Passwordless Login

Rex Fong
2 min readAug 13, 2020

In order to improve security of online services, many companies have steered away from username-password authorization due to security concerns.

In theory username-password strategy can provide sufficient protection given the password is robust and the password is changed frequently. However in reality, this is hard to achieve as users tend to select simple passwords that are easy to remember personally and would rather trade security with convenience. Because of the advent and proliferation of mobile devices adoption, it is now possible to design an authorization system that is both secure and convenient.

Is Username-Password authorization that bad?

In the past, such as “basic authorization”, a user system would pose a username-password challenge, whereby password is being stored in a centralized database, and a dedicated remote server will perform password comparison to decide on access grant.

Authorization strategy that require password challenge has the following disadvantages.

  • Weak Password: The problem with password mechanism is that users often are given the duty to provide a strong but memorable password. This is an inherently contradicting requirement, and 1) either users are being hacked due to weak password ( or 2) users forget their passwords and require an administrator to reset their passwords.
  • Scalability: To scale a backend server that depends on sessions, it requires server load balancing which makes the infrastructure more complex.

What is passwordless?

OTP (One-Timed Password), is one of the many implementation of the passwordless strategy. OTP works by having the server and the user’s authenticator both agreeing to the same secret in advanced, and both system will use this predetermined secret to generate a time-bound password (how a password is generated). In another word, both the server and the user’s authenticator both has the ability to generate a short-term password in a synchronized fashion, instead of relying on the user to remember a secret in their memory to match with the server’s database record (what the password is)

Because in most cases, the user will only have to setup the authenticator once, we reduce the chance of exposing the predetermined secret, whereas traditionally, the predetermined secret is used every single time a user needs to login. Also instead of having the user to memorize the secret, we delegate this task to the authenticator, which is capable of remembering a much more complex password.

In case of brute force attack, OTP will rotates the password every once a while, making it really difficult for an attacker to compromise it and even if compromised, the password will be changed after just a short moment.

Many major banking and high-stake organizations have already switched to passwordless approach due to extensive researches and financial gains.

Our application

Because of all the benefits, the church has chosen to adopt the passwordless approach for long-term benefits with a 2 minutes rotation period and SHA-256 encryption algorithm.

Based on your mobile operating system, we recommend iOS user to use the following apps:

Authenticator (By Simple 2-factor authenticator)

And Android users to use:

Sophos Authenticator

Please visit for more detail documentation