Passwordless authentication for your website

How it works: from a user perspective

A user hits a button on your website to log in or register.


The user will be redirected to the authorization server and will be prompted to enter an email address.

The authorization server sends an email with a one-time access code to the specified address.

When the user enters the correct one-time code, the authorization server returns the user to your website along with an access token, which confirms that this user was identified by their email address.

Using the access token, your website grants the authenticated user access to their data.


The user doesn't need to remember a password, and you as a website owner don't have to store and protect user credentials.

How it works: under the hood

Normative References

RFC 6749 - The OAuth 2.0 Authorization Framework
RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)
RFC 7519 - JSON Web Token (JWT)

Reference Architecture

There are 3 main components:

[A] Your website, a client in OAuth 2.0 parlance. It can be a JAMstack/static website.
[B] The API endpoint of your application serving user requests. This is the resource server in OAuth 2.0 terms. It can be implemented serverless with API Gateway and Lambda functions.
[C] The OAuth 2.0 authorization server: the server issuing access tokens to the client after successfully authenticating the user. You can either deploy your own server or use the Logintoo SaaS (coming soon; not yet available).

Workflow

  1. The OAuth 2.0 client (your website) requests an access token from the authorization server. This step involves the sequential interactions between the client and the authorization server described in RFC 6749 and RFC 7636.
  2. The authorization server authenticates the user by sending and validating a one-time password and, if it is valid, issues an access token.
  3. The client makes a request to your API (the resource server), presenting the access token (a JWT).
  4. The resource server validates the access token and, if it is valid, serves the request.

The authorization server also issues and rotates refresh tokens. A refresh token is used to obtain a new access token when the current access token becomes invalid or expires.

A single authorization server can issue access tokens for multiple resource servers.

Open source

Why passwordless?

'81% of hacking-related breaches leveraged either stolen and/or weak passwords.'

Verizon Data Breach Investigations Report

www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf

'Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organizations, there’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.'

www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security

'As counter-intuitive as it sounds, passwords can actually hinder the security of your users, making users vulnerable to techniques like phishing, credential stuffing, brute force, and dictionary attacks.'

Swaroop Sham, Senior Product Marketing Manager for Security

www.okta.com/blog/2019/11/why-your-customers-need-passwordless-authentication

'Password replacement options can help organizations provide convenience and ease-of-use without high-security risks.'

query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup