How Passwordless Authentication Boosts Security and Usability

By Community Team

The issue of securely identifying and authenticating users has been a challenge for developers since computer systems became commonplace. If you are storing sensitive information on computers or servers that other people have access to, or using an online account, you will want to keep your data secure. Usernames and passwords have been the obvious choice for security for a long time, but they are not a perfect system. The team at Auth Armor is changing the way businesses think about account security.

We talked to the team from Auth Armor about usernames, passwords, and multi-factor authentication, and how they are helping businesses improve their account security while giving users a smoother and more friction-free experience.

Let us start with the basics: what is the issue with passwords?

Authentication processes tend to focus on one of three things:

  • Something you know
  • Something you have
  • Something you are

Passwords fall into the first category, and that presents a few problems. Firstly, passwords can be forgotten, and this leads to users writing down passwords. Secondly, they can be guessed and cracked. And maybe most dangerous of all, passwords are based on shared secrets. Both sides need to know the secret (the password). What happens when the server is compromised? Now the password is exposed, and the user has no idea about it. Shared secrets are the root of the problem with passwords. In 2022, there were an estimated 24 billion username and password combinations leaked and made available on the dark web, and that figure increases every year.

If you are trying to protect something especially important such as financial or medical information, passwords may not be secure enough by themselves. Conversely, when less security is needed, a password could present too much friction. Forgotten passwords are a common reason for user churn and abandoned shopping carts.

The traditional username and password way of authentication used to be sufficient, but in today’s world, with supercomputers, hacks and breaches occurring frequently, the need to deal with lost, stolen or phished login credentials rapidly becomes apparent.

Can’t you solve insecure passwords with password length/complexity requirements?

Setting password complexity requirements may discourage users from choosing poor passwords such as “letmein” or “1234” but beyond that it offers only marginal security improvements. Wordlists such as All-In-One, Rockyou, and HaveIBeenPwned contain a huge number of commonly-used passwords sourced from previous data breaches. The reality is password complexity is a poor solution to the problem, and often exacerbates the problem with password security, as many people will write them down somewhere because they are too complex.

A computer with a single GeForce 4090 GPU – expensive, but consumer-grade hardware – can brute force an 8-character password in just 48 minutes. Longer passwords will, of course, take longer to brute force, but the conventional wisdom of telling users to choose a password that contains upper and lower case letters, numbers and special characters simply isn’t conducive to creating passwords that are secure. Cracking passwords is not the most effective way to attack accounts, but it is still performed and will only continue to get more efficient and faster, making it a more used method for account takeovers and breaches.

Doesn’t 2FA/MFA address some of those issues?

Using a second authentication factor can help with these issues in that it adds an extra barrier for attackers to overcome. However, depending on the method of authentication chosen, it can create new issues.

SMS-based 2FA is vulnerable to SIM-swap attacks, and less sophisticated attackers can also often bypass this form of 2FA by sending fake SMS messages to the user’s phone number. Anyone can send an SMS that looks like a real code and trick someone into entering it.

TOTP-based 2FA is based on shared secrets that the server and the mobile device have. However, these secrets cannot be hashed like passwords; therefore, once a server breach has occurred, the hacker can generate unlimited codes on behalf of the user.

Any 2FA/MFA method that requires typing in codes also introduces friction and is error prone.

Can’t people just use authenticator apps instead?

Not all authenticator apps are equal. Some authenticator apps are a step up from SMS-based authentication, utilizing TOTP codes, but they are still not foolproof. They rely on shared secrets as we talked about before, which can be stolen. At Auth Armor, we feature a biometric-enabled authenticator app that does not use any shared secrets and instead uses biometric authentication right from the user’s own device.

You mentioned negative impacts on the user experience; can you give some examples?

Usernames and passwords worked well enough when people were accessing only one or two digital systems per day. Now that almost everything in the average person’s working and personal lives has gone digital, it is less practical.

The average person has more than 100 passwords. Or, more precisely, they have more than 100 accounts with passwords. They probably re-use passwords across those accounts to save them from having to remember so many different account credentials.

When users re-use passwords, all it takes is a breach at one organization to start the cascade of problems. Once a hacker gets the password from somewhere else, they can now attack all the user’s accounts that used the same password. This is a huge problem for businesses because this is something you cannot protect against. Even if your system is the most secure password-based system around, all it takes is for another website or app to have poor security, the password is exposed, and now your service is vulnerable to attack.

Typing usernames and passwords can be quite slow, especially on a mobile phone. An adult who has been using the Internet personally and professionally for many years may have accounts attached to several different email addresses. They may even have changed usernames over the years, so they have two things they need to remember for each account.

Add in a second authentication factor and things become more frustrating. What if they are using codes sent by email as a second factor, and the code goes to their spam folder?

Failed login attempts are frustrating. Many websites start showing cryptic CAPTCHAs to users after a couple of failed attempts, then either prevent the user from trying again for a set period of time or require a password reset after a given number of failures.

In the workplace, this kind of issue can hamper productivity and places extra load on the IT department doing password resets. For consumer-focused apps, the added friction of being locked out of an account can be a major source of user churn and lost conversion.

That is why we are such huge advocates of passwordless authentication. It is more secure and it is easier to use.

How does passwordless authentication help with these issues?

Passwordless authentication goes back to basics. Instead of getting the user to prove what they know or what they have, you can use the built-in security chips that nearly all devices now have. This includes biometrics and other strong authentication methods to authenticate people based on “what they are” using FaceID or fingerprints, and sometimes a combination of “what they are” and “what they know” by using PINs or lock patterns. This information is not shared and utilizes the secure chip on the device to generate a cryptographically secure message to prove the user is who they say they are.

Unlike authenticator apps based on shared secrets, Auth Armor features a biometric authenticator app that uses the WebAuthn standard for increased security. Users cannot forget their username or password, and cannot have their login details brute forced, phished, or otherwise compromised.

Logging in with biometrics reduces the friction and is much faster than typing a username and password. Using passwordless can slash the number of failed login attempts seen on your app or website and can cut the time it takes users to log in by around 70%. This means less work for your account support teams, happier users, and reduced user churn.

What about people who do not have modern smartphones, or who do not have a smartphone at all?

We appreciate that while smartphones with fingerprint readers and/or FaceID are common, they are not ubiquitous. Fortunately, it is possible to implement passwordless authentication in other ways using WebAuthn and FIDO. For example, unlocking an account can be tied to the PIN used to unlock the phone.

Another option is MagicLink emails. With this login option, all a user must do is provide their email address, and they will be sent a one-time-use link to unlock the app. There is no password to enter. MagicLink is a popular authentication option because users typically have their email accounts already set up on the devices they use regularly, so they do not have to worry about keeping track of multiple usernames and passwords.

We also offer an option for scanning a QR code for instant authentication without a username. For example, if a user wants to log in on their laptop or a tablet device, they can scan a code on their already-authenticated smartphone to log into this additional device.

How comfortable are users with passwordless authentication?

Today a growing number of services already use passwordless authentication, from fintech companies to shopping apps. Smartphones are common across most demographics now, and even the most non-technical end user is likely to have scanned a QR code in a restaurant or feel comfortable entering a PIN or using the fingerprint sensor in response to a prompt. These are actions they do whenever they unlock their phone or use Google or Apple Pay.

We have found that when developers offer passwordless authentication as the default option, users adopt it quite readily and benefit from the friction-free login experience.

Persuading existing users of older apps that already have username and password login options set up can sometimes be harder. However, we offer some suggestions for UI “nudges” to encourage users to upgrade their accounts to passwordless and have found that over time developers can help their users transition from legacy authentication to a smoother and more secure passwordless experience.

How easy is it to implement passwordless for new apps?

Our state-of-the-art authentication platform is easy to use. We offer a powerful but simple API that is easy to integrate into websites, apps, and services. We also provide an array of tools and SDKs, such as our robust JavaScript SDK and libraries for a variety of popular programming languages and stacks. We have created several demonstration websites to showcase sample use cases. Check out our documentation for all this and more.

We offer several methods of secure authentication and authorization, including our biometric authenticator app, QR code scanning, real-time push messaging, native WebAuthn and MagicLink emails. Our APIs and tools make it easy to implement any authentication use case, no matter what language your app or website is written in, or what platform it is running on.

What about existing applications?

If you already have an app or website up and running and you are using traditional usernames and passwords, it is easy to add passwordless authentication as an additional login option. We recommend that developers then add a post-login prompt to their app to ask users to upgrade their account to use passwordless.

If a user repeatedly skips the upgrade option, you can add a modal prompt explaining the features and benefits of going passwordless. Give users a deadline to transition their accounts themselves, then make the setup option unskippable after that deadline. We have found this migration strategy works incredibly well for many of the developers that work with us.

Any final words?

The login screen is the first thing users see when they visit and come back to your website or app. Offering a frictionless login experience is critical to user retention. It is something we are deeply passionate about at Auth Armor, and we have invested a lot of time and effort into making it possible for developers to provide a secure, reliable, and low-friction login experience.

We provide simple API pricing, including free tiers, for everything from independent developers and community/non-profit users up to large enterprises with huge user bases. We also provide special pricing for startups and nonprofits. No matter how large or small your project is, you can offer a smooth and polished authentication experience for your users with Auth Armor.

Check out our website to get started, read whitepapers, resource guides and more. Feel free to reach out and set up a demo or just a quick chat to learn more about passwordless authentication.