How to Build a Seamless Yet Secure Passwordless Auth
"Secure" and "seamless" don't often go together as adding more security to your auth flow is usually done by adding more barrier.
No one is a fan of the username and password combo. People can barely remember their login for every app or website so they end up using the same password on multiple sites, which makes it not secure. Therefore, apps and websites that require high-level of security (especially those in regulated industries) have implemented Two-Factor Authentication (2FA).
2FA is an effective way to verify a user's identity by requiring two of the 3 types of authentication factors:
What you know: Password, PIN
What you have: Phone Number, Device
Who you are: Fingerprint, Facial Recognition
The most common combination that we see nowadays is password (what you know) and one-time code sent via SMS (what you have). However, not only is password not secure, it also brings friction to the login experience. As for phone number, it is also not secure in the sense that scammers today use a combination of old-school techniques like SIM swapping and social engineering to convince people to give out their one-time codes. The scammers can then successfully gain unlimited access to people's accounts which contain sensitive information.
How Cotter can help secure your Authentication
For those who need extra secure yet seamless auth for their apps/websites, Cotter is excited to introduce you with our Device-based Authentication!
Cotter follows the FIDO Protocol to implement Device-based Authentication. The way it works is that Cotter's SDK will generate cryptographic key pair that replaces password. This key will be stored securely in the user's device. Since the device is the only one that knows these keys, it is called a Trusted Device.
Because of the way asymmetric cryptography works, your secret key is never sent over the internet to any server (not even Cotter's server). Cotter only needs to verify that the requests are actually made with the key using cryptographic functions to ensure that they are actually coming from the Trusted Device.
Why is Device-based Authentication Secure
Device-based authentication is secure because the cryptographic keys are stored in the Trusted Device and only that device knows what the keys are. Moreover, most devices (smartphones) are now equipped with Biometrics that makes it hard for scammers to gain access to the device.
If you're interested to try out our authentication flow, check out our quick start guides below: