September 1, 2017 1:20 pm
Passwords have ruined the Internet.
Think about it. How many online accounts do you have for all the social media, shopping, banking, school, work, and entertainment sites you use? If you have a website or online business, do you require users to create accounts with passwords?
If you do, you’re actively driving away customers and visitors. 75% of users quit after a password reset, and 30% of online customers abandon their shopping carts if forced to register with a password. Passwords create a terrible user experience. They drive more business to the internet giants of tech and retail and away from sites and businesses like yours.
You might argue that passwords serve an essential security function. Wrong. Forcing users to create yet another password simply results in the creation of weaker passwords. We’ve all done it: reused an extremely simple password over and over for the sake of convenience. Plus, even with a strong password, security isn’t quite as tight as you’d think. As online consumers and users, we’re threatened by shady data practices at companies both large and small. As online entrepreneurs, we can’t guarantee the absolute security of our users’ passwords when hacking technologies become more and more advanced every day.
Put another way: Passwords cause more harm than good in an internet that’s clearly ready to move past them!
The technology exists to replace all passwords with highly secure, lightning-fast encryption techniques while still giving websites the necessary ability to properly authenticate their users. It’s called passwordless login. Chances are you’ve got a few questions. We’ve gathered some of the most common questions we receive from developers, bloggers, small business owners, and everyone else curious about passwordless login:
We believe that passwordless login systems have the ability to completely change the internet for the better. There’s no reason why the digital world has to be dominated by a handful of powerful companies, and there’s no reason why it has to be inconvenient for users to engage with new content. Sensitive data doesn’t have to be protected behind extremely thin layers of password security. We already have the tools to move beyond this.
Getting started begins with raising awareness and understanding that alternatives to the old way of doing things already exist. Let’s dive in:
Let’s start with the most basic definition: passwordless login systems are tools that websites can implement so that their users don’t have to log in via a password.
This doesn’t mean that users are simply let into the site without any form of authentication, though. With any type of passwordless login, users still have to verify their identities with one or more forms of authentication (but not passwords). Each passwordless login system works a little differently, so let’s walk through each of them:
Passwordless Email Authentication
Email-based systems, the most promising passwordless authentication method, verify a user’s identity using their email address and a complex encrypted key code.
Here’s how it works: Users click to log in. An email message is generated for them to send, and it contains an encrypted DKIM key code. When the user sends the email, the code is received, processed, and decrypted by the login server and by the website. The user’s identity and email address are matched against the website’s records, then they’re allowed access. We cover the whole process in greater detail on our How it Works page, but the main point is that email authentication is lightning-fast, ultra-secure, and completely eliminates the need for users to create new passwords.
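One way to implement the server-side checks this flow implies, added here as an illustration and not Swoop's code. DKIM is a signature that the sender's mail provider adds to outgoing mail, so the login server accepts a message only if its own mail server recorded `dkim=pass` for the From domain and the message carries an unused, unexpired login code. The host name `mx.login.example`, carrying the code in the Subject line, and all function names are assumptions.

```python
import secrets
import time
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.login.example"  # hypothetical name of OUR receiving mail server
NONCE_TTL = 300                   # seconds a login request stays valid
_pending = {}                     # nonce -> (expected sender address, expiry time)

def start_login(address, now=None):
    """Issue the single-use code that is placed in the email the user sends."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(24)
    _pending[nonce] = (address.lower(), now + NONCE_TTL)
    return nonce

def dkim_pass_domains(msg):
    """Domains our own server verified (dkim=pass). Authentication-Results
    headers written by anyone else are ignored, since a sender can forge them."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(header.split()).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != AUTHSERV_ID:
            continue
        for result in parts[1:]:
            fields = result.split()
            if fields and fields[0].lower() == "dkim=pass":
                domains.update(f[9:].lower() for f in fields[1:]
                               if f.lower().startswith("header.d="))
    return domains

def verify_login_email(raw, now=None):
    """Return the authenticated address, or None if any check fails."""
    now = time.time() if now is None else now
    msg = message_from_string(raw)
    senders = msg.get_all("From", [])
    if len(senders) != 1:                      # ambiguous sender: reject
        return None
    sender = parseaddr(senders[0])[1].lower()
    entry = _pending.pop(msg.get("Subject", "").strip(), None)  # single use
    if entry is None:
        return None
    expected, expiry = entry
    if now > expiry or sender != expected:
        return None
    # Strict alignment: the signing domain must equal the From domain.
    if sender.rpartition("@")[2] not in dkim_pass_domains(msg):
        return None
    return sender

def sample_email(nonce, authserv=AUTHSERV_ID, signer="example.org"):
    """Constructed message, as it looks after our mail server has processed it."""
    return (f"Authentication-Results: {authserv};\n"
            f" dkim=pass header.d={signer} header.s=sel1\n"
            "From: Alice <alice@example.org>\n"
            f"Subject: {nonce}\n\nlog me in\n")
```

The check relies on the receiving mail server removing any inbound `Authentication-Results` header that already bears its own name, as RFC 8601 requires; without that, the header itself could be spoofed.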
Passwordless email authentication methods are already becoming popular in certain contexts. One great example: nonprofit pledge giving tools. Nonprofit donations sit at the intersection between the need for tight security and the need for flawless user experience. After all, making an online donation has to be quick and safe, otherwise many donors would lose their motivation, even when that donation is just a promise to fulfill a pledge.
Token-based and email authentication operate on similar concepts. With email-based systems, your email address is associated with a unique encrypted key as it’s processed through security servers. With token-based authentication, a website’s server sends a unique encrypted token to you.
This token is attached to your login session and then decrypted as you request various actions. This means it verifies your permissions to view content, make posts, etc. each time you begin a new action. By checking the token’s signature against its security algorithm, the site can effectively verify users’ identity for multiple actions and subdomains, greatly reducing login friction along the way.
Token-based authentication is extremely efficient and flexible, but it can be tricky for some sites to implement. Email-based authentication tools work via a similar concept of encrypted keys, so they’re often the fastest way for websites to get started with these innovative login techniques.
For more information on how token-based authentication works, we recommend our more comprehensive guide on the topic.
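The per-action token check described above, as an added example that is not code from this page or from any vendor it names. It uses a minimal token format constructed for the illustration (not JWT) and protects the token with an HMAC-SHA256 signature rather than encryption, so the claims are readable but cannot be altered without the server's key. All names, scopes and timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = secrets.token_bytes(32)  # server-side signing key, generated here for the demo

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload, key):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_token(user, scopes, ttl=900, now=None, key=KEY):
    """Token = base64url(JSON claims) + "." + base64url(HMAC-SHA256 of the claims)."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "scopes": sorted(scopes), "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    return payload + "." + _sign(payload, key)

def check_token(token, needed_scope, now=None, key=KEY):
    """Run on every action: return the user if the token is authentic,
    unexpired and grants `needed_scope`; otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        # Verify the signature BEFORE trusting anything inside the payload.
        if not hmac.compare_digest(sig.encode(), _sign(payload, key).encode()):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    if now >= claims["exp"] or needed_scope not in claims["scopes"]:
        return None
    return claims["sub"]

def add_scope_without_key(token, scope):
    """Constructed tampering case: a client edits its own claims but cannot
    recompute the signature because it does not hold KEY."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["scopes"].append(scope)
    return _b64(json.dumps(claims).encode()) + "." + sig

def demo():
    token = issue_token("alice", ["read", "post"], ttl=60, now=1000)
    return {
        "post": check_token(token, "post", now=1030),
        "admin": check_token(token, "admin", now=1030),
        "expired": check_token(token, "post", now=1060),
        "tampered": check_token(add_scope_without_key(token, "admin"), "admin", now=1030),
    }
```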
Fingerprint, face, or iris authentication (also known as biometrics) is growing in popularity. You might already use a fingerprint or face scanner on your smartphone. You probably don’t think of them in exactly these terms, but they’re a form of passwordless login.
The concept is simple; for fingerprint authentication, users press their thumbs on their phone’s fingerprint reader camera to authorize payments or gain access to their accounts. While this technique is intuitive and secure, completely streamlining the login process to its core, it does come with some challenges. Namely, accessing technology with a fingerprint reader can be costly for your users, and the technology is less cost-effective for businesses and nonprofits.
Unfortunately, these technologies have also already been proven to be less secure than expected. Tiny fingerprint reader cameras only register parts of your fingerprint, for instance. The odds of another person’s finger matching that part of your own print are surprisingly high.
Biometrics are developing fast, though. A passwordless login system that makes use of encrypted email authentication and a truly secure biometric could completely change the ways in which we engage with the internet.
2. Are passwordless login systems more secure?
We touched on this topic at the start of this article. Are password-based login systems actually insecure? Yes. Are passwordless login systems more secure? Also yes.
While there are tons of ways to actively make your passwords stronger — changing them annually, avoiding using information that a hacker could easily learn about you, etc. — very few of us actually take these precautions. That’s because we’re either too busy to deal with them or because going to all that trouble for an online account (that might not be particularly important anyway) feels like a huge waste of time.
As a result, many people use the same password or similar variations. This creates a domino effect that allows hackers access to multiple accounts just by cracking a single password.
As a website administrator or online entrepreneur, your users’ information could still be at risk even if you institute tight password controls. Poor security on other sites could make it easier for hackers to gain sensitive information. For instance, if a hacker breaks into a user’s email account, they can request a password change on your website, jeopardizing your user’s data and making you liable for the breach.
Passwords are a glaringly weak link in the entire authentication process. Removing them is the solution.
Passwordless login systems offer a smarter alternative. Email authentication allows your new users to register by simply entering their email addresses; they’ll have secure, convenient access to all your content and tools without creating more and more vulnerabilities for you with their weak passwords. Plus, these systems make use of more advanced authentication methods than traditional username/password systems. They scramble sensitive data and decentralize access using these techniques:
- Tokenization is a form of security that randomly generates a token or a string of characters. This token can be a substitute for the real data and is harder to crack because there is no mathematical relationship between the real data and the token.
- Encryption is very similar to tokenization, but uses an algorithm to transform sensitive information into ciphertext. This ciphertext can only be decrypted with the encryption key.
These security measures are used in traditional online donations or payments as well, but they offer even more security when paired with one of the three passwordless authentication methods we discussed earlier.
3. What are the benefits of implementing a passwordless login system?
Now that you know about the security of passwordless logins, you’re probably wondering what other benefits implementing a similar system will have for your company or nonprofit.
Organizations are constantly looking for best practices to make the login process quick and easy. Passwordless login systems not only make the process simple, but they also save users from the hassle of remembering a new password.
You’re probably aware that one of the main causes of donor and shopping cart abandonment (when people leave your form before confirming their gift or purchase) is that users have to create an account in order to move forward.
While having an account is essential if organizations want to encourage their users to make repeat transactions, users are less likely to give again if they can’t remember their password.
Passwordless login systems give users the best of both worlds: users can keep their payment information on file, saving them time in the future, and they won’t have to remember a long complicated password, which will encourage repeat donations.
Additionally, users won’t have to struggle to create a password that they feel is secure, which can be one of the most time-consuming aspects of creating an online account.
Moreover, your users are more likely to make impulse purchases or donations because the process will be much easier.
Think about it this way: Nonprofits that implement an email verification passwordless system can cut down their donation process, and donors won’t have to spend any additional time trying to remember or retrieve their account password.
Takeaway: Implementing a passwordless login system saves time and removes the frustration of having to remember another password.
4. Are there any risks to using passwordless login systems?
As with any new system that your organization implements, passwordless login systems do come with their own set of risks. But compared to the weakness of traditional login systems, the risks are relatively low.
Of course, you’ll have to go with a reputable vendor, and there is a small chance that the new program won’t be compatible with your website’s infrastructure.
For the users, there is still a chance that their accounts can be compromised. For example, if a hacker gains access to a user’s email account, the accounts using email authentication could be compromised.
However, vendors (like Swoop) have additional security measures to ensure that this doesn’t happen. If Swoop receives a login attempt from a different device or IP address, they will send the user a text message to confirm that the request was made by the user.
Other passwordless login systems have their own set of risks and challenges. For example, hackers can access an account protected by biometrics by creating a master fingerprint using the most common characteristics of fingerprints. Additionally, face scanners can be tricked by using high-quality photos.
Each passwordless login option comes with its own set of risks, but compared to traditional password and username logins, these alternatives are much more secure.
Takeaway: It’s important for nonprofits and businesses to do their research to determine which option has the least amount of security risks.
5. What types of organizations and companies can use passwordless login?
Passwordless login systems are completely universal, which means that for-profit and nonprofit organizations can use them. What’s more, passwordless login can be used for more than just a way to enter your accounts.
Passwordless Login for Businesses
Your company can use password alternatives for internal security, online users, or a combination of both.
Moreover, any account can be replaced with a secure password alternative. Passwordless login can be used to:
- Log into an online account.
- Make secure payments to an e-commerce site.
- Sign up for a subscription or service.
By using passwordless login options, you’ll be able to keep your users’ information safe and enforce stronger security measures for your employees.
Passwordless Login for Nonprofits
Nonprofits and faith-based organizations can use passwordless login to make the donation process easier and more secure for their supporters.
When donors give to your nonprofit, they can save their payment information using a password alternative like email authentication. The next time a donor gives, the person will only complete three simple steps!
But organizations shouldn’t just consider their donors when making the switch to passwordless login systems. Organizations are vulnerable to cybercriminals who want to gain access to your donor database.
As such, nonprofits can implement email, token, or biometric authentication for internal programs so that information is more secure.
Takeaway: Passwordless login is such a great option for businesses and nonprofits because these systems can be used both for internal and user security.
6. How user-friendly is passwordless login?
As passwords become more obsolete, your users might already be familiar with similar password alternatives. If you’ve ever signed up for a website using your Facebook or Gmail account, then you’ve used a form of passwordless login.
With that said, users already have some understanding of how the process works, so there is less of a learning curve.
Additionally, experts stress how passwordless login systems don’t require any memorization; the tools a user needs to complete the login process are readily available.
Generally, the process requires only two to three steps and takes about the same amount of time as a traditional login process, if not less!
Without the hassle and responsibility of creating a strong password, users can conveniently log into their accounts feeling confident that their information is secure from unauthorized users.
Takeaway: Passwordless login is extremely user-friendly, because users are most likely familiar with the process. Plus, logging in with more security measures doesn’t take any longer than the traditional process.
7. How difficult is it to implement passwordless login?
Since there are several different types of passwordless login, the time and effort it takes to implement will vary. But for the most part, these systems can be easily implemented on your website.
Imagine that your organization wants to offer Swoop’s email authentication to your users:
- First, we’ll assess your existing site’s architecture to determine the best process for implementation.
- Second, our developers will begin the process of incorporating email authentication into your website’s infrastructure, which could take anywhere from 10 to 16 hours.
- Last, your organization can use our tool internally and for users with little set-up on your side.
As you can see, the process doesn’t require a lot of work on your organization’s part.
Alternatively, if your organization wants to use biometrics, the implementation process could take much longer. Not only will you need the software integrated into your website, but you’ll also have to ensure that the program works with compatible devices, such as an iPhone.
Takeaway: Implementing passwordless login will vary depending on the type of system you choose. Luckily, most of the hard work is completed by the provider’s development team.
8. How do we promote passwordless login to our users?
As with any new giving method or process, your users will have some hesitation about using passwordless login systems. It’s likely that they will question its security as well as its ease of use.
If you want people to use your passwordless login system, you need to be able to put their concerns at ease as well as show them how it works.
Here are a few ways you can promote your passwordless login system:
- Create a video to post online. Create a video that shows users how the authentication process works—whether you’re using email or fingerprint verification, showing your users all the steps will make them more familiar and comfortable with the process. You can post your video to social media or on your website.
- Have an event speaker demonstrate the process. Nonprofits that host events can ask attendees to make donations during an event as a way to raise additional funds. It’s also a great opportunity to show your supporters how easy it is to set up and use a passwordless login system.
- Highlight your new giving feature in your newsletter. Newsletters are the perfect place to let users know about your passwordless login system. Make sure to link to other resources where they can learn more about the process and include a link to where they can log in.
- Engage with users on social media. After launching your passwordless login system, encourage your users to ask questions on Facebook and Twitter. That way, you can answer the concerns that matter most to your customers or donors and get them excited about your easy-to-use login process.
As you can see, there are countless ways you can promote your passwordless login system to users and make them feel comfortable using it.
Takeaway: Users may be hesitant at first, but by demonstrating how to use the tool and answering your users’ questions, they’ll get on board in no time!
There you have it: eight of the most common questions about passwordless login systems answered. Hopefully, these answers have helped you decide if this is something your organization should implement (we hope the answer is yes!).
For more information about passwordless login systems and more solutions to online donation forms, check out these fantastic additional resources:
- Nonprofit Password Alternatives: Are you looking for more ways to get rid of troublesome passwords for your donors? You’re in luck! This article takes you through the pros and cons of three alternatives.
- Mobile Giving Guide: What better place to implement your passwordless login system than on your mobile donation forms? Learn everything you need to know about mobile giving with this comprehensive guide.
- Fundraising Software for Nonprofits: If your organization is looking for free or inexpensive fundraising solutions, we’ve got a list of the top nine free fundraising software providers.
This post was written by Jamie L.