Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Is Passwordless Sign-in Safe?

You don’t have to use a password to be safe

Sign in with email message

Signing in without a password seems almost nonsensical, yet it can be more secure than traditional sign-ins. More convenient? That depends.

I was reading about passwordless logins and how great they are. Better and more convenient than long complicated passwords that we might use with a password manager like LastPass. I enter my username and click Continue and then press another button to have a link emailed to me. I then go to my email and click the link in my email and voila! I am automatically logged in.

Well that certainly is easier than remembering a password, but I don’t get how it’s more convenient given the number of clicks to get logged in compared to allowing LastPass to fill in the user name and password so that I only have to click one button.

But what I really don’t understand is how this is a more secure way of logging in. Are passwordless sign ins safe? Should I be worried about companies wanting to move to passwordless?

Worried? Nope. Not at all.

It can be a convenience, for sure. As to whether or not it’s more secure, my take is is yes — but we need to understand the scenario it protects you from to be confident about that.

Become a Patron of Ask Leo! and go ad-free!

Signing in with only an email address is almost a backhanded approach to two-factor authentication. By proving you have access to that email account — by clicking a link emailed to you — you’ve authenticated securely and need nothing else. The site using this technique is relying on your maintaining the security of your email account appropriately.

An example: medium.com

Let’s start with an example.

Medium.com is a popular site that offers several different approaches to signing in.

Medium.com sign in choices
Medium.com sign-in choices.

You can, of course, use the other services listed — Google, Facebook, Apple, and Twitter — to sign in using your credentials with them. I prefer to keep all my accounts separate, so I set my Medium account to “Sign in with email”.

When I first set this up, I expected to be greeted with the opportunity to set a password. Nope. When I sign in, it asks for my email address and nothing more.

Medium.com sign in with email
Medium.com sign-in with email.

My account has no password.

Instead, when I enter my email address and click Continue, Medium tells me to check for a message in my email account.

Medium.com - check your inbox for that magic link
Medium.com – check your inbox for that magic link.

Sure enough, an email arrives.

Medium.com emailed sign in message
Medium.com emailed sign-in message.

Click the link, and I’m in. It’s that simple.

Passwordless sign in: convenient … maybe

It is simple, but is it more convenient?

Maybe.

The biggest issue I have with it is that it assumes email is relatively fast — but email is not guaranteed to be fast at all.

In my case, because of the way my email is routed, it can actually take two to three minutes before the email message with the sign-in link appears. I have to wait.

A more traditional email-and-password approach allows me to sign in without the wait at all. If the site is important,1 I’d prefer to be allowed to add two-factor authentication of some sort.

It also makes the assumption that the device you get your email on is the same device on which you want to sign in to Medium. If they’re different, it can be quite cumbersome to sign in — to the point of just avoiding doing so.

But it is more secure.

Passwordless sign-in: safe, almost certainly

This feels a lot like two-factor authentication. It’s not, but it is similar.

Maybe I’ll call it a factor-and-a-half authentication.

“Something you know” is reduced to only your email address. I’ll think of that as half a factor since it’s so easy for anyone to discover your email address.

“Something you have”, however, is your ability to click a link sent to your email account. That proves you are who you say you are, as identified by that email address.

In order to sign in, you must prove you have access to the associated email account. That’s all.

And as long as you keep that account secure, it’s enough. The only way someone could hack into your passwordless authentication is if they first hack your email account.

Perhaps most importantly, there’s no password to fall into the hands of hackers. Even if there were some kind of data breach at a company using passwordless authentication, there’s nothing there to steal.

It’s pretty cool, actually.

Security’s still on you

Now, to be clear, this doesn’t absolve you of responsibility for your security. In a sense, it just moves the target to something else you’re hopefully already keeping secure: your email account.

Therefore, my medium.com account is as secure as my email account. My email account (via Gmail) has a strong password, two-factor authentication, and so on — you know, the usual litany of advice we hand out about keeping your account secure.

But I do still wish I had the option of a quicker sign-in with a more traditional password approach.

Other forms of passwordless sign-in

The examples above all talk about using email as your authentication mechanism: prove you can access email sent to that account, and you must be who you claim to be.

The same can be done with other authentication methods. The most common might be fingerprint scanners and facial recognition. In addition to being used with a password for two-factor authentication, it’s not uncommon for them to be the only factor used to confirm you are who you claim. It’s also quite convenient, and probably faster than waiting for email.

Similarly, sign-in with PIN is another form of passwordless sign-in, though I consider it to be closer to single factor rather than the factor-and-a-half I made up above. A PIN is nothing more than another “something you know”.

I tend to agree with the material you were reading: passwordless sign-in has interesting potential to make our lives easier by needing to remember fewer passwords.

But I’d still prefer it to be optional.

Subscribe to Confident Computing! Tech problem solving & safety tips with a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my FREE special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

No strings. No email. Here's the direct download. (Just right-click and "Save As...".)

Podcast audio

Play

Footnotes & References

1: Not that Medium isn’t important, of course. It’s just that, say, my bank is more important.

5 comments on “Is Passwordless Sign-in Safe?”

  1. I agree that passwordless access is “better”, but it is still connected with a password – the password connected with your email account. So if your email has been successfully hacked, someone else now has the ability to set up all sorts of other accounts in your name and then quickly change the associated email for future invisible access. That invisibility is as simple as going back in and deleting the authentication email. Am I explaining that clearly?

    Reply
  2. Seems like a really good vector for phishing emails – send out enough “click here to access your medium account” emails, and you’re bound to hit someone who’s currently trying to log in (especially if this method of logon becomes ubiquitous) . . .

    I’ve never used this type of verification before: in this situation, it sounds like you would *have* to click on the link in the email to gain access to your account – is this correct?

    Reply
    • That’s a good question. It may be a vector for phishing but I believe it infinitely less susceptible to phishing than a normal login. If you click on the link they send in your email, you are automatically logged in to the website. If it takes you to a login page, you should be wary as a passwordless sign-in won’t ask you for a password. So if clicking on the link asks for a password, don’t enter it.

      And if they happen to catch someone who is coincidently trying to log into a website they are spoofing, they’ll have both the phishing email and the legitimate login email in your inbox.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.