Going passwordless
July 23, 2024

It's time. After years of rolling auth for various products, systems and apps, I'm tired of doing passwords. I'm going passwordless.
Passwords are tedious. None of it is hard, but there are a lot of steps required to implement them correctly, and it takes care to pull off.
In the end, the security of an account is in the hands of the user. Users are often human and humans are bad at passwords.
Sure, spin up your password_hash column, throw argon2 in there and you're good to go.
But then you need to worry about throttling, email verification, password resets, password policies, password storage, password rotation, password complexity, password reuse, password spraying, password stuffing, password leaks, password breaches, passwordless, passwordful, password, password, password.
On a serious note though, passwordless is a great way to improve security and user experience and it's easy to implement. It's a win-win. From now on, I'll just use WebAuthn for everything I build myself.