Passwordless Auth and Humpback Whales
Lessons we can learn from identifying humpback whales
The humpback whale is one of the largest animals in the world. Weighing an average of 50 tons as an adult, it makes an annual migration from Alaska to Hawaii to give birth. Researchers identify and track these whales by their tails, also known as flukes. Each fluke is as unique as a fingerprint. It is also less costly than a tracking device, which can cost upwards of $10,000 and sometimes gets lost.
Enter passwordless authentication. It’s the new hip thing. Just ask for a person’s email or phone number and they get a temporary login link or code. There is lots of software now that gives you this functionality out of the box. It actually solves a few problems in authentication security and usability:
1. Having someone validate themselves with a valid email address (or phone number) is important. We want to know this person owns the email address. Otherwise, they can enter any email address and password and they have an account. (You would not believe how many accounts are sent to me from Aymans all over the world!)
2. It removes the need for a user to have and remember a password. Kind of a 2 in 1 here. That means you don’t have to worry about checking their password length and complexity, storing it, or checking it against a stolen-password database.
3. Extra security if you want. This single factor can have extra security layered on it, and the session is usually tied to just that device. For example, if the IP, user-agent, or any other predetermined attribute of the session changes, automatically log the user out. One good example is the IP changing to a location hundreds of miles away. You can also add smart authentication like a fingerprint or any type of FIDO2 authenticator on top.
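To make the three points above concrete, here is an added example (not code from the newsletter or from any product it mentions) of a minimal magic-link flow: a single-use, short-lived token that proves control of the mailbox, no password stored anywhere, and a session bound to the IP and user-agent it was created with, revoked the moment either changes. Storage is in-memory dicts, the "mailer" just returns the link, and the hostname, the 15-minute lifetime and the exact-match IP check are all assumptions made for the demo; a real deployment would compare geolocation or ASN rather than raw IPs, as the post's "hundreds of miles away" example suggests.

```python
"""Minimal magic-link (passwordless) login flow, added as an illustration.

Three properties from the post are shown:
  1. redeeming the link proves the requester controls the mailbox,
  2. no password is ever stored or checked,
  3. the session is bound to device attributes and revoked when they change.
All state is in-memory and the link is returned instead of emailed
(assumptions for an offline demo).
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; magic links should be short-lived


@dataclass
class Session:
    email: str
    ip: str
    user_agent: str
    active: bool = True


@dataclass
class MagicLinkAuth:
    # Pending tokens are keyed by SHA-256 of the raw token, so a leaked
    # database does not hand out usable login links.
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable for testing expiry

    def request_login(self, email: str) -> str:
        """Issue a single-use token and return the link that would be emailed."""
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self.pending[digest] = (email.lower(), self.clock() + TOKEN_TTL_SECONDS)
        return f"https://example.test/login?token={raw}"  # assumed hostname

    def redeem(self, raw_token: str, ip: str, user_agent: str) -> Optional[str]:
        """Exchange a clicked link for a session id.

        Returns None if the token is unknown, already used, or expired.
        """
        digest = hashlib.sha256(raw_token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        # Bind the session to the device that redeemed the link.
        self.sessions[session_id] = Session(email, ip, user_agent)
        return session_id

    def authenticate(self, session_id: str, ip: str, user_agent: str) -> Optional[str]:
        """Validate a session cookie on each request.

        If the bound attributes differ from the current request, the session
        is revoked (the post's "automatically log them out") and None returned.
        Exact IP match is a simplification; production systems usually compare
        geolocation or network instead.
        """
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return None
        if session.ip != ip or session.user_agent != user_agent:
            session.active = False
            return None
        return session.email


if __name__ == "__main__":
    auth = MagicLinkAuth()
    link = auth.request_login("reader@example.test")  # constructed address
    print("would email:", link)
    token = link.split("token=", 1)[1]
    sid = auth.redeem(token, "203.0.113.5", "Mozilla/5.0 demo")
    print("session for:", auth.authenticate(sid, "203.0.113.5", "Mozilla/5.0 demo"))
    print("after IP change:", auth.authenticate(sid, "198.51.100.9", "Mozilla/5.0 demo"))
```

The `clock` field exists only so the expiry path can be exercised deterministically; in production the default `time.time` is what runs. Note that the token is hashed before storage but the session id is not: the session table must still be protected, since a stolen session id is a stolen login.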
Passwords are so 2020. Let’s say goodbye to them as well. :)
Take care,
Ayman