Passwordless Authentication

Coolr Group is enhancing our SaaS platform with passwordless authentication, bringing enterprise-grade security with unmatched simplicity to our customers. Organizations using our platform can now empower their teams with email-based login, eliminating password management across their workforce. Each customer organization maintains complete access control through their existing email systems - when team members change, access updates automatically. This modern approach reduces IT overhead, strengthens security, and offers a frictionless experience that scales with your organization.

Strategic Benefits with Real-World Scenarios

1. Enhanced Offboarding Security

  • Scenario A: Employee Departure

    • Before: John leaves the company but remembers his password, potentially accessing systems from home
    • After: When IT revokes John's email access, he automatically loses access to all connected applications
    • Benefit: No manual password revocation needed; email control equals access control
  • Scenario B: Contractor Management

    • Before: Contractors retain password access after project completion
    • After: Email domain access expiration automatically terminates all application access
    • Benefit: Automated security through email system integration

2. Reduced Attack Surface

  • Scenario A: Data Breach Prevention

    • Before: Coolr's password database is breached, exposing 100,000 user credentials
    • After: No password database exists; tokens are temporary, time-limited and single-use
    • Benefit: Dramatically reduced impact of potential security breaches
  • Scenario B: Password Reuse Protection

    • Before: Employee uses same password across corporate and personal accounts
    • After: No passwords to reuse; each login requires email access
    • Benefit: Corporate security isn't compromised by external password breaches

3. Security Control Centralization

  • Scenario A: Access Audit

    • Before: Multiple password-based systems require individual access reviews
    • After: Email system logs provide comprehensive access tracking
    • Benefit: Simplified compliance and audit processes
  • Scenario B: Emergency Access Revocation

    • Before: Security incident requires multiple password resets
    • After: Single email system change blocks all access
    • Benefit: Rapid response to security incidents

User Experience Overview

Login Flow

  1. User navigates to the login page
  2. User enters their email address
  3. System sends a time-sensitive token to the user's email
  4. User retrieves the token from their email and enters it on the login page
  5. If the token is entered within 10 minutes, access is granted
  6. Optional: User can select "Remember me" to maintain login state for 30 days

Session Management

  • With "Remember me": User remains logged in on the device for 30 days
  • Without "Remember me": User must complete the token-based authentication process for each session
  • Users can be logged in on multiple devices simultaneously
  • Each device maintains its own session state

Advantages

Security Benefits

  • Eliminates password-related vulnerabilities
    • No weak passwords
    • No password reuse across services
    • No risk of password database breaches
  • Time-limited tokens reduce attack window
  • Email account compromise is immediately apparent to users
  • No credential stuffing attacks possible

User Experience Benefits

  • No passwords to remember or manage
  • No password reset flows needed
  • Familiar email-based verification process
  • Simple, streamlined login experience
  • Cross-device accessibility

Operational Benefits

  • Reduced support costs for password resets
  • No password database to secure and maintain
  • Simplified security auditing
  • Lower risk of credential-based attacks

Potential Considerations / Challenges

  • Email delivery delays could impact login experience
  • Email account security is critical
  • 10-minute token window may be insufficient in some cases
  • Email access required for every new session without "Remember me"

Integration Considerations

Multi-Factor Authentication (MFA)

  • The email token effectively serves as a second factor

Token Security

  • Tokens are generated with a cryptographically secure random source
  • Minimum token length of 6 characters
  • Only token hashes are stored, never plaintext tokens
  • Rate limiting on token verification attempts
  • Limited token expiry duration
  • Expired tokens are cleared from the database regularly
  • Audit log of generated tokens, including the requesting IP address
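The following is an added example, not Coolr's own code, that puts the Login Flow steps above (email address in, time-sensitive token out by email, entered within 10 minutes, single use) and the Token Security controls in this list into one small service: CSPRNG token generation above the 6-character minimum, keyed-hash storage with no plaintext, a per-token attempt limit, regular purging of expired tokens, and an audit log that records the requesting IP. The in-memory dict stands in for the database; the 8-character length, the 5-attempt limit and the HMAC key are assumptions, not values from the page.

```python
"""Email one-time-token login: issue, verify, purge, audit.

Added example, not Coolr's own code. It models the login flow on this page
(email -> token by email -> entered within 10 minutes -> single use) together
with the token-security controls listed under "Token Security". Storage is an
in-memory dict standing in for the database; the 5-attempt limit, the
8-character length and the HMAC key are assumptions, not values from the page.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 10 * 60   # page: token valid for 10 minutes
TOKEN_LENGTH = 8              # page: minimum 6 characters (8 assumed here)
MAX_ATTEMPTS = 5              # assumed per-token guess limit
ALPHABET = string.ascii_uppercase + string.digits   # 36^8 possibilities


@dataclass
class PendingToken:
    email: str
    token_hash: bytes          # keyed hash only; the plaintext token is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class TokenService:
    # Server-side secret for the keyed hash: a copy of the token table alone
    # is then not enough to brute-force the short tokens offline.
    hash_key: bytes
    pending: dict[str, PendingToken] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def _hash(self, email: str, token: str) -> bytes:
        msg = f"{email.lower()}:{token}".encode()
        return hmac.new(self.hash_key, msg, hashlib.sha256).digest()

    def _audit(self, event: str, email: str, client_ip: str, now: float) -> None:
        self.audit_log.append({"event": event, "email": email, "ip": client_ip, "at": now})

    def issue(self, email: str, client_ip: str, now: float) -> str:
        """Generate a token for `email`; the caller hands it to the mail sender only."""
        email = email.lower()
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
        # One outstanding token per address: a fresh request supersedes the old one.
        self.pending[email] = PendingToken(email, self._hash(email, token), now + TOKEN_TTL_SECONDS)
        self._audit("token_issued", email, client_ip, now)
        return token

    def verify(self, email: str, token: str, client_ip: str, now: float) -> str:
        """Return "ok" on success, otherwise a reason string for logging.
        The caller should show the user a single generic failure message."""
        email = email.lower()
        rec = self.pending.get(email)
        if rec is None:
            return "no_token"
        if rec.used:
            self._audit("token_replayed", email, client_ip, now)
            return "already_used"
        if now > rec.expires_at:
            del self.pending[email]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            self._audit("token_rate_limited", email, client_ip, now)
            return "rate_limited"
        rec.attempts += 1
        candidate = self._hash(email, token.strip().upper())
        if not hmac.compare_digest(rec.token_hash, candidate):   # constant-time compare
            self._audit("token_invalid", email, client_ip, now)
            return "invalid"
        rec.used = True        # single-use: keep the record so a replay is visible until purge
        self._audit("token_accepted", email, client_ip, now)
        return "ok"

    def purge_expired(self, now: float) -> int:
        """Housekeeping job: drop expired and consumed tokens; returns how many were removed."""
        stale = [k for k, r in self.pending.items() if r.used or now > r.expires_at]
        for k in stale:
            del self.pending[k]
        return len(stale)
```

The keyed hash matters because a 6- to 8-character token from a 36-symbol alphabet is small enough to brute-force against a plain SHA-256 if the token table ever leaks; with the key held outside the database, the stored hashes are useless on their own. The attempt counter sits on the token record, so the limit applies however many IP addresses the guesses come from.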

Session Management

  • Secure session tokens
  • Secure session revocation
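The following is an added example, not Coolr's own code, that models the Session Management behaviour described on this page: one session per device, a 30-day lifetime when "Remember me" is selected, a short lifetime otherwise, several devices signed in at once, and secure revocation of a single device or of every session for a user (the "single change blocks all access" case). Session tokens are stored only as SHA-256 digests. The in-memory store and the 12-hour non-remembered lifetime are assumptions, not values from the page.

```python
"""Per-device sessions for the passwordless login described above.

Added example, not Coolr's own code. Models the "Session Management" points on
this page: a session per device, 30 days with "Remember me", a short lifetime
otherwise, concurrent devices, and revocation of one device or of all of them.
The in-memory store and the 12-hour default lifetime are assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

REMEMBER_ME_SECONDS = 30 * 24 * 3600   # page: "Remember me" keeps the device logged in for 30 days
DEFAULT_SECONDS = 12 * 3600            # assumed lifetime of a non-remembered session


@dataclass
class Session:
    email: str
    device: str
    expires_at: float
    revoked: bool = False


@dataclass
class SessionStore:
    # Keyed by sha256(token): a leaked table does not yield usable cookies.
    sessions: dict[str, Session] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        # The token is 256 random bits, so an unkeyed hash is enough here
        # (unlike short email tokens, which need a keyed hash).
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, email: str, device: str, remember_me: bool, now: float) -> str:
        """Start a session after a successful email-token login; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_ME_SECONDS if remember_me else DEFAULT_SECONDS
        self.sessions[self._key(token)] = Session(email.lower(), device, now + ttl)
        return token   # set as an HttpOnly, Secure, SameSite cookie

    def resolve(self, token: str, now: float) -> str | None:
        """Map a presented cookie to the signed-in email, or None if unknown, expired or revoked."""
        s = self.sessions.get(self._key(token))
        if s is None or s.revoked or now > s.expires_at:
            return None
        return s.email

    def revoke(self, token: str) -> bool:
        """Sign out one device (for example the user's own log-out button)."""
        s = self.sessions.get(self._key(token))
        if s is None or s.revoked:
            return False
        s.revoked = True
        return True

    def revoke_all(self, email: str) -> int:
        """Sign out every device, for offboarding or incident response; returns the count."""
        n = 0
        for s in self.sessions.values():
            if s.email == email.lower() and not s.revoked:
                s.revoked = True
                n += 1
        return n

    def active_devices(self, email: str, now: float) -> list[str]:
        """Devices currently holding a live session for this user."""
        return sorted(s.device for s in self.sessions.values()
                      if s.email == email.lower() and not s.revoked and now <= s.expires_at)
```

One design point worth noting: a "Remember me" session is valid for up to 30 days regardless of what happens to the user's mailbox in the meantime, so the offboarding step that revokes email access should also call `revoke_all` for that user if the "email control equals access control" property is to hold immediately rather than at session expiry.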

Future plans

  • Consideration of additional MFA for high-risk actions
  • Additional delivery methods such as SMS/WhatsApp

Email Delivery

  • Trusted email delivery services such as Twilio are used for reliable delivery
  • Email sending retry logic