In this post, I will be covering an authentication approach called Passwordless Authentication. This approach can improve user onboarding and login experience.
Passwordless Authentication allows users to log in to their accounts without a password. Instead, the user must enter a one-time code (OTP) each time they log in: they submit their email address or phone number, and the system sends them a one-time code to complete the login.
The diagram above describes the authentication flow of Passwordless Authentication. This approach offers several benefits:
Eliminates the need to manage, store, rotate, and reset passwords. Managing passwords is expensive in the traditional username-password login option because the application owner has to implement different security policies to protect them.
Strengthened login security. There is no longer a fixed password for login; instead, every time the user logs in, they receive a one-time code by email or SMS. The traditional username-password login option can be attacked by brute force, phishing, keylogging, etc.
Improved user experience. The user no longer needs to remember a password; instead, they receive a one-time code by email or SMS. (I always use the reset password function😅)
When implementing passwordless authentication, you need to take care of the temporary login code. For the sake of security the code should be short-lived, which means you need to set a reasonable expiry time. If the code has not been used within that period, it should expire automatically. The code should also be revoked as soon as the user has used it, so it cannot be replayed.
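The code lifecycle described above (expiry, single use, and revocation), as an added Python example that is not part of the original post. The in-memory store, the five-minute TTL and the five-wrong-guess limit are assumptions; the code is hashed before storage so a leaked store does not reveal live codes.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL_SECONDS = 300   # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is discarded

# In-memory store keyed by the user's email address or phone number (assumed).
# A real deployment would keep the same fields in a database or cache.
_store: Dict[str, dict] = {}


def _digest(code: str) -> str:
    # Only the hash is kept at rest, so the store never holds a usable code.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(identifier: str, now: Optional[float] = None) -> str:
    """Create a fresh single-use code for the identifier and return it for delivery.
    Issuing again for the same identifier replaces (revokes) the previous code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
    _store[identifier] = {
        "hash": _digest(code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # hand this to the email/SMS sender; never log it


def verify_code(identifier: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a correct, unexpired code. The record is
    revoked on success, on expiry, and after too many failed attempts."""
    now = time.time() if now is None else now
    record = _store.get(identifier)
    if record is None:
        return False
    if now >= record["expires_at"]:
        del _store[identifier]   # expired: revoke the unused code
        return False
    record["attempts"] += 1
    if hmac.compare_digest(record["hash"], _digest(submitted)):
        del _store[identifier]   # single use: revoke right after success
        return True
    if record["attempts"] >= MAX_ATTEMPTS:
        del _store[identifier]   # too many guesses: revoke, user must request a new code
    return False
```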
If your email vendor is not reliable, what will happen?
But what about the costs for SMS and email providers? Imagine if you have more than 1000 logins per day?
That can be a heck of a cost...