Mobile and IoT authentication should not require passwords. That's the philosophy behind a new developer feature from Auth0 called Passwordless, which the company says will simplify programming for mobile and IoT devices.
Auth0 is certainly not the first company to conceptualize logins that don't require passwords. Other programming frameworks, such as this one (also called Passwordless but unrelated to the Auth0 solution), do similar things. Meanwhile, two-factor authentication, which combines traditional passwords with another form of login credential, has become popular with major services including Gmail and Facebook in recent years.
But Auth0 aims to be different by focusing on the mobile and IoT market. "By eliminating the need for users to remember passwords," Auth0 CEO Jon Gelsey said, "developers and IT professionals can reduce hassles for their users, greatly increase the security of their apps, APIs and IoT devices, and accelerate user acquisition. Now, any application can easily incorporate simple yet strong multifactor identity security."
The feature works by allowing users to log in to an app or device by scanning a fingerprint, using a temporary secret link or entering a temporary secret code—or some combination of these. Users receive the information they need via a verified email address or phone number.
Because Auth0's platform is cloud-based, developers can implement the feature by integrating a snippet of code into applications.
Will solutions like this change the game? That's a tough question to answer. On the one hand, traditional password authentication is subject to a lot of inertia. Developers have long known that passwords are bad because people tend to forget them and/or create weak ones; however, better ideas have yet to be widely implemented. There's going to be a steep learning curve for users if passwords go down the Blue Tunnel into the Afterlife.
On the other hand, IoT promises to make the issues with passwords even more dramatic. IoT devices mean more passwords for users to remember and vendors to store securely (or not, given companies' current track record of keeping users' data secure). Plus, compromised passwords on IoT devices could lead to especially dramatic problems (think third parties controlling your home security system or thermostat). Worries over issues such as those could add new impetus to the campaign by companies such as Auth0 to move developers beyond passwords.