September 6, 2017 2:19 pm
There’s no greater annoyance than being unable to log on to a website due to a forgotten password. It’s so frustrating to sit there guessing at your password and getting it wrong over and over. What if you’ll simply be unable to access your account and complete the (probably very simple and quick) task you were trying to complete?
But the real problem is that passwords cause serious security vulnerabilities for people and for web applications. Security experts claim that 90% of passwords are hackable, and this is not just because people use weak passwords most of the time or because they reuse a single one over and over again. It is just the nature of any 8-digit code that is generated by a human.
9 out of 10 times a human-generated password will be predictable, and hackers can easily access the information they need to predict it from social media accounts and online searches using social engineering techniques. This doesn’t just apply to personal accounts, either. Password security issues can seriously derail a company’s website.
In short, passwords have the following significant drawbacks:
- They’re easy to forget.
- They’re difficult to manage across a variety of systems.
- They’re easily susceptible to major hacks.
- They frustrate users and hinder growth for websites.
All things considered, passwords are a major problem, and the internet would be so much better if there were a way to get rid of them.
That’s where password alternatives come in.
Not only are these alternatives more convenient but they also enforce stronger security policies to protect you and your users’ personal information. Follow along as we explore the following password alternatives that more and more organizations are taking advantage of:
- Two-tap email authentication
- Social media account authentication
- Biometric authentication
- Final thoughts on creating a comprehensive system
By the end of this post, you’ll better understand that you simply don’t need to force your users to create passwords on your site. By getting rid of the barriers that passwords create, your website can grow and prosper.
Bonus! Before we get started, you might want to check out our complete guide on password security. It will give you a deeper understanding of the challenges passwords can cause and other ways to resolve these concerns.
Password Alternative #1: Swoop’s Two-Tap Email Authentication
This is one of our top password alternatives for a number of reasons, but we’ll start at the beginning: email.
Email has long been one of the most important of all online accounts. In fact, our personal email accounts typically act as a sort of hub for every other account we create online. We use it to reset forgotten passwords on other sites, for instance.
The central position of email to all your digital accounts means that if your email account gets compromised, everything else could be at risk. All the modern email providers (Gmail, Yahoo and Outlook) provide advanced security features that you can easily turn on to lock down this most important account.
Password alternatives and techniques that build on this level of security can provide some of the fastest, most effective, and safest log in experiences available. Some sites have been doing it for a while. The old-fashioned way of leveraging email account security to authenticate web users involves opening a confirmation link in an email that you requested from the site.
While effective at removing the need for passwords, this method has a few drawbacks. Namely, the confirmation email could take anywhere from a few seconds to several minutes to arrive. Modern web users demand a faster experience!
That’s where modern two-tap systems come in.
How Swoop’s Two-Tap Email Authentication Works
Combining the old-fashioned email authentication system described above with innovative security procedures results in a faster, even more user-friendly log in experience that completely removes the need for passwords. Here’s how it works:
From a browser window, the user pushes the login button: The button is actually a mailto link. It generates a pre-written email for you to send.
The user sends the email: This is where the magic happens. Once the email is sent, the outgoing email server generates and embeds a 1024/2048 bit, fully encrypted, digital key into the header of the email. Swoop’s authentication server follows the public key cryptographic procedure to decrypt this key. Each email sent receives a unique key for that message. The level of security for these encrypted keys is beyond comparison to traditional passwords.
User Is Logged Into Their Account: When the key decrypts and passes all checks, the Swoop authentication server directs the website to open the user’s account and begin a session. This all takes place in a matter of seconds and makes for an extremely streamlined user experience.
By leveraging email accounts through two-tap email authentication, sites have the option to completely and literally eliminate passwords for that domain. Plus, practically everyone online has an email account, making this a truly universal solution to the password.
Authenticating by digital keys is a simple and cost effective choice. No special biometric hardware required, no app to download, and no customer opt-in needed. One simple integration with a nominal fee, and you’re in business. Your users are free to log into a discussion, see premium content or to make payments without the stress or hassle of passwords.
How Does Swoop Protect Sensitive Information?
This is the chief concern of many companies that need to handle sensitive personal and financial data. Swoop’s authentication method does not expose sensitive information.
The only possible vulnerability in the process occurs during the transmission of the email to the authentication server. However, Swoop tokenizes all the details about the authentication (i.e., the site being logged into or the type of account being set up) making them indiscernible to third parties.
How does Swoop confirm an email account is valid and not spoofed?
The digital keys embedded by the outgoing mail server prevent the authentication server from being spoofed. Using the public key published in the DNS registry to decrypt the digital key, then confirming the match, provides an unparalleled level of security. This is called the DomainKeys Identified Mail system, or DKIM.
DKIM is already used by all major email senders to prevent spoofing, but Swoop also makes use of the Sender Policy Framework system, or SPF, to track the progress of each login email. SPF checks to see that the email traveled from authorized server to authorized server.
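What the checks described above look like on the receiving side, as an added example that is not Swoop's code: it reads the Authentication-Results header that a receiving mail server records after DKIM and SPF verification, and accepts the sender only when both pass for the domain in the From address. The authserv-id `mx.login.example`, the addresses and the sample messages are constructed, and it assumes the receiving MTA strips any inbound header that already carries its own authserv-id.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.login.example"  # assumption: authserv-id of our own inbound MTA

def _results(msg):
    """Yield (method, result, props) from Authentication-Results our MTA stamped."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(header.split()).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not written by our MTA, so the sender could have supplied it
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if m:
                props = dict(re.findall(r"([\w.]+)=([^\s;]+)", m.group(3)))
                yield m.group(1).lower(), m.group(2).lower(), props

def authenticated_sender(raw):
    """Return the From address only if DKIM (d=) and SPF pass for exactly its domain."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:  # several From headers: ambiguous identity, reject
        return None
    addr = parseaddr(froms[0])[1].lower()
    domain = addr.rpartition("@")[2]
    if "@" not in addr or not domain:
        return None
    dkim_ok = spf_ok = False
    for method, result, props in _results(msg):
        if method == "dkim" and result == "pass":
            dkim_ok |= props.get("header.d", "").lower() == domain
        elif method == "spf" and result == "pass":
            spf_ok |= props.get("smtp.mailfrom", "").lower().rpartition("@")[2] == domain
    return addr if dkim_ok and spf_ok else None

# Constructed sample messages (not real traffic).
def sample_mail(auth_results):
    return ("From: Alice <alice@example.org>\nTo: login@login.example\n"
            f"Authentication-Results: {auth_results}\nSubject: Log me in\n\nbody\n")

ALIGNED = sample_mail("mx.login.example; dkim=pass header.d=example.org;\n"
                      " spf=pass smtp.mailfrom=alice@example.org")
OTHER_DOMAIN = sample_mail("mx.login.example; dkim=pass header.d=mailer.example;"
                           " spf=pass smtp.mailfrom=bounce@mailer.example")
UNTRUSTED_STAMP = sample_mail("mx.other.example; dkim=pass header.d=example.org;"
                              " spf=pass smtp.mailfrom=alice@example.org")
if __name__ == "__main__":
    print([authenticated_sender(m) for m in (ALIGNED, OTHER_DOMAIN, UNTRUSTED_STAMP)])
```

A DKIM or SPF "pass" only proves that some domain vouched for the message, so the comparison against the From domain is what ties the result to the account being logged in. The match here is exact; a deployment that accepts subdomains would need an organizational-domain comparison instead.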
If you’re curious, we have a more detailed explanation of the entire process on our How it Works page.
The bottom line:
Two-tap email authentication is an exciting option for completely eliminating passwords from your website.
No other technology, by itself, offers this same opportunity or can take your website into the future of security and user experience. The future of the open internet is passwordless, and two-tap email authentication is the best way to get there.
Password Alternative #2: Social Media Account Authentication
Here’s another of our favorite password alternatives. As a step down from two-tap email authentication, social media account log in options are still a strong choice for sites that want to eliminate the need for new users to create passwords.
They work on a similar concept, too. Building from the more advanced security features embedded in the authentication processes of top social media platforms, these solutions offer another user-friendly way to log in fast without using a password. Users log in to your site via their credentials on Facebook or Twitter, effectively acting as a secure proxy validation.
As a password alternative, social media account authentication has a few major benefits, including:
- The ability to significantly reduce the need to create new passwords
- Tons of saved storage space across the internet
- Boosts to account creation on your site by streamlining the process of data input
There are a few downsides to social media log in options, though. Many web users are uncomfortable with linking their social media accounts across their other accounts. Plus, many consumers simply don’t trust the social media giants following recent scandals of unethical data practices. A Pew Institute study recently found that 60% of Americans won’t use social media account authentication options.
However, 40% is still a major proportion of all web users! We still highly recommend that sites looking to reduce their dependence on passwords adopt one or two social media sign in options.
Offering a few social media account authentication options most relevant to your users in addition to a universal email authentication option will create a truly comprehensive set of password alternatives. Cover all your bases by making use of all the tools at your disposal. After all, security is all about creating redundancies in the process.
Password Alternative #3: Biometric Authentication
The last of our favorite password alternatives involves some developing technologies. Biometric systems use our unique biology to replace the need for a password.
A common example? Many of us already use fingerprint scanners on our smartphones to avoid manually entering a code every time we want to unlock our phones.
That’s why using biometrics to log into an account or make payments is a natural next step for this digital security system. To give you a better idea of how these password alternatives work, we’ll cover the basics and single out a few top benefits and setbacks.
How Biometric Password Alternatives Work
Biometric systems rely on an additional security element that’s personalized to each user. This highly customized process helps users access accounts or make online payments with just one step.
For instance, the fingerprint payment system requires users to have a device with finger scanning capabilities. While the process varies slightly from one device to the next, the primary steps are the same:
- The user just needs to rest his or her thumb on the device’s fingerprint scanner.
- Once the user’s thumbprint is confirmed, the individual can access his or her phone and make online payments.
With biometrics, the process is simple and intuitive.
Biometric scanners are also now being used to make online payments, such as Mastercard’s fingerprint and facial recognition technology which confirms a cardholder’s identity for easier online shopping. With the steady influx of biometric verification, companies can only imagine how these tech initiatives of tomorrow can impact security issues today.
Top Pros and Cons of Biometrics
There’s no denying that biometric authentication is more glamorous than traditional passwords, and thus more appealing. After all, everyone has a totally unique set of biological features; it only makes sense for us to use these password alternatives as a way to enhance both online and offline security.
Other significant merits of biometric authentication include:
- Fingerprints and eyeballs are harder to fake than payment or identity cards.
- The key to accessing your account or making payments is always with you and can’t be forgotten.
Despite their high-tech allure though, there are a number of disadvantages to take into consideration with biometric systems. Consider these drawbacks:
- Accessing a device that can scan your fingerprints or face can be costly.
- Someone can copy your fingerprint or eye retina to create a replica.
- Scanners can be fooled by a picture/mold of someone’s fingerprint or a contact lens of someone’s eye retina.
- Someone can force you to use your fingerprint to unlock confidential information.
It might seem that many of these potential issues involve extreme dedication and expertise; while some do, recent developments have begun to indicate that the fingerprint sensor on your phone is not as safe as you think! Smartphone fingerprint scanners are a great example of the inherent weaknesses of biometric login systems.
Smartphone fingerprint scanners are small, so the phone records multiple partial images of your fingerprint. A swipe only needs to match one to gain access. One biometrics expert estimates it would be extremely easy to gain access to 1 out of 10 phones with biometric login enabled. The limitations of the technology make biometrics a surprisingly vulnerable authentication method for many contexts.
However, the technology is also developing extremely quickly. We’ll likely see a truly secure and effortless biometric authentication option within the next several years.
Final Thoughts on Password Alternatives
Passwords need to go. There are real alternatives out there that can help get rid of them once and for all, ready to be adopted whenever you’re ready.
Consider all the alternatives we’ve explored in combination with each other:
- Two-tap email authentication is the complete solution to the password. Inherently secure and extremely streamlined, email authentication from Swoop is basically free.
- Social media account authentication would make a smart additional option to include alongside Swoop. Some users are comfortable using this method, and that’s what matters. It removes the need to create passwords and eliminates another barrier between new users and your site.
- Biometric authentication is exciting, but it’s still years away from proving truly secure. Also, the costs of biometric hardware and software could be crippling for many businesses.
Security is all about redundancy. A tight security system will contain plenty of overlap that ensures nothing falls through the cracks. We believe the future of the internet relies on a combination of these 3 password alternatives. An existing credential like your email or social media account authenticates your web session, then an advanced biometric tool verifies. In just a few years this whole process will likely take only a few seconds.
For more information on password security and website authentication, please browse our additional resources:
- 6 Shocking Reasons Why Passwords Won’t Protect Your Website — Still not convinced that password alternatives are the best option for your organization? Our article addresses 6 reasons why using passwords could put your organization’s information at risk.
- Understanding the Fundamentals of Website Authentication — Want to learn more about how users can verify their accounts? Our comprehensive guide is full of tips and tricks to improve your website’s authentication.
- PayPal Alternatives: A Comprehensive Guide — Explore superior options for collecting online payments and donations in addition to strengthening your security.
- Single Sign-On Authentication: The Swoop Guide — SSO authentication is an extremely important step in the process of eliminating passwords! Learn about the process, benefits, and limitations of this method.
This post was written by John Killoran