How big consumer apps use modern authentication & security technology
Modern authentication methods like magic links and more!
🖖 Hi, I’m Budi. This free post gives you an overview of modern authentication technology. Each week, I share some insights about product design.
Q: What authentication technology do big consumer apps use?
Passwords are no longer a reliable way to keep users secure. Many new and rising authentication technologies are available. I’ve been digging into this topic and I’d love to share my findings, which could be useful for product designers and builders.
Method 1: Magic links (sign up and login)
Magic links are a passwordless way to authenticate users. After signing up, you’ll get an email with a link you can click to authenticate yourself. Some companies, like Slack, don’t ask users to set a password by default. This way, the company has less liability for keeping your password secure.
User flow: Sign up/login → get a link by email → click the link → done
Ideal for: sign up and sign in.
Key benefit: no user passwords are stored in your database. Less liability.
Companies that use this method: Medium, Slack, Notion
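The magic-link flow above, as an added server-side example (not code from this post or from any of the companies named): the token is random, single-use, short-lived, and only its hash is stored, so nothing password-like sits in the database. The class name `MagicLinkStore`, the 15-minute lifetime, the `app.example` URL and the in-memory dict standing in for a database table are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the post does not specify one


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for the table of pending logins."""

    def __init__(self, base_url="https://app.example/auth/magic"):
        self.base_url = base_url  # constructed URL, not a real service
        self._pending = {}        # token hash -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create the link that gets emailed to the user; returns the full URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token, now=None):
        """Return the email to sign in, or None if the token is not valid."""
        now = time.time() if now is None else now
        # pop() removes the entry on first use, so a link cannot be replayed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if now <= expires_at else None


def demo():
    """Constructed walk-through: valid click, replayed click, expired click."""
    store = MagicLinkStore()
    token = store.issue("Alice@Example.com", now=1000.0).split("token=", 1)[1]
    first = store.redeem(token, now=1060.0)
    replay = store.redeem(token, now=1061.0)
    late_token = store.issue("bob@example.com", now=1000.0).split("token=", 1)[1]
    late = store.redeem(late_token, now=1000.0 + TOKEN_TTL_SECONDS + 1)
    return first, replay, late
```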
Method 2: Passkey to login without password (login)
I noticed Google and GitHub have been pushing this new passkey technology recently. It’s a simple and secure alternative to passwords. When you sign in to your account, Google will ask you to scan your face or fingerprint on your other devices to confirm that you are who you say you are. This is another form of two-factor authentication. KAYAK claimed they’d improved their security after implementing passkeys.
User flow: sign in → verify using fingerprint or face ID → done
Ideal for: sign-in, preventing phishing
Key benefit: login without password, but verify using another device
Keywords to look for: passkey, passwordless
Method 3: Biometrics authentication instead of PIN (Open app)
In the past, many banking or fintech apps required users to enter PINs for extra security. But now biometrics like face ID and fingerprints have become a default way to “open the app.”
User flow: open the app → face ID / fingerprint → done
Ideal for: banking, financial services, healthcare, or apps requiring extra security before users can open them. Banking apps and the like usually store sensitive information.
Key security benefit: users can open the app quickly—better experience for users, but still have extra security.
Companies who use this: Apple, Samsung, GoTrade, Wise, PayPal
Method 4: Phone number as an identifier (Sign up and login)
Many apps use a phone number as the unique identifier. WhatsApp was the first one to popularize this approach. The obvious benefit is that non-tech-savvy people don’t have to remember usernames or passwords.
Observation: all communication apps are using the phone number as the only unique identifier.
Key security benefit: Phone numbers are difficult to steal, unlike emails. When people notice their phones are stolen, they can take action. So a lot of consumer apps these days use this as the authentication method.
Companies who use this: WhatsApp, Telegram, Wise, Tinder, Clubhouse
On two-factor authentication
A lot of apps have already integrated two-factor authentication. This is a widely adopted authentication method. So I’m not gonna talk about it.
Bonus: 3D captcha for bot prevention
While researching, I found that Twitter and GitHub have been implementing this new captcha type. My guess is they’re trying to prevent bots. It’s interesting because you need to solve the puzzles 3 times before creating an account.
In summary
New and rising authentication methods:
Magic links: Allow users to log in or sign up without a password. Magic links are the most convenient in terms of user experience; not many apps are using them, but we’re seeing them on the rise.
One-time code: Allow users to log in or sign up without a password
Passkey: Allow users to log in using another device to verify
Biometrics: Allow users to quickly open the app with sensitive info
Phone number as unique identifier: friendly for a mass audience with non-tech-savvy users (example: WhatsApp)
Almost all big consumer apps use two-factor authentication as an extra layer, preventing identity theft.