Passkeys are the new hot shit in the developer world, well, at least it seems that way since I use 2 services that push this on me and I only allow one to do so, and for good reason. In this post, you'll find out what passkeys are, why it's not so easy and why I think Magic Links is a better alternative.
What are passkeys?
People are forgetful and don't want to/can't remember long and complex passwords. Although there are services such as KeePass or LastPass where you can secure passwords with a master password, this is still too complicated for some people.
In short: short passwords are not secure and long passwords are difficult to remember.
Passkeys should offer a solution here, namely that you can use the WebAutn browser API via your mobile device, for example with a fingerprint. Then all you need is your e-mail address and you can log in. No more password required.
Ingenious, isn't it?
Passkeys are not easy
While the theory sounds incredibly great and ingenious, the practical realization is anything but easy, because in addition to expert knowledge in Javascript implementation, cyber security and possible potholes in development, because after all, it should be secure, but in order for it to be secure, you have to be able to implement it securely in your own application. Because without a password, the user can no longer access their data in the event of a problem.
Corbadowhich help to implement passkeys, say that it is 100x more difficult to integrate passkeys into productive operation than a simple demonstration of passkeys shows.
Because there are various pitfalls that can become a problem, for example, does the passkey also have to work on a new device or what if the old device has been lost? What if you request the passkey login via the web application, but no authentication request appears on the mobile device (this has happened to me several times with one service, so I use the passkey and password option)?
Implement passkeys
No, I'm not going to give you any instructions here, because the topic is complex and as a developer myself, I prefer to stick to security experts who know how to do it properly.
The experts at Corbado have published a tutorial here that explains how to implement it:
Passkey Tutorial: How to Implement Passkeys in Web Apps
Magic Link as an alternative
But is there a secure and simpler alternative to passkeys? Yes, there is, and these can be found on the Internet under 2 different names, either Magic Link, but sometimes also called Magic Login, both mean the same thing, but are just different names.
What is the Magic Link?
This is the outsourcing of authentication; the user no longer logs in to the web service, but to their email provider. The web service therefore does not store the user's password.
How does it work?
In principle, it is quite simple and yet secure, because with the web service you only enter your registered e-mail address via the Magic Link procedure. The service then sends an e-mail with a link and an authentication token to the user.
In order to log in to the web service, you must log in to the e-mail provider where you can access the e-mail, so you authenticate yourself by having the password for your own e-mail account whose e-mail address you want to log in to the web service. After clicking on the link, you will be logged in to the web service and can use it as normal.
So what are the advantages and what are the disadvantages?
Advantages of Magic Links
- Simplicity and user-friendliness:
- Users do not have to remember or create passwords.
- The registration process is quick and uncomplicated.
- Security:
- Minimizes the risk of password theft and phishing attacks, as no fixed passwords are used.
- Links are often time-limited and can only be used once.
- Reduced password management:
- Users do not have to create or change complex passwords.
- No need to perform password reset processes.
- Accessibility:
- Users can log in from any device with their e-mail address without needing any additional information.
Disadvantages of Magic Links
- Dependence on e-mail:
- Users must have access to their e-mail in order to log in.
- If there are problems with the e-mail service, the login process may be disrupted.
- Security risks for e-mail accounts:
- If a user's email account is compromised, attackers can easily log in.
- E-mail links can be intercepted or forwarded if e-mail security is not guaranteed.
- User acceptance:
- Some users may not be familiar with Magic Links and prefer traditional login methods.
- May be perceived as less trustworthy if users are not sure how it works.
- E-mail delays:
- Delays in receiving e-mails can slow down the registration process.
- Emails could end up in the spam folder, making access more difficult.
So it clearly offers the advantages, but also the disadvantages, where the disadvantages can be strongly influenced, so you should always protect your email account with 2FA (2-factor authentication) and use a large email provider, such as Gmail, which offers the know-how and security features to minimize hacking attacks. Email delays are 1-5 minutes in the worst case, depending on the email provider, but in my experience they are received within a few seconds.
Of course, user acceptance is a problem, because anyone who has not yet had any experience with it will find it more difficult to get to grips with it, as you want to use the web service but also need to have your email account open at the same time. Nevertheless, you save yourself the risk of the password for the web service being stolen by hackers and misused, because if there is no password, none can be stolen. And you don't have to remember or manage several passwords.
I therefore like to implement Magic Links as a login option in my own services that I develop.
From a developer's point of view, magic links are technically easier and faster to implement in various programming languages, whereas passkeys, as far as I know, can only be realized with Javascript, because the query has to be executed in the browser window on the client side
Further sources: