Why we're moving away from passwords

Recently with the launch of Halo Security, we have added a new feature that allows you to log in without a password. With passwordless authentication, you will receive a secure link and a one-time code to your email address which is then used to log in to the Halo Security platform.

The problems with passwords

For “legacy” password authentication to be secure, passwords must be generated with appropriate length and randomness and changed regularly.

Password reuse is a problem that arises when the same password is used on multiple sites. This means that if one site is breached, malicious actors may use it on other sites you have access to or release a database that contains it. These databases are used in “credential stuffing” and “brute force” attacks.

It’s also nearly impossible to remember secure passwords, and users often rely on password managers to store them. This typically offloads the risk onto a 3rd party service.

Why passwordless authentication

Passwordless authentication is secure. The link and code that are generated to log in are secure and impossible for an attacker to guess using modern technology and techniques.

This information expires and can only be used a single time, eliminating attacks that we would typically see from password reuse. Leaders in the authentication space, like Duo, Auth0, and Okta, recommend and use passwordless authentication.

FAQs for Halo Security users

What does Halo Security recommend to keep my account safe?

We recommend using a combination of passwordless authentication along with two-factor authentication. You will still be able to use the “Sign-In with Google” functionality to log in if that is what you prefer.

What if an attacker has access to my email account? Won’t they be able to receive the link and code?

If an attacker gains access to the email associated with your account, passwords would not have helped. They could submit a “Forgot Password” request to reset it. This is why we recommend enabling two-factor authentication on all accounts for an additional layer of security.

What do I need to do to use passwordless authentication?

Nothing! When logging in, choose “Log in with Email” and use the same email address linked to your account. You will receive an email containing the link and one-time code shortly after.

Conclusion

We hope you find logging in without a password to be a convenient experience! If you have any issues or questions about passwordless authentication, feel free to reach out to our support team.