
Password reset; issues, alternatives and safety

source link: https://www.arengu.com/blog/password-reset-issues-alternatives-and-safety

Growth & Marketing

January 18, 2023


Helena Abad

Growth Specialist

Passwords are used for almost every account we open, but are they still the best option? And how could we improve the user experience of registering for an account?

Passwords are not user friendly. When users open a new account, companies usually urge them to create a random password that satisfies a list of requirements (upper case, lower case, numbers, special characters, longer than 8 characters, etc.). Consequently, users end up unable to recall the password they chose. Besides, users open new accounts continuously, and remembering all of those passwords is not an easy task…

All these situations are a source of frustration for users; one study found that 75% of Americans struggle with keeping track of their passwords.

Passwords are easy to crack because they are often not secure enough. Attackers are able to break into many accounts simply because users end up choosing weak passwords. For example, against a password-based system a bad actor may use a dictionary attack, often considered the most rudimentary technique: trying candidate passwords from a list until one matches.

According to Google’s findings:

  • Almost a quarter (24%) of Americans have used some variation of the following weak passwords: abc123, Password, 123456, Iloveyou, 111111, Qwerty, Admin, and Welcome.
  • 59% use their name or birthdate in their password.
  • 43% have shared their password with someone.
  • Only 45% would change a password after a breach.
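The findings above translate directly into a registration-time check. The following Python function is an added example (not code from the article or from Arengu): it screens a candidate password against the common passwords named in the list, and against the user's own name and birthdate, the two choices the survey figures flag. The denylist is constructed from the passwords quoted above, the 8-character threshold follows the article's own requirement, and the birthdate formats checked are assumptions.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed denylist: the weak passwords cited above plus a few obvious variants.
# A real deployment would load a far larger list of known-breached passwords.
COMMON_PASSWORDS = {
    "abc123", "password", "123456", "iloveyou", "111111",
    "qwerty", "admin", "welcome", "12345678", "letmein",
}


def _normalise(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols, so that 'Password1!' is
    treated like 'password' (the usual way users pad a weak password to pass
    a complexity checker)."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def password_problems(password: str, name: str = "",
                      birthdate: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is weak (an empty list means acceptable).

    `birthdate` is an ISO date string such as '1990-02-14'; assumed input format.
    """
    problems: List[str] = []

    if len(password) < 8:
        problems.append("shorter than 8 characters")

    if _normalise(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # Any part of the user's name (3+ letters) embedded in the password.
    lowered = password.lower()
    if name and any(len(p) >= 3 and p in lowered for p in name.lower().split()):
        problems.append("contains the user's name")

    # Common ways a birthdate is written: year, day-month, month-day and full dates.
    if birthdate:
        bd = date.fromisoformat(birthdate)
        digits_in_pw = re.sub(r"\D", "", password)
        forms = {bd.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d")}
        if any(f in digits_in_pw for f in forms):
            problems.append("contains the user's birthdate")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, who, born in [("Password1!", "", None),
                          ("Helena1990!", "Helena Abad", "1990-02-14"),
                          ("correct horse battery staple", "", None)]:
        print(repr(pw), "->", password_problems(pw, who, born) or "ok")
```

The normalisation step matters more than the list itself: most "complex" passwords that fail in practice are a denylisted word with a digit and a symbol appended, which a plain set lookup would wave through.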

Password reset flow

A password reset flow is essentially a passwordless login with many additional steps tacked on. 

If the user forgets their password, a link is sent to their email account, and from that link they can create a new password. But instead of receiving a quick email login link, otherwise known as a “magic link”, users will see something like this:

[Image: the screens of a typical password reset flow]

In this case, for what is essentially a simple email verification, the user must navigate six different screens to set up a complex new password that they will end up forgetting after 2 days.

A better option is an email magic link, which reduces the annoying 6-step process to two simple steps. When a user clicks the “Forgot password?” button, they are prompted to enter their email address. If that address is registered with the app, they receive a magic link in their inbox which, when clicked, automatically signs them back into their account.

That’s it. No complicated new password, no compromised security. Once a magic link is used, it becomes invalid, so nothing is left behind that could put the account at risk.
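The single-use behaviour the previous paragraph relies on is easy to get subtly wrong, so here is an added example of how a magic-link service can enforce it. This is illustration code, not the article's or Arengu's implementation: it issues a random token, stores only a SHA-256 hash of it (so a copied database cannot be replayed as a link), and refuses a link that is unknown, expired or already redeemed. The base URL, the 15-minute lifetime, the in-memory store and the `clock` parameter are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset/login link


@dataclass
class MagicLinkRecord:
    token_hash: bytes
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues single-use, expiring login links and redeems them exactly once.

    The raw token only ever exists inside the email; the server keeps its hash.
    """

    def __init__(self, base_url: str, clock: Callable[[], float] = time.time):
        self.base_url = base_url
        self.clock = clock                      # injectable for tests (assumed design)
        self._records: Dict[bytes, MagicLinkRecord] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, email: str) -> str:
        """Create a fresh link for `email` and return the URL to put in the email."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        rec = MagicLinkRecord(self._hash(token), email, self.clock() + LINK_TTL_SECONDS)
        self._records[rec.token_hash] = rec
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the email to sign in, or None if the link is unknown, expired or already used."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True                         # single use: a second click is rejected
        return rec.email


if __name__ == "__main__":
    svc = MagicLinkService("https://app.example")  # constructed base URL
    link = svc.issue("user@example.test")
    token = link.split("token=", 1)[1]
    print("first click :", svc.redeem(token))   # the email address
    print("second click:", svc.redeem(token))   # None: link already spent
```

Marking the record used before returning (rather than deleting it afterwards) keeps a double click or a second request from racing ahead of the invalidation; in a real store that mark should be an atomic compare-and-set.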

According to a Mastercard and Oxford University study, one in three online purchases is abandoned during the checkout process because of a forgotten password. The study also revealed that 21% of users forget their passwords after two weeks, and 25% of users reset one password daily.

The Path to Passwordless

The future of registration will move from passwords to passwordless authentication, enabling a modern and convenient digital transformation. Passwordless methods eliminate the dependency on passwords, create a better user experience, reduce IT time and costs, and provide better security for accounts.

Some of the alternatives for passwordless signup:

  • Email link (Magic Link) Authentication

Also known as email login, this is a one-time-use link sent to the user during the authentication process. When the user clicks the link, a new page opens where they are already logged in.

  • Email OTP Authentication

Also known as a one-time password (OTP), this is a code sent to the user’s inbox that must be entered in the verification step during signup. After entering the code, the user is logged in.

  • Biometric Authentication

Another way to authenticate the user is with fingerprint authentication, facial recognition or a retina scan. This way, the user does not need to type any code or click any link. Fast and easy!

  • Social login

Also known as social sign-up. Users just need an existing social account such as Google, Facebook or LinkedIn. When they click that social button, they are logged in through the credentials they already hold with that social network.
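The Email OTP option above differs from a magic link in one important way: a short numeric code has only a million possible values, so the server must also cap how many guesses it accepts. The following Python service is an added example (not code from the article or from Arengu) of issuing and verifying such a code: the code is generated from the OS CSPRNG, stored only as a hash bound to the email address, expires after a short time, is consumed on first success, and is burned after too many wrong attempts. The 6-digit length, 5-minute lifetime, 5-attempt limit and in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6               # assumed code length
OTP_TTL_SECONDS = 5 * 60     # assumed: short codes should expire quickly
MAX_ATTEMPTS = 5             # assumed: cap guesses, since 10^6 codes is a small space


@dataclass
class OtpChallenge:
    email: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class EmailOtpService:
    """Issues one-time email codes and verifies them with expiry and attempt limits."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                       # injectable for tests (assumed design)
        self._challenges: Dict[str, OtpChallenge] = {}

    @staticmethod
    def _hash(email: str, code: str) -> bytes:
        # Bind the code to the address so a code issued for one mailbox
        # cannot be submitted together with another address.
        return hashlib.sha256(f"{email}\x00{code}".encode()).digest()

    def issue(self, email: str) -> str:
        """Create a fresh code for `email` (replacing any outstanding one) and return it for emailing."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[email] = OtpChallenge(
            email, self._hash(email, code), self.clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """True exactly once for the right code; False for wrong, expired, reused or locked-out codes."""
        ch = self._challenges.get(email)
        if ch is None or ch.consumed or self.clock() > ch.expires_at:
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code_hash, self._hash(email, submitted)):
            ch.consumed = True                   # single use, like a magic link
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[email]          # burn the code; the user must request a new one
        return False


if __name__ == "__main__":
    svc = EmailOtpService()
    code = svc.issue("user@example.test")        # constructed address; code would go in the email
    print("wrong code accepted?", svc.verify("user@example.test", "000000" if code != "000000" else "000001"))
    print("right code accepted?", svc.verify("user@example.test", code))
    print("replay accepted?    ", svc.verify("user@example.test", code))
```

Counting the attempt before comparing, and deleting the challenge when the limit is reached, means an attacker who learns nothing from timing (the comparison is constant-time) also cannot keep guessing against the same code; each new request from the legitimate user starts a fresh code and a fresh counter.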

[Image: Photo by Towfiqu barbhuiya on Unsplash]

Is Passwordless Authentication Safe?

The safety of passwordless authentication depends on what you mean by “safe”. If you mean an alternative that is more difficult to crack, then the answer is definitely yes. But if you mean an alternative that can’t be hacked at all, no such authentication system exists.

If you reuse the same credentials everywhere you go, you create a massive hole in your security. This can be mitigated by replacing weak passwords with passwordless authentication, which is much harder to crack and drastically increases the security of your accounts.

Having said that, passwordless login doesn't solve all security problems associated with passwords. Instead of a password, you're relying on something else.

  • If you're using a smartphone authenticator or hardware token, your login depends on it. If your device gets stolen or broken, you could be locked out of your services for a while.
  • When using biometric data, a high level of quality is necessary so that the system does not accept photocopies instead of real faces in identity theft attempts.

In addition, when it comes to biometric data, some users are privacy-conscious and opposed to anything that collects such sensitive data, so you need another option to authenticate them.

Conclusion

If you think passwordless authentication will solve all the problems related to user registration, that won’t be the case. It still requires maintenance and good cyber hygiene to keep your users safe from online threats. However, it goes without saying that this alternative is currently the best option on the market to reduce friction and increase security.

