harm to the user, not just on the compromised website but also on other sites where the user has used the same password.

Companies have now started implementing password-less logins on their websites, a mechanism that bypasses the need for a password. These password-less logins are getting popular: you don't have to remember your password every time you log in. Some users use different passwords for different websites but have a hard time remembering them.

Password vaults are also getting popular, but this is like keeping all your money in a single vault: if it gets compromised, you are suddenly broke.

What is password-less login and how does it actually work?

Password-less login is a technique that lets you log in to your accounts without using any password. Companies implement it in a few different ways. Let's discuss them one by one.

  • Sending a magic link by email:
    • Some high-profile websites, such as Slack, implement this functionality. You just enter your email address in the login field and the site sends you a magic link that lets you log in without a password. Email providers take security seriously, but most of the time email is not encrypted between mail servers, and this poses a significant risk: the tokens can even be sniffed over an insecure network if the basic security protocols have not been implemented.
  • Sending an OTP via SMS or email:
    • In this method, the application sends an OTP (one-time password) via SMS or email to the user's registered mobile number or email address. To log in, the user has to enter the correct OTP, which eliminates the need for a password, and the user gets logged in. If the application lacks basic protections such as rate limiting or a CAPTCHA on the OTP, an attacker may brute-force the OTP and gain access to the victim's account.
  • Authentication via logged-in users:
    • This is implemented by Google. Let's take an example to understand how it works. Suppose you have an Android device on which you are signed in to your Google Account. As soon as you try to log in from a desktop, Google sends a notification to your Android device asking for approval, and as soon as you approve the request you are automatically signed in to your account. The notification may also ask for additional verification, for example if you try to sign in from an unknown IP address. This only works under certain conditions: your account has to be signed in on a mobile device so that you can approve the login. This seems secure, but it can put your account in jeopardy if someone gets access to your device for just a few seconds.
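An added example (not from the original article) of the OTP protections named above: a verifier that caps wrong guesses per issued code, expires codes, rejects replays and throttles re-issuance. The class name, constants and limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed code length
OTP_TTL = 300           # assumed lifetime in seconds
MAX_ATTEMPTS = 5        # assumed guess budget per issued code
RESEND_INTERVAL = 60    # assumed minimum gap between codes for one user


class OtpVerifier:
    """Hypothetical in-memory OTP store; a real service would persist this state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side key for the stored MAC
        self._pending = {}                    # user -> state of the current code

    def _mac(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Return a fresh code to send by SMS/email, or None if asked too soon."""
        now = self._clock()
        prev = self._pending.get(user)
        if prev and now - prev["issued_at"] < RESEND_INTERVAL:
            return None   # otherwise re-requesting would reset the guess budget
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = {"mac": self._mac(user, code), "issued_at": now,
                               "attempts_left": MAX_ATTEMPTS}
        return code

    def verify(self, user, code):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'rejected'."""
        entry = self._pending.get(user)
        if entry is None or entry["attempts_left"] <= 0:
            return "rejected"                 # nothing issued, already used, or locked
        if self._clock() - entry["issued_at"] >= OTP_TTL:
            entry["attempts_left"] = 0
            return "expired"
        entry["attempts_left"] -= 1           # count the attempt before comparing
        if hmac.compare_digest(entry["mac"], self._mac(user, code)):
            entry["attempts_left"] = 0        # single use: a replay is rejected
            return "ok"
        return "locked" if entry["attempts_left"] == 0 else "wrong"
```

With these assumed limits, each issued code admits at most five guesses out of 10^6 possibilities, and a new code can be requested only once per minute.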

But the question still remains…

How secure are these password-less logins?

These practices are only as secure as their users and their implementation. Password-less login is a good practice as long as users are able to keep their devices completely safe. But this is just one layer, and when we talk about security, having multiple layers is always better. Hence, if you combine these techniques with a password and use the practice known as 2FA (two-factor authentication), that would be the best option available.


Shubhani Rawat 20 Mar 2019

Hi, I am Shubhani. I am a Technical Writer at Spicemoney.

Comment (2)

jayveer singh

Commented on October 22, 2019

Nice

Reply (Admin)

Commented on October 22, 2019

Thank you jayveer

sukhendra singh

Commented on December 25, 2019

nice blog