Going passwordless

July 23, 2024

It's time. After years of rolling auth for various products, systems and apps, I'm tired of doing passwords. I'm going passwordless.

Passwords are tedious. None of it is hard, there are just a lot of steps required to implement them correctly; it takes care to pull off.

In the end, the security of an account is in the hands of the user. Users are often human and humans are bad at passwords.

Sure, spin up your password_hash column, throw argon2 in there and you're good to go.

But then you need to worry about throttling, email verification, password resets, password policies, password storage, password rotation, password complexity, password reuse, password spraying, password stuffing, password leaks, password breaches, passwordless, passwordful, password, password, password.

On a serious note though, passwordless is a great way to improve security and user experience and it's easy to implement. It's a win-win. From now on, I'll just use WebAuthn for everything I build myself.