Go Passwordless

Creating a passwordless experience for your site or app can streamline the sign in process and help reduce the burden on customer support. Done correctly, it can also significantly enhance site security; however, done incorrectly it can drastically weaken site security.

SnapAuth makes it easy and secure to go passwordless with passkeys!

Let's explore some of the common options:

Magic Links

Magic links are one-time-use links, typically sent via email, that will authenticate a user simply by visiting the page. They evolved from user behavior where some people would always sign in through a password reset flow since they didn't even attempt to remember or manage their password.

Pros:

  • Easy to understand
  • Implementation is about the same as a password reset flow

Cons:

  • Easy to create an insecure implementation
  • Subject to deliverability issues (delays, spam, etc.)
  • Requires lots of navigating across pages/apps
  • Can produce weird results for users with multiple browsers
  • Cost per use [1]

User experience: ★★☆☆☆

Lots of switching between apps and windows. Awful across multiple devices.

Security level: ★★★☆☆

As good or bad as the user's email inbox, which you have no control over.
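The "easy to create an insecure implementation" point above usually comes down to how the link token is generated, stored and redeemed. The following is an added example, not code from SnapAuth or the original page; `MagicLinkStore`, its in-memory dict, the 10-minute lifetime and the cookie-bound browser nonce are assumptions for illustration. The browser binding is a design choice, and it is also why a link opened in a different browser than the one that requested it will not sign in.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; long enough to survive mail delays


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkStore:
    """Hypothetical in-memory stand-in for a table of pending sign-in links."""

    def __init__(self, clock=time.time):
        # sha256(token) -> (user_id, expires_at, sha256(browser_nonce))
        self._pending = {}
        self._clock = clock

    def issue(self, user_id: str):
        """Return (token for the emailed URL, nonce to set as a cookie)."""
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, no user data
        nonce = secrets.token_urlsafe(32)
        # Only hashes are stored, so a leaked table holds no usable links.
        self._pending[_sha256(token)] = (
            user_id, self._clock() + TOKEN_TTL_SECONDS, _sha256(nonce))
        return token, nonce

    def redeem(self, token: str, browser_nonce: str):
        """Return user_id exactly once for a valid link, otherwise None."""
        key = _sha256(token)
        record = self._pending.get(key)
        if record is None:
            return None  # unknown, already used, or expired and purged
        user_id, expires_at, nonce_hash = record
        if self._clock() > expires_at:
            del self._pending[key]
            return None
        # Constant-time check that this is the browser that requested the link.
        if not hmac.compare_digest(nonce_hash, _sha256(browser_nonce)):
            return None  # wrong browser or a mail-scanner prefetch: link stays valid
        del self._pending[key]  # consumed on success, so a replay fails
        return user_id
```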

SMS Codes

Signing in via SMS typically involves being sent a short (five to eight character) code and typing it into the website or app. In our increasingly mobile-first world, this can improve the user experience since phones will typically detect the code and autofill the form field.

Unfortunately, SMS is a notoriously insecure protocol. It's unencrypted, vulnerable to account takeover at the carrier [2], and there's no reliable way to verify the message sender. SMS also has frequent delivery delays and is highly vulnerable to phishing.

Pros:

  • Easy to understand
  • Pretty good experience on mobile

Cons:

  • Inherently poor security
  • Requires SMS access (bad for international travel!)
  • Very easily phished and spoofed
  • Subject to deliverability issues
  • Cost per message sent

User experience: ★★★☆☆

Great on mobile, varies on desktop. Unusable if the user doesn't have access to SMS, which is common during travel.

Security level: ★☆☆☆☆

It should be a last resort as a second factor, and should not be considered as a first factor.

Authentication Apps

Instead of relying on SMS, a user's device can be registered with the service and use push notifications to authenticate. Since push notifications run over a secure channel, this solves most of the security issues with SMS, at the expense of higher complexity.

This was actually co-invented [3] by a SnapAuth founder back in 2013.

Pros:

  • Easy to use
  • Highly secure
  • Highly phishing-resistant

Cons:

  • High-friction setup process
  • High vendor lock-in factor
  • Expensive

User experience: ★★★☆☆

The setup process tends to have a lot of friction, but it's not bad once configured.

Security level: ★★★★☆

Varies by implementation, but most are great. Some apps may have phishing risk.

Passkeys

Passkeys, and the broader Web Authentication specification, are designed to address issues from all of these mechanisms, as well as problems with traditional passwords.

They've been in development since 2016 by major industry players and the FIDO Alliance, and are now widely supported in all major browsers and platforms. They're built on decades of knowledge and real-world experience of security on the web, using strong cryptography.

Pros:

  • Easy to use
  • Highly secure
  • Highly phishing-resistant
  • No delivery mechanism needed
  • Built in to existing software
  • Very low setup friction
  • Free (self-managed) to inexpensive (powered by SnapAuth)

Cons:

  • Relatively high implementation complexity when self-managed
  • May be unfamiliar to users

User experience: ★★★★☆

As the new kid on the block, there are some occasional growing pains, but most are on the developer end. The main downside is limited syncing across platforms.

Security level: ★★★★★

Passkeys were designed from the ground up to solve current and future security challenges, and to date have held up extremely well.

Start integrating passkeys

SnapAuth is designed to take away the integration complexity from passkeys. Instead of spending weeks or months on development, you can see results in minutes.

Go passwordless now

Try SnapAuth for free with no commitment.


  1. Unless you run your own email services, which is rare and invites a lot more complexity 

  2. A.K.A. SIM-swapping attacks 

  3. US20140007213A1