Passwordless Authentication

This method uses unique biological characteristics to verify identity. Common implementations include:

• Fingerprint scanners (Touch ID)
• Facial recognition (Face ID, Windows Hello)
• Iris or retina scanning
• Voice recognition The biometric data is typically stored and processed locally on a Trusted Platform Module (TPM) or secure enclave on the user's device, never on a remote server. It provides a seamless user experience but depends on the security of the local hardware.

One-Time Passcodes are time-sensitive, single-use codes sent to a user's verified possession. While often used as a second factor, they can be primary in passwordless flows. Types include:

• Time-based OTP (TOTP): Generated by an authenticator app (e.g., Google Authenticator) using a shared secret and the current time.
• SMS OTP: Code sent via text message. Less secure due to SIM-swapping and interception risks.
• Email OTP: Code sent to a registered email address. OTPs are more secure than static passwords but can be phished or intercepted.

A magic link is a unique, time-limited URL sent to a user's registered email address. Clicking the link authenticates the user without entering a password. The system validates the token embedded in the link. This method is simple to implement and user-friendly but has security considerations:

• Relies on the security of the user's email account.
• Vulnerable if the email is intercepted or the inbox is compromised.
• Requires the user to switch contexts from the app to their email client.

Hardware security keys are physical devices (e.g., YubiKey, Titan Key) that implement the FIDO U2F or FIDO2 protocols. They provide the strongest form of phishing-resistant, possession-based authentication. The private key is generated and stored on the device, which requires a physical touch (button press) or PIN to authorize a login. They are used for:

• Two-factor authentication (2FA)
• Passwordless login (as a FIDO2 authenticator)
• Multi-factor authentication (MFA) scenarios They are highly resistant to remote attacks but can be lost or stolen.

This method sends an authentication request as a push notification to a trusted app on the user's registered device (usually a smartphone). The user reviews the login details (service, location, etc.) and approves or denies the request with a single tap. It leverages the security of the device's lock screen (PIN, biometrics). Examples include Duo Push and Microsoft Authenticator. Advantages include user convenience and contextual information to prevent phishing. Security depends on the integrity of the notification channel and the user's vigilance in verifying the request details.

Passkeys are a user-friendly implementation of the FIDO2 standard, typically managed by platform providers (Apple, Google, Microsoft). They are synchronized across a user's devices via a secure cloud service (e.g., iCloud Keychain) or can be device-bound. Key features include:

• Phishing Resistance: Cryptographic proof is tied to the specific website domain.
• Cross-Platform Use: QR code-based sign-in allows using a passkey from a phone to log in on another device.
• Recovery: Managed through the user's existing ecosystem account recovery mechanisms.

While not purely cryptographic, social logins ("Sign in with Google") are a common form of passwordless authentication that delegates the authentication process to a trusted Identity Provider (IdP) using protocols like OAuth 2.0 and OpenID Connect (OIDC). In this model:

• The user grants the application limited access to their profile from the IdP.
• The IdP provides a secure token to the application, confirming the user's identity.
• This removes the need for the user to create and manage a new password for the application.

Biometric authentication uses unique physical or behavioral characteristics—such as fingerprints, facial recognition, or iris scans—as a passwordless factor. In secure implementations:

• The biometric data is used to unlock a local cryptographic key (e.g., on a device's Secure Enclave or Trusted Platform Module).
• The raw biometric template is never transmitted or stored on a server; it remains on the user's device.
• This provides a high-assurance, convenient factor that is difficult to steal or replicate, forming the user experience layer for standards like FIDO2.

A primary security benefit is resistance to phishing and credential stuffing attacks. Since there is no shared secret (password) to steal, attackers cannot trick users into revealing it. Authentication relies on cryptographic proof (like a private key signature) tied to a specific device or service, which cannot be reused on a fake site.

Security shifts from password protection to private key custody. The main risks are:

• Device loss or compromise: If a device-bound key is not backed up, access is lost. If the device is infected, the key can be stolen.
• User responsibility: Users must securely back up recovery methods (e.g., seed phrases for Web3 wallets). Poor key management is a leading cause of asset loss.

Methods like FIDO2 security keys or authenticator apps create a dependency on a physical or secondary device. This introduces risks:

• Single point of failure: Loss of the device can lock a user out.
• Supply chain attacks: Malicious hardware or compromised app stores could distribute tampered authenticators.
• Network dependency: Some methods (e.g., SMS/email magic links) require a secure channel, which can be intercepted.

The underlying authentication protocol and its implementation are critical. Flaws can undermine security:

• Weak cryptography: Using outdated or broken algorithms for key generation or signing.
• Implementation bugs: Vulnerabilities in client libraries or server-side verification logic.
• Protocol downgrade attacks: Allowing a fallback to less secure methods (like passwords) can negate benefits.

Secure account recovery is a major challenge. Without a password reset flow, systems need robust alternatives:

• Social recovery: Using trusted contacts, but this adds complexity and social engineering risks.
• Custodial services: Relying on a third-party (like a wallet provider) to restore access, which creates a central point of trust.
• Biometric fallback: If biometrics (a common passwordless factor) are compromised, they cannot be changed like a password.

Cryptographic authentication provides stronger audit trails and non-repudiation. Each login attempt generates a verifiable, unique signature. This allows for:

• Clear forensic logs: Precise tracking of which key was used for access.
• Legal evidence: Cryptographic proof that a specific entity authorized an action, which is stronger than a shared password log.
• Revocability: Compromised keys can be explicitly revoked on a blocklist, unlike a leaked password which may be used indefinitely.