Authentication Methods

Reference information on what auth methods are provided by Authproject

What authentication methods does Authproject provide?

Authentication Methods

Once a user enters their email, they are presented with options to select how they want to authenticate.

Password

A password is among the oldest authentication methods, but is still widely used today. After entering their email, a user enters a password to prove that they are who they say they are. This system, while common, is vulnerable to password reuse attacks: if a user has used the same password on another site and that password is discovered there, an attacker can use it to access the user's account on Authproject.

Magic Link

A Magic Link is a link emailed to the user which allows them to sign in. The link, once clicked, authenticates the user without the need for a password. If an attacker requests a magic link, the only way to complete authentication is to receive the email sent to the user's address. As long as a user's email account is secure, magic links are a good way to sign in without the need for a password.

Passkey

Passkeys are becoming more common. A passkey is a cryptographic attestation that the user has access to a particular device, and that device validates the user's identity in some other way, usually biometrics or a PIN code. It is a method of passwordless authentication in which the user simply clicks a button or scans a QR code, and it is quite robust against all but the most sophisticated adversaries. However, if the user loses the device holding the passkey, they will not be able to sign in with it.

One-Time Code

One-time codes are common for two-factor authentication. A user receives a code via email or text message, or reads it from their authenticator app, and enters that code to log in. One-time codes are resistant to replay attacks because the code changes with time: an attacker can only use a one-time code for a limited period after it has been generated, after which it is no longer valid.