reboottime
commented
1 year ago Passwordless Authentication
One Time password( OTP)
- Unlike static passwords, which can be reused, OTPs are valid for a limited time, typically a few minutes. This means evne if someone intercepts an OTP, they can't use it to log in later.
- Additionally, OTPs requires "something you own" as well as "something you know" to log in ( can be a cell phone ( less secure than others) or email address that the user has access to, making it harder for hackers to steal)
How OTPs work in detail
Alternatively, a hardware or software key can be used to generate OTPs for multi-factor authentication (MFA), for example, like Google 2FA.
Overview
This is a note extracted from Password, Session, Cookie, Token, JWT, SSO, OAuth - Authentication Explained - Part 2, By Alex Xu, it introduces three ways of passwordless authentications:
While the article claims it has introduced JWT token-based authentication in part 1, it actually hasn't done so yet. Therefore, in this note, I will cover the topic of JWT authentication with my understanding.
Passwordless Authentication
When it comes to authentication, there are three factors to consider
Password fall under "something you know", One-Time Password(OTP) prove that the user owns a cell phone a device, while biometric authentication "something unique to you"