Erin Bensinger for The DEV Team


#DevDiscuss: Passwordless Authentication

image created by Margaux Peltat for the Chilled Cow YouTube channel

Time for #DevDiscuss – right here on DEV 😎


Inspired by @dagnelies's Top 7 post, tonight’s topic is...passwordless authentication!

Questions:

  • Is passwordless authentication the future, a big mistake, or somewhere in between?
  • Have you implemented passwordless authentication in any of your applications? What tools did you use, and how did it work?
  • What pitfalls, traps, and flaws should devs be aware of when implementing passwordless auth?
  • Do you have any stories of passwordless triumphs and/or fails?

Oldest comments (33)

Thomas Broyer

Passkeys finally look like a usable and safe (by synching the passkeys between devices) way to do passwordless auth.

It's a bit too early for passkeys, but at least applications could propose WebAuthn as a complement to passwords for now.

Phil Nash

Passkeys absolutely are intended to be the winner here, and because passkeys are now possible in iOS and, I believe, at least in Chrome Canary/Beta, I think that this is the time to start progressively enhancing registration/login flows to work alongside passwords for now and eventually replace them.

The syncing part of passkeys is cool, but we do need to get users used to it, as well as used to the QR code method of using a passkey across devices when syncing isn't available. There might be some short-term user experience degradation as people figure that out, but once we're over that, passwords can be buried.

Ben Halpern The DEV Team

Is passwordless authentication the future, a big mistake, or somewhere in between?

I'd say very much yes: passwords probably are this really funny "early days of computers" thing that won't stick around usefully long-term.

The problem is that we are sort of in an extended hellish in between of all the different ways to authenticate, and we might be that way for a while.

I think the right authentication for the future has to be sort of an abstraction over all the different stuff that came before it, and I don't know if we're there yet.

Frank Friel

I'm amazed that we haven't come up with the ability for people to leverage blockchain for securing their online and digital identity. The blockchain could be leveraged for so many digital tasks it makes it the perfect solution. This would allow citizens to do things such as pay for services, vote, and communicate online securely and with validation and verification.

Mike Talbot ⭐ • Edited

It's an interesting idea, but blockchains are normally public and anonymous, so I'm not sure how you could record something in it that helped. I think this is one of blockchain's biggest problems as a payment gateway: wallets get identified and then you have a permanent record of all of your financial transactions available to anyone, and avoiding that for passwords would be vital. Blockchain funds very much work on the principle of passwords (or keys) - "Your keys, your bitcoin; not your keys, not your bitcoin" is the problem with exchanges and hacks etc.

Kote Isaev - #StandWithUkraine

Why do we need a blockchain if we can have a federated app based on standard tech, like ActivityPub, Node.js, Mongo or MariaDB, and some React/React Native UI? Why blockchain, if it will just be some append-only database deployed in a federated per-server fashion?
In the context of identity, such a federated app can in essence be an analog of a federated Keybase app: store public keys and signed (with the related private keys) annotations/bindings to keys, without storing any private keys on servers.

Joe Mainwaring • Edited

Is passwordless authentication the future, a big mistake, or somewhere in between?

I'd say it's one-part marketing gimmick, and 2 parts evolving the consumer end of authentication to reflect the state of technology we have at our disposal.

Have you implemented passwordless authentication in any of your applications? What tools did you use, and how did it work?

This may sound arrogant or crass, but I'm going to say yes, as the concepts of passwordless authentication aren't new. SAML, for example, will federate authentication without a password.

What pitfalls, traps, and flaws should devs be aware of when implementing passwordless auth?

Broadly speaking - be aware that Auth as a mature feature is not a small effort. Building your own user/password auth is a good exercise for learning, but not something you necessarily want to scale & maintain for the next 10 years. I avoid building my own auth these days, instead favoring third-parties like Auth0 or Okta.

Do you have any stories of passwordless triumphs and/or fails?

No stories, but I'll take the opportunity to give 1Password a shout out. They're an awesome product as a user for password management, and I'm loving their solution for managing and deploying secrets across my environments. The developer experience working with them has been awesome!

Thomas Bnt • Edited

Is passwordless authentication the future, a big mistake, or somewhere in between?

For me, it's a good choice to avoid accounts being hacked with a normal email + password credential. This is very simple and secure.
Having a private key like an SSH key is just awesome ✨


I'm using some websites that use just email: you check your email and click on the link to validate it's you. That is one of the better ways to authenticate! 🙌

JoelBonetR 🥇 • Edited

That's an interesting topic, I'll stick around.

I want to apply passwordless to a project, but further developments on other projects are consuming my time (and my soul 😂), so I don't think it will be till March that I'm able to start the given side project, and the info shared here can be quite useful!

Thomas Bnt

Oh thanks for telling me what it was called. I couldn't remember. 😆👍🏼
And yes, like all systems, we must be careful indeed.

Thomas Bnt

Ouch 🙏

PassageNick

Not only is it seen as more secure and user-friendly, it *is* more secure and user-friendly. ;-)

Safiul islam • Edited

I don't know if it is properly passwordless or not, but I implemented an OTP-only authentication system. I was thinking about implementing 2-factor authentication with email/phone. At that time I realized: if I need to secure passwords with 2-step verification, then why do I need a password? There is no point in using the password. At the same time, with OTP-based authentication I don't need to create any API route for resetting passwords either. Here is my git: github.com/ishafiul/passwordless-auth
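The OTP-only login Safiul describes, and the emailed link Thomas Bnt mentions earlier in the thread, rest on the same server-side core: issue a short-lived, single-use secret, store only a keyed hash of it, and bound the number of guesses so a 6-digit space cannot be brute-forced. This Python sketch is an added example, not code from the linked repository; the in-memory store, the injectable clock, the 5-minute TTL, the 5-attempt cap and the process-local server key are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumption: after 5 guesses the code is discarded
# Constructed for the example: in production load this from a secret manager.
# Keyed hashing means a leaked database row alone does not reveal the code.
SERVER_KEY = secrets.token_bytes(32)


def _mac(user_id: str, secret: str) -> str:
    # Bind the secret to the user so a code issued for one account
    # cannot be replayed against another.
    return hmac.new(SERVER_KEY, f"{user_id}:{secret}".encode(), hashlib.sha256).hexdigest()


class OtpStore:
    """In-memory pending-login store; a real deployment would use a DB or cache."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user_id -> {"mac", "expires", "attempts"}

    def issue(self, user_id: str, link: bool = False) -> str:
        # Magic-link tokens get 256 bits of entropy; SMS/email codes get 6 digits
        # drawn from a CSPRNG (never random.randint).
        secret = secrets.token_urlsafe(32) if link else f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = {
            "mac": _mac(user_id, secret),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return secret   # delivered out of band; do not write it to server logs

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user_id]            # expired: force a fresh issue
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user_id]            # lockout: even the right code now fails
            return False
        ok = hmac.compare_digest(entry["mac"], _mac(user_id, submitted))
        if ok:
            del self.pending[user_id]            # single use: a code never verifies twice
        return ok
```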