shivam kumar singh

Implementing Secure Hanko Authentication: Password and Passkey-Based Login, Registration, and Logout in Any Tech Stack

Hanko is a lightweight, open source user authentication solution that takes you on the journey beyond passwords.

- Advantages and disadvantages of building a login that uses only passkeys

  • Advantages of Using only Passkeys
  1. Increased security
    Passkeys eliminate the reliance on passwords by the system. This gives the system more security and is harder for attackers since they cannot bypass the biometric-based or hardware-based authentication in the system.

  2. Easier to use
    Passkeys provide an effortless and instant login. There is a reduction in remembering and hence managing the password; this offers less frustration and more use, especially when using passkeys on mobile devices.

  3. Fewer issues with password recovery
    Without passwords, the demand for intricate account recovery processes is lower. Passkey systems normally rely on fallbacks like biometrics or device pairing that can make recovery smoother, without security questions or backup codes.

  4. Immunity to Phishing
    Passkeys depend on either device-based or biometric authentication rather than credentials entered in a form. This means they are impervious to phishing attacks. Such immunity presents enormous security benefits for users in industries or environments vulnerable to social engineering attacks.

  5. Less Administrative Overhead
    When organizations no longer use passwords, the administrative overhead of resetting passwords and troubleshooting login failures is significantly reduced. Such requests make up a large share of IT support tickets.

  • Drawbacks in Using Only Passkeys
  1. Dependency on Devices
    Passkey authentication can be device-specific, tied to a smartphone, security key, or biometric scanner. If the device is lost, or no compatible device is available, logging in to or recovering an account becomes difficult. Passkey-only systems may exclude people who do not have newer hardware or devices capable of biometrics. Not all devices and browsers have implemented passkeys yet, so a fallback login method is still necessary.

  2. Privacy Issues related to Data
    Biometric data raises privacy risks when it is improperly stored or transmitted. Even though passkeys keep credentials in secure local storage by default, users may still have privacy concerns about the use of their biometric data.

  3. Account Recovery Challenges
    Without passwords or other conventional identifiers, account recovery can be more difficult if the user loses their passkey or access device. Fallback methods and multi-device syncing are therefore essential to prevent user lockouts.

  4. Complexity of Integration
    Implementing passkey-only authentication may involve more setup and infrastructure, especially if users change devices often. Multi-device syncing, secure backup, and fallback methods all add complexity to the authentication flow.

  5. Risk of Vendor Lock-in
    Some passkey solutions make the user dependent on one specific device or authentication provider, a dependency that can put an organization in a tight spot if its requirements change in the future.

- How passkey autofill (Conditional UI) works

  • Enable Passkey Detection in the Browser
    Conditional UI is part of the WebAuthn API, which provides for a login prompt when the user wants to use a passkey without a button click to start the login. The supported browsers can check whether passkeys are available for the website they are currently visiting and activate the autofill process by prompting a login on reaching the login page.

  • Auto-Initiating Authentication Prompt
    With Conditional UI, the browser automatically prompts the user to log in with a passkey stored on their device, so passkey users no longer need a traditional "Sign In" button. When the user visits a Hanko-powered login page, the browser's native prompt presents the passkey stored for the site, and the user can authenticate with a single tap or glance where biometrics are available.

  • Intuitive User Experience
    Users who have saved passkeys do not need to enter a username or password. The browser detects the existence of a passkey and immediately offers it as an available login option. For example:
    • On iOS, the user is prompted with Face ID or Touch ID.
    • On Android, the system prompts for a fingerprint.
    • On desktops, if a hardware authenticator is attached to the computer, the prompt may ask the user to tap the security key.

  • Fallback Options
    If a passkey cannot be used, or the user has not set up a passkey on that device, Hanko's Conditional UI falls back to other authentication methods, such as a traditional password login (when that option is enabled), or, on a first visit, prompts the user to create a passkey.

  • Less friction:
    Conditional UI reduces login friction because the user no longer has to go back and forth through the login fields several times.

  • Improved Security:
    The risk of phishing and credential theft is decreased when using passkey-based authentication, making Conditional UI not only easy but also safer to use.

  • Cross-Device Synchronization:
    Most contemporary platforms, including iOS and Android, support cross-device synchronization for passkeys. This lets users benefit from Conditional UI across several devices, making it more accessible.

  Requirements and Compatibility

  • Browser Support:
    Conditional UI is currently supported in Chrome, Safari, and other browsers that implement the WebAuthn Level 2 API.

  • Platform-specific behavior:
    The implementation may differ slightly on each platform; iOS handles Face ID differently from the way Android shows fingerprint prompts. The Hanko flow itself, however, is the same on all supported platforms.
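The Conditional UI flow described above, as an added example in browser JavaScript (this is not Hanko's own code; Hanko's elements perform these steps for you): feature detection, building the WebAuthn request with conditional mediation, and starting the request on page load. The server endpoints (`fetchChallenge`, `verifyAssertion`), the challenge JSON shape and the `rpId` value are assumptions.

```javascript
// Added example (not Hanko's own code): a minimal WebAuthn Conditional UI
// (passkey autofill) login flow. Server endpoints and challenge shape are assumed.

// Decode a base64url string (how servers typically send the challenge) to bytes.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("challenge is not base64url");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build navigator.credentials.get() options. An empty allowCredentials list asks
// for a discoverable credential (a passkey), which is what autofill relies on.
function buildConditionalGetOptions(serverChallenge, rpId) {
  return {
    mediation: "conditional",
    publicKey: {
      challenge: base64urlToBytes(serverChallenge.challenge),
      rpId,
      allowCredentials: [],
      userVerification: "preferred",
      timeout: serverChallenge.timeout ?? 60000,
    },
  };
}

// Feature detection: WebAuthn plus conditional mediation must both be present.
async function conditionalUiAvailable(win = globalThis) {
  const PKC = win.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function") return false;
  return PKC.isConditionalMediationAvailable();
}

// Start the autofill-driven login on page load. The username <input> must carry
// autocomplete="username webauthn"; the browser then lists the stored passkey in
// the autofill dropdown and the promise resolves only when the user picks it.
async function startConditionalLogin(fetchChallenge, verifyAssertion, rpId) {
  if (!(await conditionalUiAvailable())) return null; // show the normal form instead
  const options = buildConditionalGetOptions(await fetchChallenge(), rpId);
  const assertion = await navigator.credentials.get(options);
  // verifyAssertion posts clientDataJSON, authenticatorData and signature to the
  // server, which checks them against the stored public key and the challenge.
  return verifyAssertion(assertion);
}
```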

- Making passwords optional: what's important when users can delete their passwords?
  When Hanko Auth is used to make passwords optional and let users delete them, it is essential to plan around both user experience and security so that the transition is smooth and authentication stays strong. Here are the key issues:

  1. Providing Alternative Authentication Options
  • Passkeys or Biometric Authentication:
    If users delete their passwords, they must have an alternative, secure login method such as passkeys, biometrics, or hardware security keys. Hanko's support for passkeys can be the primary option, letting users authenticate through device-based biometric or hardware-backed credentials.

  • Multi-Factor Authentication (MFA):
    If passwords are removed, enabling MFA as a secondary layer adds further protection, particularly if users opt for weaker alternatives (e.g., email-only login).

  2. Clear Communication and UX for Password Removal
  • Clear Prompts and Confirmation:
    When allowing users to delete their passwords, provide clear, unambiguous prompts that explain the change. Inform users that they will not be able to use the traditional password login once the password is deleted.

  • Easy Recovery Options:
    Include simple, accessible recovery options in case users lose access to their passwordless method (e.g., a biometric check fails or the device is lost).

  • Guided Walkthrough:
    Show a step-by-step guide explaining how to use alternative login methods and set up a passkey or security key before users delete their password, so they are not locked out.

  • Backup Email and Phone Verification:
    Collect an email address or phone number for account recovery before users delete their password. These fallbacks are important if users lose access to their primary device or passkey.
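A server-side readiness check for the conditions listed above (an alternative login method, a verified recovery channel, and clear warnings in the confirmation prompt), as an added example that is not Hanko's own code. The account record shape and the `backedUp` field (assumed to be recorded from the authenticator's backup-state flag at registration) are assumptions.

```javascript
// Added example (not Hanko's own code): a pre-check run before honouring a
// "delete my password" request. The account record shape is an assumption.

// Decide whether the password may be removed and what the confirmation
// prompt should tell the user.
function canDeletePassword(account) {
  const passkeys = account.passkeys ?? [];
  const recovery = account.recovery ?? {};
  const reasons = [];   // blocking problems
  const warnings = [];  // shown in the prompt, but do not block

  // 1. An alternative primary login method must already be registered.
  if (passkeys.length === 0) {
    reasons.push("register at least one passkey before removing the password");
  }

  // 2. A verified out-of-band channel is needed for lost-device recovery.
  const verifiedChannel = recovery.emailVerified === true || recovery.phoneVerified === true;
  if (!verifiedChannel) {
    reasons.push("verify a recovery email address or phone number first");
  }

  // 3. A single device-bound passkey is a lockout risk. `backedUp` is assumed to
  //    be recorded from the authenticator's backup-state flag at registration.
  const synced = passkeys.some((k) => k.backedUp === true);
  if (passkeys.length === 1 && !synced) {
    warnings.push("your only passkey is bound to one device; add a second passkey or recovery codes");
  }
  if (!recovery.recoveryCodesIssued) {
    warnings.push("no recovery codes have been issued yet");
  }

  return { allowed: reasons.length === 0, reasons, warnings };
}

// Text for the confirmation dialog, built from the check result.
function confirmationMessage(result) {
  if (!result.allowed) return "Cannot remove password: " + result.reasons.join("; ");
  const base = "You will no longer be able to sign in with a password.";
  return result.warnings.length ? base + " " + result.warnings.join(". ") + "." : base;
}
```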

- Using passkeys as a password replacement vs. for MFA
  With Hanko Auth, passkeys can be used either as a password replacement (the primary authentication method) or as a multi-factor authentication (MFA) factor alongside a password. Below are the differences, use cases, and considerations for each approach.

  1. Passkey as a password replacement
    In this configuration the passkey is the only authentication method, which completely eliminates the need for a password. Here is how it works and what to consider:

  • How does it work?
    Primary authentication method: users log in using device-based credentials such as biometrics (Face ID, Touch ID) or hardware security keys (such as a YubiKey).

  • Quick and easy:
    Users can authenticate without typing anything; the login is replaced by a single action (a biometric check or a touch of the security key).

  **Strengths**

  • Fast User Experience:
    The login process is simpler and faster, and users no longer need to memorize or type passwords.

  • Greater security:
    Passkeys reduce the risk of phishing, brute-force attacks, and identity fraud, since they are bound to a specific device or biometric factor.

  • Lower account recovery costs:
    Without passwords, there is less need for password resets, and support costs are minimized.

  **Considerations**

  • Device dependency:
    If a user loses their device, they may need to reset their passkey or use a secure account recovery option.

  • Backup mechanism:
    Provide a backup authentication method, such as recovery codes, for users who cannot use their primary passkey device.

  • User education:
    Educate users about how access keys work and the importance of enabling additional account recovery options.

  **Use cases**

  • Highly secure applications: Applications where phishing and identity theft are a major concern (e.g. financial services).
