How to switch to passwordless authentication in 3 lines of code
In the digital world, it is a given that enhancing the security of a system inevitably involves a degradation of the user experience. Yet, by choosing the right multi factor authentication (MFA) solution, you can simplify the day-to-day user login experience and benefit from an implementation without any significant development effort.
Author: Romain Breysse, Cybersecurity Engineer
After working for 10 years in the telecom industry on numerous products in different positions (IT, marketing, pre-sales) in France and abroad, Romain joined inWebo to learn more about the dynamic cyber industry.
As a pre-sales engineer at inWebo, Romain helps our prospects and customers implement our strong authentication solution and apply best practices in terms of cyber defense.
In the digital world, it is a given that enhancing the security of a system inevitably involves a degradation of the user experience.
Our daily experience proves it every time we log in with the famous password: every year we have to increase the length of our passwords, add exotic characters, lower case, upper case, etc. In short, we increase the complexity to strengthen the security of our accesses.
We have no choice: in this connected world, cyber attacks are multiplying and making the headlines every week – social engineering, password leakage, phishing, malware, ransomware etc. Drastic measures must be put in place within companies to combat these new threats. IT security has become indispensable.
So when the CISO announces that he is going to increase security, users get scared and tremble: what are we going to have to do tomorrow to access our e-mails?
- Type a 20 character password? Somebody PLEASE help!
- Use an extra physical key? I already have enough keys!
- ZeroTrust security? I won’t have access to anything?
- A passwordless policy? But where’s the security?
- Or add multi factor authentication on all accesses? What is this barbaric name, will it be worse than the password? … Nooo!
No more passwords. Long live the Passwordless!
Everyone uses a password; over the years we have learned to log in with the login/password combination.
However, with the growth of computing power and the networking of all applications, the security level is getting lower by the day: protecting bank and client accounts with a simple password is careless.
Of course, we can always choose a longer and/or more complex password to enhance security but the negative impact is immediate on the user experience.
Does multi factor authentication (MFA), an essential protection, make the customer experience more complex?
In the face of new threats, regulations are tightening to protect access more effectively. In response, technologies are emerging to replace the password, such as strong authentication.
Strong authentication involves combining different factors to confirm a user’s identity by generating a one-time password (OTP or One Time Password) for each connection:
For instance, the European PSD2 regulation requires banks and online retailers to secure access with strong customer authentication as soon as possible (the deadline is regularly pushed back because the players are not yet ready). Banks have reinforced security so far by sending a one-time password by SMS but even this technique shows its limits in terms of security and ease of use.
Numerous articles are flourishing on the Internet to point out the complexity of MFA (multi factor authentication), which risks pushing users to give up online shopping, hurting online retailers’ bottom line.
How inWebo's passwordless MFA solution streamlines the user experience
Today, on a daily basis, your user types a 10 character password like “Im_FrgttngMyPwd?”. This is not very practical.
Tomorrow, with inWebo, switch to passwordless and allow your user to log in simply by typing an easy to remember PIN code (a 4 or 6 digit knowledge factor) into their possession factor, such as our browser token, which will be your user’s default browser.
In short, passwordless multi factor authentication by inWebo MFA
How is that possible? How can you ensure access security with only a 4 digit PIN code?
It is important to understand that the 4 digits are only one of the factors needed to authenticate. These 4 numbers alone are of no use. They can only be used on the possession factor created by the user: in the example above a browser token chosen and created during the enrollment phase*.
Entering the knowledge factor is only possible on a browser that has been transformed into a possession factor, in other words a trusted browser.
On the other hand, we are talking about a knowledge factor and not a classic password: the knowledge factor is not transmitted via the network at each authentication and is not stored in a classic database. As a result, it cannot be attacked like a regular password.
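A minimal sketch of the idea above, added here as an illustration and not inWebo's actual algorithm (which this page does not describe): the one-time code is computed from a key derived from a secret held in the enrolled browser plus the PIN, so only the code crosses the network at login. The names `derive_key`, `otp` and `Server`, the one-time transfer of the derived key at enrollment, and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

def derive_key(browser_secret: bytes, pin: str) -> bytes:
    """Bind both factors into one key: the PIN stretched with the browser secret as salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), browser_secret, 100_000)

def otp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style time-based code (HMAC-SHA256) for the time window containing `now`."""
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    """Keeps one derived key per user; it never receives or stores the PIN itself."""
    def __init__(self):
        self.keys = {}

    def enroll(self, user: str, derived_key: bytes) -> None:
        # Assumption: the derived key is sent once, over the enrollment channel.
        self.keys[user] = derived_key

    def verify(self, user: str, submitted: str, now: int) -> bool:
        key = self.keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(otp(key, now), submitted)

def demo() -> dict:
    now = 1_700_000_000  # constructed timestamp
    # Constructed secrets; a real browser token would be random and created at enrollment.
    trusted_browser = b"constructed-secret-of-enrolled-browser"
    other_browser = b"constructed-secret-of-another-browser"
    server = Server()
    server.enroll("alice", derive_key(trusted_browser, "4821"))
    # At login only the 6-digit code is submitted, never the PIN.
    return {
        "right_pin_trusted_browser":
            server.verify("alice", otp(derive_key(trusted_browser, "4821"), now), now),
        "right_pin_other_browser":
            server.verify("alice", otp(derive_key(other_browser, "4821"), now), now),
        "wrong_pin_trusted_browser":
            server.verify("alice", otp(derive_key(trusted_browser, "0000"), now), now),
    }

if __name__ == "__main__":
    print(demo())
```

In this sketch a wrong PIN still produces a well-formed code, so someone holding only the browser secret cannot check PIN guesses offline; each guess has to be submitted to the server, which is where attempts can be counted and limited.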
How will a user create his possession factor, his token?
To be able to authenticate, the user will have to take an extra step to create his possession factor. This step only needs to be done the first time: in everyday life, he will only have to enter his PIN code.
This procedure, called enrollment, takes about 1 minute: the user will, for example, receive an e-mail with a link and click on it. A new page will then open in his default browser to ask him to set his knowledge factor.
That’s it. It’s over. The user has just defined his two factors: by creating both a browser token (his default browser) and his knowledge factor. Fast and efficient.
He can now authenticate himself only through the specific browser that has become his possession factor by typing his knowledge factor.
Before / After inWebo’s passwordless MFA
Forget the password headache
Simplify the login experience
This is how inWebo’s multi factor authentication drastically simplifies the user experience.
As an additional benefit, we also found that support teams received fewer requests to reset forgotten or blocked passwords. Users will inevitably make fewer mistakes with a simple knowledge factor in the form of a PIN code to remember.
Everybody wins: users and IT support teams.
How to migrate to passwordless multi factor authentication in the blink of an eye
Today you use a login/password pair to let your users authenticate. Technically, it is a simple HTML form whose data you validate against your database.
To turn this form into a passwordless multi factor authentication, you just have to:
- add 3 lines of code,
- hide the original form,
then make an API call to our platform.
One line to initialize the inWebo library:
inWebo generates an OTP
inWebo browser token (Deviceless MFA) generates an OTP
Your form receives the OTP
inWebo confirms the OTP
To this end you can find our online documentation with code examples to get you started faster.
Enhance the login experience and effortlessly switch to passwordless
So, no more excuses for not securing your applications. You can either continue with an insecure password that is tedious for your users and remain exposed to all the existing computer attacks, OR reinforce your security with authentication that is strong AND simple for your users!
The 2 messages to remember are: