Passwordless

Passwordless authentication identifies users by email or phone number. Instead of accepting a password, the system verifies users by sending a login link or single-use password.

A good example of this method is Slack's 'magic link'. The user receives an email with a login link when they enter their email.

This method delegates some of the security responsibility to external entities like email accounts or phones.

Strengths

The advantage of passwordless authentication is naturally the lack of passwords. It can help users suffering from password fatigue. It can also improve security since many users will reuse passwords across applications, leaving them vulnerable if they are compromised.

Weaknesses

Passwordless authentication requires users to leave the application to confirm their identity, which can harm the UX.

If someone gains access to a user's email or phone, they would be able to sign in to the application on behalf of the user.

When to use it

Passwordless authentication can be a solution if it's not possible to use regular username/password authentication.

It's also a good solution to use as part of a multi-factor authentication scheme.

When not to use it

If it's essential to keep the users in the app at all times or not rely on 3rd party entities, then it's best to avoid this authentication method.

Authentication scaffolding

Starter kits for Laravel, Vue and React.