A Comparison of Popular Authentication Methods
How do you choose between passwords, magic links, social auth, and web3 auth? Find out which is best and why.

In 2017, the average American had 150 online accounts that require passwords, but that number is predicted to increase to 300 by the end of 2022, according to popular password manager Dashlane. Password-based authentication is a standard and a default. This brings security concerns as 85% of people admit to reusing passwords.
In this blog, we will be covering all the major authentication methods:
- Email and Password
- Email Magic Links
- Social Login (Google, Facebook, Apple, etc.)
- Web3 Login (MetaMask)
- Apple Passkeys
Stick around to see the ranking of each authentication method, and the authentication method that I recommend. Let's get started.
Email and Password
The combination of Email and Password is currently the most common, but also one of the least secure authentication methods. If you use 2-factor authentication along with a password manager, Email and Password could be a viable option, but under no circumstances should you use just Email and Password with a weak password.
The issue with Email + Password is that humans can't remember the 300 passwords for each account they own, so they end up reusing passwords. If you sign up for 10 accounts using the same password, and one of those applications takes security less seriously than the others, you could have your password leaked, then all 100 of those accounts are compromised. This can be mitigated by using a password manager such as Dashlane or LastPass, but if you use a weak password for your password manager, then a hacker could have access to all of your accounts.
Email + Password should always be paired with a password manager set up securely (learn to do this below in "Password Managers") and a 2-factor authentication method (also covered below in "2 Factor Authentication").
Email Magic Link
Email Magic Links are when you set up an account only using your email, and you receive a link sent to your email to log in. Email Magic Links can be even less secure than Email and Password if the password for your email is reused or weak. If a hacker gets access to your email, then they have access to every account you have set up with Email Magic Links.
Email Magic Links have become more popular because their quicker sign-in flow makes sign-ins less inconvenient. If you make sure to have a secure password for your email, then Email Magic Links could be a good option for the simplicity of logging in. Still, I would recommend social login over Email Magic Links.
Social Login (Google, Facebook, Apple, etc.)
Social login is when you use a different authentication service (such as Google) to prove who you are with the service you want to use. Some people might have the misconception that social login is insecure, but it is actually safer and quicker than email + password or email magic link.
One concern someone might have is privacy with social providers. The social provider will be able to see every website you sign up with. But you will also be able to see every website you signed up with, so you know where you have shared your information. This is a trade-off that you will have to decide whether to accept.
How it Works

When you go to sign up or log in with a company, you can click one of the social providers. It should look similar to the above. When you click on one of these, it will send you to the social provider's website to log in.

Once you sign in, the social provider will then show you the list of information the application wants. This makes it so you can decide if you want to share your personal information.

When you continue and allow the application to have your information, the social provider will perform a process called Single Sign-On (SSO). SSO gives the app a token that shows the authentication status. I will not go into detail about this, but you can know that this process is very secure. You can read more about this on Auth0's blog.
Why is Social Login Better than Email + Password?
Social Login is superior to Email + Password because it is more secure: it only gives the app a 1-time token to prove authentication, and that token cannot be reused. Social Login is also superior because of its speed: once you are logged in to your social provider, you can log into any of your accounts instantly using that provider. SSO has been shown to be 5.2x faster than email magic links and 1.3x faster than email + passwords, according to Clerk.
Keep in mind, though, that SSO is only secure if you use a secure, non-reused password with 2-factor authentication to log in to your social provider.
These social providers are large companies with white hat hackers to help protect against data breaches. But it could still happen, so you should make sure to change your password when a data breach happens and make sure to use 2-factor authentication.
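What "a 1-time token that cannot be reused" means on the provider's side, as an added example that is not code from the original post or from any real provider. The `CodeStore` class, the 60-second lifetime and the client IDs are assumptions made for illustration.

```javascript
// Added example (constructed): single-use, short-lived login codes.
const { randomBytes, createHash } = require('node:crypto');

const CODE_TTL_MS = 60_000; // assumed lifetime of a code

// Only a hash of the code is stored, so a leaked table cannot be replayed.
function hash(code) {
  return createHash('sha256').update(code).digest('hex');
}

class CodeStore {
  constructor() {
    this.codes = new Map(); // sha256(code) -> { userId, clientId, expiresAt }
  }

  // Provider: called after the user has logged in and approved the app.
  issue(userId, clientId, now = Date.now()) {
    const code = randomBytes(32).toString('base64url');
    this.codes.set(hash(code), { userId, clientId, expiresAt: now + CODE_TTL_MS });
    return code;
  }

  // Provider: called when the app presents the code to prove the login.
  redeem(code, clientId, now = Date.now()) {
    const key = hash(code);
    const entry = this.codes.get(key);
    if (!entry) return { ok: false, reason: 'unknown_or_used' };
    // Burn the code on first presentation, even if a later check fails.
    this.codes.delete(key);
    if (now > entry.expiresAt) return { ok: false, reason: 'expired' };
    if (entry.clientId !== clientId) return { ok: false, reason: 'wrong_client' };
    return { ok: true, userId: entry.userId };
  }
}
```

A code that is intercepted after the app has redeemed it is worthless, and one presented by a different app is rejected and burned.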
Web3 Login (MetaMask)
Web3 is the blockchain-based web. You don't have to understand what that means to know that web3 is even more secure than social logins. Due to the nature of blockchain, it is impossible to hack (unless you can hack 500,000 computers simultaneously). If you use a password manager to create a secure web3 password, you will have an unhackable account. Similarly to social login, using web3 won't share your password with the application you want to use; it will just share your unique wallet ID. The main downside is you might accidentally share your password in a process called phishing.
What is a Wallet ID?
Web3 authentication is based on wallets. You sign into websites using your cryptographically unique wallet ID. This allows websites to prove your authentication status without needing to know your personal information or passwords. Another benefit is you can safely transfer cryptocurrencies using your wallet.
MetaMask is the most popular web3 wallet. You can use it to transfer cryptocurrencies and log in to websites. Web3 is an interesting technology that I recommend learning about if you're curious. Keep in mind that Web3 is still relatively new, so not many websites will support it yet.
Apple Passkeys
Passkeys are a new authentication method from Apple, available in iOS 16 and macOS Ventura. You can log in using just your username and a biometric such as Touch ID or Face ID. The way Passkeys are built makes it so they can't be phished. Passkeys are really fast and easy to use because you only need your face or finger to log in.
Apple passkeys take a little bit of effort to use on unsupported devices, but I have a guide to set up passkeys to help.
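Why a signature-based login, whether a wallet or a passkey, can prove who you are without sending a secret to the site, and why it resists phishing. This is an added example, not code from the original post, Apple or MetaMask: a simplified model in which the browser or wallet signs the site's challenge together with the origin that asked for it. Ed25519, the `Site` class, the ID derivation and the origins are assumptions made for illustration; real passkeys and wallets use their own message formats.

```javascript
// Added example (constructed): challenge-response login with an origin-bound signature.
const { generateKeyPairSync, randomBytes, sign, verify, createHash } = require('node:crypto');

// User side: the private key never leaves the authenticator.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // Stand-in for a wallet ID / credential ID: derived from the public key.
  const id = createHash('sha256').update(spki).digest('hex').slice(0, 40);
  return {
    id,
    publicKey,
    // The browser or wallet, not the web page, fills in the requesting origin.
    signChallenge: (challenge, origin) =>
      sign(null, Buffer.from(JSON.stringify({ challenge, origin })), privateKey),
  };
}

// Site side: stores only public keys, so a breach leaks nothing reusable.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.users = new Map();   // id -> public key
    this.pending = new Set(); // challenges issued and not yet answered
  }
  register(id, publicKey) { this.users.set(id, publicKey); }
  newChallenge() {
    const challenge = randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  login(id, challenge, signature) {
    // Each challenge is accepted once, so a captured response cannot be replayed.
    if (!this.pending.delete(challenge)) return false;
    const publicKey = this.users.get(id);
    if (!publicKey) return false;
    // Verify against this site's own origin: a signature produced for a
    // look-alike origin covers different bytes and fails here.
    const expected = Buffer.from(JSON.stringify({ challenge, origin: this.origin }));
    return verify(null, expected, publicKey, signature);
  }
}
```

A look-alike page can relay the real site's challenge to the user, but the response is signed for the look-alike's origin, so the real site rejects it.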
Rankings
- Apple Passkeys with 2 Factor Authentication
- Apple Passkeys
- Web3 Login with 2 Factor Authentication
- Social Login with a secure password & 2 Factor Authentication
- Web3 Login with a secure password
- Email + Password with a Secure Password & 2 Factor Authentication
- Email Magic Links with a secure email password & 2 Factor Authentication
- Email + Password with Reused Passwords (Very Common)
- Email Magic Links with a weak email password
Conclusion
The best way to log in currently is to use Apple Passkeys with 2-factor authentication. Because Apple Passkeys are not available on every device, the next best option is Social Login with a secure password & 2-factor authentication. Email + Password with a password manager and 2-factor authentication is also just as secure, but it is less convenient. I would recommend a Web3 Login over Social Logins, but Web3 Logins are still not very common. You should never use Email Magic Links or Email + Password with a weak password unless you have to.
If you have any questions, feel free to leave a comment.