Popular Authentication Methods: A Comprehensive Overview

published on 14 June 2023

In this blog post we cover almost all the login methods that exist, including newly introduced ones such as passkeys.

Password Based Login

In the old days, we had only password-based logins. The user enters a username and a secret alphanumeric string as the password. If both are correct, the user can enter the website. However, more security was needed.

Passwords with Image Challenge

The user enters a username and password, and if both are correct the user is taken to another screen. On this screen the user chooses a secret image, maybe a duck, a dog, or a beach, which they selected when creating the account. If the image is chosen correctly, the user can log in to the site. Images are easy to remember, so this method adds to security. A hacker or bad actor cannot replicate the site because they would not know the correct image for every user. A little better!

Password + OTP in email or SMS

Alongside entering a username and password, the user now also receives a secret code (a number or an alphanumeric code) over an alternate communication channel. This channel can be a phone, email, or a colleague's email. The user has to enter the secret code to enter the site. This was heavily used to reset passwords, but due to its high robustness the method is now ubiquitous.

Password + Authenticator App

Authenticator apps such as Google Authenticator change a secret every minute or so. After entering a username and password, the user also has to enter the authenticator app's current secret to enter the site. Authenticator apps are largely used to join SSO federation in the enterprise.

Email magic link

As a novel method, passwords and OTPs are replaced with email links. The user clicks on the link and gets into the site. If the email account is hacked, it essentially gives open access to the user's account on the site.

FIDO

Here the user does not enter a password. Instead, using hardware module integration, the site checks whether the user can log in. Upon login, the site receives a public key specific to that site. The site can retrieve user info using the public key. Users cannot move between devices; each device creates a new login, which is a disadvantage.

Passkey

Like FIDO, the user does not have to provide a password, and the device lets you log in to the site. Using Google Password Manager, a passkey can be shared between devices. A passkey can also be used to log in on a laptop while authenticating with a phone through QR code pairing.

Biometric Auth

Primarily used in phone apps, where the user does not have to enter a password. The app provides biometric authentication through fingerprint or face unlock. If the user has registered biometric auth, logging in is easy; however, biometric auth is a probabilistic match rather than an exact one, so there are some disadvantages here.

Identity Federation

Identity federation means signing in with social accounts, i.e. Google Sign-In / Facebook / Twitter. The user does not have to store a password on the site; instead, OAuth permissions are granted to the site to check the email address and user info.

Conclusion

Choosing a method depends on how much security is needed while keeping the user experience from becoming cumbersome. For high-risk account protection, using Google Authenticator, combining a few methods, and forcing users to change passwords every few months is a good idea. These login methods help avoid phishing attacks and many other attacks, so choose wisely.
