Authentication
Published Oct 7, 2025
Authentication (sorry, no whitepaper for you)
Since I published my now hopelessly outdated authentication whitepaper, I almost immediately started collecting research for a new one. Now I am fully convinced I could just drop everything I gathered so far: everything I need to say is in this small guide.

Some services still rock it like it is 1995. Sorry, today that is just silly. No one wants one more set of credentials to manage. It is not about security, it is about usability. Your preferred methods should be:
- Low security: magic links.
- Medium security: social network login.
- High security: FIDO2 on physical tokens.
Allow FIDO2 (WebAuthn, marketed as passkeys) whenever possible. It assures a pretty decent minimum security level (cloud-synced passkeys) without capping the maximum (device-bound credentials on physical tokens), so the user can pick their own threat model. The usability is almost perfect, and of the methods above it is the only one that is really phishing resistant: the credential is bound to the origin, so a lookalike domain gets nothing.
Mobile apps are handy when they are a conscious opt-in. They should never be a requirement.
If you have reasons to allow good old passwords, forget about “complexity rules”. And stop using words like “choose a password”. Today it is called “generate”. Accept anything the user pastes, spaces and all, with a generous maximum length. Verify it with an entropy meter and a known-leaks database. Also, a password should never expire unless compromised, but that is common knowledge now.
Typically you have no such reason, and passwords should certainly never be the only option. When in doubt, use “magic links” (and do not restrict them to the device where the email is received: people read mail on the phone and log in on the laptop).
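Here is what a password check without composition rules looks like in practice. This is an added example, not code from the post: length bounds are the only structural rule, and the rest is delegated to a leak lookup using the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 ever leave the client). The range endpoint is replaced by a constructed offline stand-in with made-up counts, and the length constants are assumptions; a real deployment would add an entropy estimator such as zxcvbn alongside it.

```python
import hashlib
from typing import Callable, Tuple

# Policy constants are assumptions for this example, not the post's numbers.
MIN_LENGTH = 8        # NIST SP 800-63B floor for user-chosen passwords
MAX_LENGTH = 256      # generous cap so generated passphrases are never rejected

# Constructed stand-in for the breached-password store. The real k-anonymity
# API is GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>,
# which returns "SUFFIX:COUNT" lines. The counts below are made up.
_BREACHED = {"password": 9_545_824, "qwerty123": 1_234_567, "letmein": 288_853}


def fake_range_response(prefix: str) -> str:
    """Build the text the range endpoint would return for this 5-char prefix."""
    lines = []
    for pw, count in _BREACHED.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: the full hash is compared locally, never sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range=fake_range_response) -> Tuple[str, str]:
    """No composition rules: length and the leak database decide, nothing else."""
    if len(password) < MIN_LENGTH:
        return ("reject", f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        return ("reject", f"longer than {MAX_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        return ("reject", f"appeared in {seen} known leaks")
    return ("ok", "accepted")


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple", "short"]:
        print(repr(pw), check_password(pw))
```

Note that a passphrase with spaces and a generated string with symbols both pass the same test; the only thing that can reject a long random password here is its presence in a leak, which is exactly the case where rejecting is right.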
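The server side of a magic-link flow, as an added example rather than anything from the post. The point it illustrates is the one above: the link is a single-use, short-lived bearer token stored only as a hash, and nothing ties it to the browser that requested it, so clicking it on another device works. The base URL, the 15-minute lifetime and the e-mail addresses are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed: links are short-lived, unlike sessions


@dataclass
class PendingLink:
    email: str
    expires_at: float
    consumed: bool = False


class MagicLinks:
    """Tokens are stored only as hashes, are single-use, and are NOT bound to
    the device that asked for them (no cookie is set at request time)."""

    def __init__(self, base_url: str = "https://example.test/login"):
        self.base_url = base_url                 # assumed URL for the example
        self._pending: Dict[str, PendingLink] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # A leaked table must not hand out usable links, so store hashes only.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Return the URL to e-mail. Deliberately sets no browser state."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        self._pending[self._hash(token)] = PendingLink(email, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the verified e-mail, or None. Works from any device."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._hash(token))
        if entry is None or entry.consumed or now > entry.expires_at:
            return None
        entry.consumed = True                    # one click, one login
        return entry.email


def token_from_url(url: str) -> str:
    """Extract the token the way the login page would read its query string."""
    return url.rsplit("token=", 1)[1]


if __name__ == "__main__":
    links = MagicLinks()
    url = links.issue("alice@example.test")      # constructed address
    tok = token_from_url(url)
    print(links.redeem(tok))                     # the e-mail, first click
    print(links.redeem(tok))                     # None: already consumed
```

After a successful redeem the application issues its normal long-lived session; the short TTL belongs to the link, not to the login it produces.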
Sessions should not expire, unless there is a regulatory requirement that you cannot work around. Well, INACTIVE sessions on desktop devices MAY reasonably expire after a week or so, just in case you forgot to wipe your old laptop before disposing of it. Mobile app tokens should absolutely expire NEVER. If you want to protect a mobile user, ask for a screen lock. There are apps that people use once a month. Once a year. And they still prefer it to “just work”. The one thing a non-expiring token does need is server-side revocation, so a lost device can be logged out without waiting for a clock.
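The session policy above as code, added here as an example and not taken from the post. It shows the two things the prose relies on: desktop expiry is a sliding inactivity window (use resets the clock, there is no absolute lifetime), mobile tokens never expire on their own, and every token can be killed server-side. The one-week limit and the device classes are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 24 * 3600
DESKTOP_INACTIVITY_LIMIT = 7 * DAY   # "a week or so"; the exact number is an assumption


@dataclass
class Session:
    user: str
    device_class: str      # "desktop" or "mobile" (assumed classes)
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Tokens are random bearer strings; only their hashes are stored."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Session] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str, device_class: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._hash(token)] = Session(user, device_class, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None."""
        s = self._by_hash.get(self._hash(token))
        if s is None or s.revoked:
            return None
        if s.device_class == "desktop" and now - s.last_seen > DESKTOP_INACTIVITY_LIMIT:
            s.revoked = True       # the forgotten-laptop case: idle for over a week
            return None
        s.last_seen = now          # sliding window: activity resets the clock
        return s.user              # mobile sessions never reach an expiry branch

    def revoke_user(self, user: str) -> int:
        """Server-side kill switch for a lost device or a compromised account."""
        count = 0
        for s in self._by_hash.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    mobile = store.issue("alice", "mobile", 0.0)
    print(store.validate(mobile, 400 * DAY))   # still "alice" after a year idle
    store.revoke_user("alice")
    print(store.validate(mobile, 400 * DAY))   # None once revoked
```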
Hard Truths
Your authentication is only as secure as your weakest recovery method. Hardware key setup? Worthless if "forgot password" sends a reset link to an unverified email or an SMS to a phone number vulnerable to SIM swapping, or if a phishing page simply tells the user that passkey login did not work, please enter your TOTP code. That last one is a downgrade attack: the attacker never has to beat the passkey, only the fallback you left enabled. Stop congratulating yourself on the front door when the back door is wide open.
SMS recovery doesn't protect users—it protects your support costs. Don't pretend you're offering "better than nothing." You're deliberately downgrading account security by adding a third-party attack vector (carriers) that users have zero control over. When their account gets compromised via SIM swap, that's on you. Let users opt out entirely.
Cloud-synced passkey is a fancy name for social login (well, with extra steps). Both live or die by your Apple/Google account security. The phishing resistance is real, but stop pretending synced passkeys are fundamentally more secure than "Sign in with Apple." They share the same single point of failure—and yes, both are acceptable for most use cases.
You love the mobile app as the safest authentication method because of telemetry. Users hate mobile apps because of telemetry, and there are threat models where the app is far from the safest option. Also, my rooted LineageOS is safer than your stock outdated Android, and I would prefer neither to touch my crypto exchange accounts ever.
Generated passwords stored in managers are cryptographically equivalent to any other shared secret. The problem was never passwords—it was humans. A 256-bit random string stored in 1Password is not meaningfully different from an API key. Stop treating password managers like a necessary evil and admit they solved the actual security problem (usability still sucks). Side note: did you ever see “complexity rules” rejecting perfect randomly generated passwords? That’s more than frustrating.
Finally, your service is not as important as you think. Users who treat your app like their banking login probably shouldn't. Users who treat their banking login like your app definitely shouldn't. Most developers get this backwards in both directions, then wonder why authentication friction kills conversion or why compromised accounts don't get reported for weeks.