More websites and portals are switching to passwordless logins, but they are implementing them incorrectly, which is frankly annoying. Why are we “[replacing] passwords with something worse”?
This trend began some time ago. One of my favorite Swiss newspapers, Republik, started requiring login through email confirmation: users enter their email address and then confirm it by clicking a link. They claimed this approach enhanced security, and perhaps it does. The system works well enough since users remain logged in for extended periods. After clicking the confirmation link, you stay logged in for a year, and this duration renews each time you access the site. The mobile app maintains login status even longer. This implementation I can tolerate.
Now another of my favorite tools, Strava, has also started using email codes. The problem is that I need to log into Strava frequently. I’m not sure why, but I seem to require authentication more often than necessary.

Strava “nudging” me to activate the passwordless login. Source: Screenshot from Strava Login.
Strava advertises that users will never need to remember passwords again, but I don’t actually know my Strava password anyway. It’s stored in my password manager, which fills it out automatically. This process is much faster than waiting for a password to arrive via email. This highlights the core issue: passwords have been invented, they work reasonably well[1], and I don’t want to constantly take the detour through my email.
Good passwordless logins
The issue is that a standard exists for passwordless logins: passkeys, which are now increasingly supported, primarily by major tech companies. They are widely supported through embedded systems; for example, my iPhone has built-in support for them. However, the gold standard remains a physical hardware key that you connect to the USB port of your phone or laptop[2].

My two YubiKeys on my keychain: one for personal use and one for work.
However, these modern and highly secure methods are not supported by Strava (or Republik, for that matter). If these companies genuinely want a passwordless future, they shouldn’t give me the email approach. I receive enough emails as it is. Instead, I want the passwordless standard of the future: passkeys that I can use with my hardware security keys.