Passwordless authentication is a modern technique for signing into applications that does not depend on "memorized secrets," more commonly referred to as passwords. Instead, applications authenticate users with the help of third parties like Google or Facebook, or by sending special, single-use links or codes to their email address or phone number.
Developers can easily add passwordless authentication to their application using Clerk's developer tools for authentication and user management.
Passwordless authentication has been growing in popularity for three primary reasons:
Critics of passwordless authentication cite one primary downside: signing in with passwordless authentication is slower than signing in with passwords.
Based on our data at Clerk, passwordless authentication is 4.2 times slower than passwords on average, because of the extra time it takes to deliver the emails and text messages. The notable exception is social sign-in, which is 23% faster than passwords on average.
Any authentication strategy that does not depend on passwords is considered to be passwordless authentication. Today, there are four solutions that are commonly seen throughout the web.
Because different users may prefer different strategies, it is common for applications to offer more than one solution for passwordless authentication. Clerk offers all four solutions in its developer tools, and allows developers to easily mix-and-match as they see fit for their audience.
Social sign-in is the fastest option by far, averaging about 6 seconds for users to complete. Magic links take about 30 seconds, while both one-time password solutions take about 35 seconds. The variance on magic links and one-time passwords is also much greater, which we attribute to the varying lengths of time users need to access their email or text messages.
Social sign-in is also the most popular option for passwordless authentication. When available, Clerk sees 53% of users selecting social sign-in over the alternatives, and that number has been trending higher. However, social sign-in should not be offered in isolation since users are not guaranteed to have an account with the third-party vendors, or may have concerns about the privacy of authenticating with a third-party.
Applications using passwordless authentication can still offer multi-factor authentication. The only requirement for multi-factor authentication is that each factor must belong to a different class. In general, there are three classes of authentication factors:
To implement multi-factor authentication when using passwordless authentication, developers simply need to ensure that the first and second factors belong to different classes. Developers using Clerk receive this functionality in all plans, including a self-serve flow for users to opt into multi-factor authentication.
Whether passwordless authentication provides greater security than password-based authentication is a nuanced discussion.
In general, it is easier to build a secure solution for social sign-in and email-based passwordless authentication (with magic links or email OTP) than it is to build secure password-based authentication.
The challenge with password-based authentication is that credential stuffing attacks must be defended against. Clerk protects against credential stuffing using Have I Been Pwned, a service that tells us when a password has appeared in a known leak, so we can ask the user to verify another way and choose a new password. We provide this out of the box, but if a developer is building a password-based solution themselves it can easily be overlooked.
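As an added illustration of the leaked-password check described above (example code, not Clerk's own implementation), the following shows the k-anonymity lookup used with Have I Been Pwned's Pwned Passwords range API: only the first five hex characters of the password's SHA-1 digest are sent, and the matching suffix is found locally. The endpoint URL and `SUFFIX:COUNT` response format are those of the public service; the sample response body and its counts are constructed so the check runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 digest.

    Only the prefix ever leaves the client; the server returns every suffix
    sharing that prefix, so it cannot learn which password was checked.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the range for `prefix` from the public API (network required)."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Return how many times `password` appears in known breaches (0 if never).

    `fetch_range(prefix)` returns the raw response body; the default performs a
    live request, but any callable (cache, mock) can be substituted.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample: a fake range body for the prefix of "password" whose
# counts are made up. It stands in for the live API so the check runs offline.
_PREFIX, _SUFFIX = split_sha1("password")
SAMPLE_RANGE_BODY = f"0018A45C4D1DEF81644B54AB7F969B88D65:3\n{_SUFFIX}:42\n"


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; empty body for unknown prefixes."""
    return SAMPLE_RANGE_BODY if prefix == _PREFIX else ""


def password_requires_reset(password: str, fetch_range=fetch_range_live) -> bool:
    """Policy hook: any breach appearance means verify another way and reset."""
    return breach_count(password, fetch_range) > 0
```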
The final option, SMS OTP, is widely considered to be less secure than both passwords and alternative passwordless authentication solutions. This is because SMS messages are susceptible to being hijacked, particularly through social engineering attacks at the phone carriers.