A complete guide to passwordless authentication

What is passwordless authentication?

Passwordless authentication is an approach to signing into applications that does not depend on "memorized secrets," the term the security community (and NIST SP 800-63B) uses for passwords. Instead, applications authenticate users through third parties like Google or Facebook, or by sending single-use links or codes to an email address or phone number the user has already registered.

Developers can easily add passwordless authentication to their application using Clerk's developer tools for authentication and user management.

Benefits of passwordless authentication

Passwordless authentication has been growing in popularity for three primary reasons:

  1. Convert sign-ups faster - Choosing a password during sign-up takes time, especially for users who do not use a password manager like 1Password or LastPass. Passwordless authentication lets application developers remove this field from their sign-up form, so new users convert faster.
  2. Eliminate forgotten passwords - The security community refers to passwords as memorized secrets in part to acknowledge one unfortunate characteristic: passwords can be forgotten. Many applications prefer passwordless authentication because users are prone to forgetting their passwords, which can be a burden for support staff if there is not a well-designed flow to reset the password.
  3. Prevent credential stuffing - "Credential stuffing" is when attackers take leaked passwords from one application and try using them to sign into another application. The attack succeeds when a user has reused the same password across both services, and when the second application hasn't protected against the attack in another way (rate limiting, MFA, breached-password checks). Passwordless authentication removes this attack entirely, since there is no password to stuff. The caveat is that the email inbox or phone number now carries the trust: an attacker who has taken over the user's email account, often through that provider's own reused password, can still request and use a link or code.

Downsides of passwordless authentication

Critics of passwordless authentication cite one primary downside: signing in with passwordless authentication is slower than signing in with passwords.

Based on our data at Clerk, passwordless authentication is 4.2 times slower than passwords on average, because of the extra time it takes to deliver the emails and text messages. The notable exception is social sign-in, which is 23% faster than passwords on average.

How does passwordless authentication work?

Any authentication strategy that does not depend on passwords is considered to be passwordless authentication. Today, there are four solutions that are commonly seen throughout the web.

4 types of passwordless authentication solutions

  1. Social sign-in - By far the most commonly-used and fastest passwordless authentication strategy. The user is presented with a button to "sign in with" a third party like Google or Facebook where they likely already have an account. When the button is clicked, the user is redirected to the third party, which authenticates them and then shares identity information with the application using the OAuth 2.0 protocol (in practice, OpenID Connect layered on top of it).
  2. Magic links - A special link containing a random, single-use token is sent to the user's email address. If the user clicks that link within a short period of time (usually 10 minutes or less), it is assumed that they control the email address and they are allowed to sign in. Learn more about Clerk's magic links.
  3. Email-based one-time passwords (Email OTP) - A secret 6-digit code (a "one-time password" in security terminology) is sent to the user's email address. If the user enters that code within a short period of time, it is assumed that they control the email address and they are allowed to sign in.
  4. SMS-based one-time passwords (SMS OTP) - A secret 6-digit code, again a one-time password, is sent to the user's phone number. If the user enters that code within a short period of time, it is assumed that they control the phone number and they are allowed to sign in.

Because different users may prefer different strategies, it is common for applications to offer more than one solution for passwordless authentication. Clerk offers all four solutions in its developer tools, and allows developers to easily mix-and-match as they see fit for their audience.

Conversion speed

Social sign-in is the fastest option by far, averaging ~6 seconds for users to complete. Magic links take about ~30 seconds, while both one-time password solutions take ~35 seconds. The variance on magic links and one-time passwords is also much greater, which we attribute to varying lengths of time for users to access their email or text messages.

Popularity

Social sign-in is also the most popular option for passwordless authentication. When available, Clerk sees 53% of users selecting social sign-in over the alternatives, and that number has been trending higher. However, social sign-in should not be offered in isolation since users are not guaranteed to have an account with the third-party vendors, or may have concerns about the privacy of authenticating with a third-party.

Passwordless and multi-factor authentication (MFA)

Applications using passwordless authentication can still offer multi-factor authentication. The only requirement for multi-factor authentication is that each factor must belong to a different class. In general, there are three classes of authentication factors:

  1. Knowledge factors - a knowledge factor is proof that the user knows something only they should know. The boundary is blurry, but passwords, social sign-in, and the email-based passwordless strategies (magic links and email OTP) are all generally treated as knowledge factors, since access to the underlying social or email account is itself usually gated by a password.
  2. Possession factors - a possession factor is proof that the user has something only they should have. SMS-based passwordless authentication fits in this bucket. Other possession factors include hardware security keys (USB or NFC) that speak the WebAuthn/FIDO2 protocol, and authenticator apps or hardware tokens that display a rotating 6-digit code generated with TOTP.
  3. Inherence factors - an inherence factor is biometric proof that the user is who they say they are. Face and fingerprint scanners are examples of inherence factors.

To implement multi-factor authentication when using passwordless authentication, developers simply need to ensure that the first and second factors belong to different classes. Developers using Clerk receive this functionality in all plans, including a self-serve flow for users to opt into multi-factor authentication.

Passwordless security

Whether passwordless authentication provides greater security than password-based authentication is a nuanced discussion.

In general, it is easier to build a secure solution for social sign-in and email-based passwordless authentication (with magic links or email OTP) than it is to build secure password-based authentication.

The challenge with password-based authentication is that credential stuffing attacks must be protected against. Clerk protects against credential stuffing using Have I Been Pwned, whose Pwned Passwords corpus tells us when a password has appeared in a known leak so we can ask the user to verify another way and choose a new password. We provide this out-of-the-box, but if a developer is building a password-based solution themselves it can easily be overlooked.

The final option, SMS OTP, is widely considered to be less secure than both passwords and the other passwordless solutions. This is because SMS messages can be intercepted or redirected, most commonly through SIM swapping, where an attacker social-engineers the phone carrier into moving the victim's number to a device they control. NIST SP 800-63B classes SMS as a "restricted" authenticator for this reason.
