Expensify Goes Passwordless, A Good Move


During Prohibition, buying alcohol wasn't legal. But some bars called speakeasies sold illegal booze. To get in, you needed a password. You'd knock on the door and someone on the inside would ask "what's the password?" If you got it right, they'd let you in. Some speakeasies even had secret rooms or exits to avoid the police. Many famous people went to speakeasies, like Al Capone. But getting caught by the police could mean going to jail.

My company has been using three popular systems for ten years: customer relationship management, accounting and office collaboration. Security has remained the same: we still use passwords.

It's a problem. I keep important info in our systems. Employees use their own passwords, but they're not unique. Changing and remembering them is hard. I have a vault, but vaults get hacked. Google and Microsoft have their own managers, but they're not secure because of devices. If someone steals a device, it's bad.

Many apps now have options for fingerprint and facial recognition, and extra steps to log in. But lots of people still use weak passwords, even when logging in over public Wi-Fi. This is not safe and it makes me worried. But there is a solution.

The platform Expensify has a new approach to security. The founder calls it "magic links," but it's not really magic.

Barrett wrote a new blog post about Expensify's easy sign-in procedure. Users only need to enter their email or phone number, and a unique "magic link" is generated and sent to them. It's a one-time-use code. Two-factor authentication and other security options are also available for those who want extra protection.

Barrett wrote in his blog post that passwords are not a good answer to an important problem. Passwords were used in speakeasies during the Prohibition era of the 1920s, over 100 years ago. Barrett thinks it's time to find a new way to protect our important financial information.

Passwordless security is not a new thing, and Expensify didn't invent it. Other companies use it too. But it's becoming very popular, and big tech companies are adopting it as well.

Apple, Google, and Microsoft recently said they'll expand passwordless sign-in. They're using a standard made by the FIDO Alliance and the World Wide Web Consortium. The FIDO Alliance is a group that makes security rules to verify users. The goal is to make logging in simpler and safer.

Passwordless security has its own flaws, like any other technology. Experts warn about "interception bots" that can grab links sent from servers. If attackers compromise your email or wirelessly impersonate you, they can receive the magic link easily. In the future, attackers may find ways to penetrate passwordless systems.
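To make the one-time-use property and the interception concern concrete, here is an added sketch of a magic-link issuer and verifier. It is not Expensify's code: the class name, the 10-minute lifetime and the `app.example.test` host are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed 10-minute lifetime; choose per risk appetite


class MagicLinkStore:
    """Hypothetical in-memory store; a real service would persist the same fields."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account):
        """Create a link for `account`; only the token's hash is kept server-side."""
        # Drop older links for this account so only the newest one works.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return f"https://app.example.test/login?token={token}"  # placeholder host

    def redeem(self, token):
        """Return the account on first valid use, else None. Always consumes the token."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes it single use
        if entry is None:
            return None  # unknown, already used, or superseded by a newer link
        account, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired
        return account


def demo():
    now = [1_000.0]  # constructed clock so the run is deterministic
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("user@example.test").split("token=")[1]
    first = store.redeem(token)   # legitimate click
    replay = store.redeem(token)  # a copy of the same link used afterwards
    stale = store.issue("user@example.test").split("token=")[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(stale)  # link opened after its lifetime
    return first, replay, expired
```

Single use and a short lifetime narrow the window in which a copied link is useful, but they do not help when the mailbox itself is compromised, which is where the optional two-factor step comes in.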

After being in the business for 20+ years, I have learned that there is no perfect security solution. Passwordless logins are better than what we currently have. But it's not happening fast enough for me. I'm worried that other companies won't be as tough as Expensify.

Expensify is setting an example for other app providers. They're making passwordless access mandatory for users. Users can add more security if they want. People might not like the change, but it's easy to learn.

For your business, talk to IT consultants and managed service providers to add passwordless security to your network. Ask business application providers to do the same. If you want to do it yourself, check out Hitesh Sant's list of passwordless platform providers on Geekflare.

Make it mandatory for your users, just like Expensify. This takes tough love but it benefits everyone.
