In these Feature Spotlight posts, we highlight a feature in Solid Security Pro and explain why we developed it, who it’s for, and how to use it to secure WordPress sites. Today, we will cover Passwordless Logins, a convenient and secure way to verify a user’s identity without requiring them to enter a password.
What are Passwordless Logins?
Passwordless login is a new two-factor authentication (2FA) method for verifying a user’s identity without requiring a password to log into WordPress. We took the idea of Magic Links and adapted it into a new login method. (Magic Links is a feature designed to get users past mistaken lockouts by Solid Security’s brute force protection.)
“Passwordless” also describes the login experience for Passkeys and Magic Links because they all let users log in without providing a password.
The Passwordless Login method allows you to require users to adopt strong passwords and a form of two-factor authentication (2FA) without them ever actually using that password or typing in an extra authentication code. All they need is the “magic” link sent to their email address to log in after confirming it (or their username) in a single-field login form.
Why Use Passwordless Logins?
Almost every increase in security decreases the convenience and ease of accessing the secure system.
For added security, the front door of my house has a lock on it. The lock requires that I take the extra step of using a key to unlock the door before I can open it. Adding this extra step to enter my home is probably a good idea, even though it would be easier for me to get in without a lock.
We don’t even think about having a unique lock for each physical door we enter. I have a key for my car, my wife’s car, our house, my office, and mailbox.
The same goes for your online accounts. A strong, unique password and two-factor authentication will protect you from every brute-force login or password-forcing attempt. Unfortunately, there are still many people who use the same weak password in all their online accounts. They’re not using any form of two-factor authentication.
People working in the security industry often have difficulty understanding why weak and recycled passwords are so common. It’s hard to convince people to sacrifice a little convenience to gain a lot of security. They enjoy the convenience they have now. That makes more of an impression than thoughts about a future that hasn’t been realized yet.
Why We Developed Passwordless Logins for WordPress
The security community has started to realize that we have always made security more confusing than it needs to be. Once you have a key for a physical door, you are done. However, with password security, we have made a bunch of rules that can be overwhelming. To make matters worse, it doesn’t seem like we can agree on what the rules for creating a strong password should be.
Whether we in the security community want to admit it or not, using a password manager and two-factor authentication can be a pain and time-consuming, especially as we move more and more of our lives online.
So, we wanted to create a way for people to get all of the security that a strong and unique password provides without sacrificing usability.
3 Reasons to Use Passwordless Logins
For all these reasons and more, Passwordless Logins make securing your WordPress site even easier.
- Adds more brute force protection by bypassing the normal WordPress login method.
- Allows users to log in to your website directly from a link sent securely to their email address.
- Helps reduce login friction by removing the need for complicated passwords or two-factor codes while maintaining a high level of security.
How to Use Passwordless Logins
To start using Passwordless Logins, navigate to the Security › Settings › Features menu and select the Login Security tab. Then enable Passwordless Login.
After enabling Passwordless Login, activate Magic Links by checking the Magic Link checkbox. You can also activate Passkeys and decide whether they and Magic Links will be mandatory or opt-in security measures for your users.
Next, switch to the User Groups Settings and enable passwordless login for the user role groups you want to require or allow to use this feature.
Now that you have enabled Passwordless Logins, you can enforce strong passwords and two-factor authentication requirements without negatively impacting your site’s user experience.
How the Passwordless Login Method Works
You will be asked to choose a login method on the WordPress login screen if multiple authentication options are enabled. In the following examples, users can log in the usual way — with an email address and/or username and password. (It’s possible to require either an email address or username or allow both.)
Alternatively, users can request a Magic Link when that option has been enabled in Solid Security Pro. The Magic Link will be sent to the email address associated with their WordPress user account.
Clicking the Email Magic Link button in the first two examples above will lead to a second form.
Only a Username and/or Email Address can be required in the simplest configuration of Solid Security Pro. (As shown in the third example above.) This reduces the login experience to a single field and a single step. The user only has to provide one piece of information.
However Solid Security is configured, the user must provide a username or email address to receive their passwordless login link. If the address or username matches a user on the site, the Magic Link is sent to their address. If there’s no match, the login process fails, and Solid Security Pro logs that failure. It’s a strike against the IP and user-agent trying to log in. Repeated failures may result in a temporary ban, a longer lockout, and a notification to security administrators.
Getting Your Magic Link by Email
After submitting a valid username or email, users will see a message confirming a Magic Link email has been sent.
Open the Magic Link email, and click the Log In Now button in your email inbox.
And that is it! No more entering a password or two-factor token. This means that once you enable Passwordless Logins, you don’t have to know your complicated password or copy and paste an extra code to log in. However, the bad guys trying to brute force your site will have a 0% success rate!
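The request-and-redeem flow described above can be modeled in a few lines. This is an added sketch, not Solid Security Pro's code: the class and function names, the token lifetime, the single-use rule, and the strike and ban thresholds are all assumptions, since the post does not state them.

```python
import hashlib
import secrets
import time

# Assumed values: the post gives no token lifetime or lockout thresholds.
TOKEN_TTL = 15 * 60       # seconds a Magic Link stays valid
MAX_STRIKES = 3           # failed requests before a temporary ban
BAN_SECONDS = 15 * 60     # length of the temporary ban

USERS = {"alice": "alice@example.test"}   # constructed sample account

class MagicLinkLogin:
    def __init__(self, users):
        self.users = users
        self.by_email = {email: name for name, email in users.items()}
        self.tokens = {}     # sha256(token) -> (username, expires_at)
        self.strikes = {}    # (ip, user_agent) -> (count, banned_until)
        self.outbox = []     # (email, token): stand-in for sending mail

    def _strike(self, client, now):
        # Record a failure against the IP and user-agent pair.
        count = self.strikes.get(client, (0, 0.0))[0] + 1
        banned_until = now + BAN_SECONDS if count >= MAX_STRIKES else 0.0
        self.strikes[client] = (count, banned_until)

    def request_link(self, identifier, ip, user_agent, now=None):
        now = time.time() if now is None else now
        client = (ip, user_agent)
        if self.strikes.get(client, (0, 0.0))[1] > now:
            return "banned"
        name = identifier if identifier in self.users else self.by_email.get(identifier)
        if name is None:                    # no matching user: log a strike
            self._strike(client, now)
            return "failed"
        token = secrets.token_urlsafe(32)   # unguessable, from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (name, now + TOKEN_TTL)  # store only the hash
        self.outbox.append((self.users[name], token))
        return "sent"

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop makes the link single-use
        if entry is None or entry[1] < now:
            return None
        return entry[0]
```

Storing only the token's hash means a leaked token table cannot be replayed as working links.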
Wrapping Up: Get Solid Security Pro Today!
As you can see, the Passwordless Login feature in Solid Security Pro adds a simple two-factor authentication method to WordPress. This adds a significant layer of security for user accounts without any added friction. Your users will find Magic Links simpler than passwords. Users can lose or forget their passwords, or have them stolen. As a passwordless login method, Magic Links eliminate all those risks.
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!