HACKER Q&A
📣 devdiary

Passwordless vs. password-based login, which one to use?


In the context of an average user who might not be as tech savvy as we developers are, which authentication method is more suitable? I understand that for the majority, we need to find a balance between security and UX + accessibility. Which auth method will win in that case?


  👤 aosaigh Accepted Answer ✓
I think the "magic link" (a.k.a. passwordless) method of authentication is actually great for the average user, particularly as many (most?) of them will be on mobile, where passwords are an absolute pain. They're also useful as you don't have to use email; you can instead send out the link via SMS, WhatsApp etc., which can drive people to mobile (if that's what you want).

That said, here on HN you will probably get a different response, as people here are generally power-users and much more privacy and security aware (not a bad thing). There was a good discussion on this yesterday:

https://news.ycombinator.com/item?id=32080540

I'd be interested to hear the security argument for or against magic links.


👤 wdb
Passwordless logins can be really handy, but they can be an absolutely painful experience when using desktop computers and mobile devices together.

If you have an iPad and you want to access your site, you will receive the link in your mailbox and then need to send the link via AirDrop or other means to your iPad. It's always a bit of a struggle with some of the online training sites that use this approach.


👤 kevincox
"Passwordless" is a huge group.

Honestly, I personally like passwords. When using a password manager they are very secure and very convenient. Plus they are understandable, I know how to back them up, enter them in a different device and more. Everyone knows how they work and what to expect.

Magic links can solve problems for users that don't have a password manager set up, but can be less convenient for those who do. Assuming you allow password resets via email anyway it is more secure.

U2F/WebAuthn is much more secure but hard for users to manage right now. This is getting better with Apple, Google and Microsoft coming up with systems to sync the keys across browsers (as long as you stay within their ecosystem).

Client certs are the most secure but lack the infrastructure to make them convenient. They have basically been obsoleted by WebAuthn.


👤 legrande
Some sites support WebAuthn[0]. It's supported on the latest YubiKeys, but there is the caveat that the YubiKey could get damaged/stolen/lost, and you have to have some recovery method in place. Most services employ a single-use recovery code mechanism that you store somewhere trusted and safe. IMHO passwords are here to stay. 'Passwordless is the future' is a marketing ploy that hasn't gained traction.

[0] https://en.wikipedia.org/wiki/WebAuthn
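The two server-side mechanisms discussed above, magic-link tokens (aosaigh's and kevincox's posts) and single-use recovery codes (legrande's post), share the same security requirements: the secret is generated with a CSPRNG, only a hash of it is stored, it is consumed on first use, and a magic link additionally expires after a short window. The following Python sketch is an added example, not code from any of the posters or from any product mentioned in the thread; `PasswordlessStore`, `TOKEN_TTL_SECONDS` and the in-memory dictionaries are assumptions standing in for a real database table.

```python
import hashlib
import secrets
import time

# Magic links should be short-lived; 15 minutes is a constructed value.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(secret: str) -> str:
    """Hash a secret so a leaked table does not contain usable tokens or codes."""
    return hashlib.sha256(secret.encode()).hexdigest()


class PasswordlessStore:
    """In-memory stand-in (hypothetical) for the server-side token tables."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._magic = {}     # token hash -> (email, expires_at)
        self._recovery = {}  # email -> set of recovery-code hashes

    # --- magic links -------------------------------------------------------
    def issue_magic_link(self, email: str, base_url: str) -> str:
        """Create a 256-bit single-use token and return the URL to email/SMS."""
        token = secrets.token_urlsafe(32)
        self._magic[_digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return f"{base_url}/login?token={token}"

    def redeem_magic_link(self, token: str):
        """Return the email for a valid token, or None. The token is consumed
        even if it turns out to be expired, so it can never be replayed."""
        entry = self._magic.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    # --- single-use recovery codes ----------------------------------------
    def issue_recovery_codes(self, email: str, count: int = 8) -> list:
        """Generate codes shown to the user once; only their hashes are kept.
        16 hex chars (64 bits) keeps offline guessing against a leaked hash
        impractical; shorter, user-friendlier codes would need a slow hash."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        self._recovery[email] = {_digest(c) for c in codes}
        return codes

    def redeem_recovery_code(self, email: str, code: str) -> bool:
        """Accept a code once; a second presentation of the same code fails."""
        hashes = self._recovery.get(email, set())
        h = _digest(code)
        if h not in hashes:
            return False
        hashes.discard(h)
        return True


if __name__ == "__main__":
    store = PasswordlessStore()
    link = store.issue_magic_link("alice@example.com", "https://app.example")
    token = link.split("token=", 1)[1]
    print("first redeem :", store.redeem_magic_link(token))   # alice@example.com
    print("second redeem:", store.redeem_magic_link(token))   # None (single use)
    codes = store.issue_recovery_codes("alice@example.com")
    print("code works   :", store.redeem_recovery_code("alice@example.com", codes[0]))
    print("code reused  :", store.redeem_recovery_code("alice@example.com", codes[0]))
```

Lookup by hash means the server never compares a raw token against stored values, and popping the entry before checking expiry means a login attempt with an expired token cannot be retried. In production the store would also rate-limit redemption attempts per address and bind the token to the email it was issued for, which this sketch does implicitly by storing the email with the token.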


👤 mguerville
I don't like passwordless logins because between the occasional lag to get the email, the risk of ending up in spam, and the fact that sometimes it doesn't work (if I'm trying to log in incognito but the mail handler triggers the default browser in normal mode)... it just doesn't feel as foolproof. If both options are offered it's fine, but sites that are 100% passwordless annoy me.

👤 neetcode22
I think it depends entirely on your use case. If the user isn't storing a lot of info in your app then passwordless is the way to go.

Also, important to recognise that replacing a password with a different single factor does not enable passwordless as used by most enterprise companies. Passwordless implies two factor, with both factors not including a password.


👤 cm2012
General rule is to use what people are used to, which is passwords. Don't innovate outside of your USP.

👤 devdiary
Follow up question - what are some tools that can help implement secure passwordless auth?