Password-Less Authentication

27th September 2019

At Trickle, we don’t use passwords to authenticate our users. Instead, we send an email to a registered email address with a one-time access link. Why do we do this? Read on to find out!

Most websites authenticate people with passwords, and 86% of passwords are terrible.

https://www.troyhunt.com/86-of-passwords-are-terrible-and-other-statistics/

To combat this, a lot of sites try to enforce rules that make the password more secure.

One of two things will happen: either people will use incredibly weak passwords (that still meet the security rules) or they will write them down and subsequently lose or forget them! Enter… “password reset”, which is usually done by sending an email to the user. It’s ultimately just a way of authenticating someone by proving ownership of their mailbox.

This creates an interesting “weakest link in the chain” effect. Even if the password is the most secure password ever, the password reset functionality reduces the security of the account to that of the mailbox. An attacker can simply bypass the password using the password reset function, assuming they can access the mailbox.

Thus we have the following observations:

  1. 86% of passwords are terrible.
  2. The remaining 14% of good passwords are only as secure as the mailbox they are linked to.
  3. Passwords are a giant pain for everybody involved, and can actually prevent people from completing sign-up.

We can solve problems 1 and 3 by removing passwords entirely and authenticating via the mailbox every time. And thanks to point 2 we do not reduce the overall security of the system.

In fact, since passwords are considered the primary weakness, security is actually increased if additional security measures are deployed within the organisation’s own enterprise email system (such as 2-factor authentication, password rotation, complexity rules etc.).

In summary, password-less authentication gives us the following benefits:

  • Improved security. No more weak passwords. No more password database leaks.
  • Single Sign On. If the user can access their mailbox, they can access Trickle.
  • The security of Trickle can “piggyback” on the security of the organisation’s enterprise email system and thus inherit any investment made in this area. This can help to satisfy internal security policy requirements.
  • Improved sign-up/sign-in experience for users. No extra passwords to create, remember, or write down.
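The one-time access link described above, as an added example that is not Trickle's own code: a random token is issued, only its hash is stored alongside an expiry, and the token is consumed on first use so a link cannot be replayed. The in-memory store, the login URL and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store standing in for a database table.
# Maps sha256(token) -> (email, expiry_epoch). Only the hash is kept, so a
# leaked table does not hand out usable login links.
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a link


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email: str, base_url: str = "https://example.test/login",
               now: Optional[float] = None) -> str:
    """Mint a single-use login link for `email`; the caller emails it to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"{base_url}?token={token}"


def token_from_url(link: str) -> str:
    """Extract the token query parameter from a link produced by issue_link."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is unknown, used or expired.

    Lookup is by hash, so an attacker who does not hold the token cannot choose
    the key being compared; the entry is removed whether or not it is still valid,
    which makes every link strictly single-use.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None
```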

The world would be a better place if there were far fewer passwords to remember.

We are doing our bit to help!
