Passwordless Authentication is an authentication flow which allows user to access an application or IT system without providing a password or answering security questions. Instead, the user provides some kind of evidence such as a fingerprint, proximity badge, or hardware token code. Passwordless Authentication is often used in conjunction with MFA and SSO solutions to improve the user experience, increase security, and reduce IT operations expense and complexity.

How Passwordless Works ?

Traditional forms of authentication performed using memorized secret (you know) along with an out of band authenticator (email or phone). Passwordless involves authentication using cryptographic keys, it uses standards like Fast IDentity Online (FIDO)

Standards to know

NIST 800-63 Digital Identity Guidelines for Authentication

  • Guidelines on Types of Authenticators that can be used
  • Strength of Authentication is measured in terms of Authentication Assurance Level(AAL)
  • Higher AAL means strong security (AAL1, AAL2 and AAL3)

FIDO (Fast IDentity Online) Standard

  • Uses cryptographic key for authentication
  • Private key is stored in the device, is activated upon unlocking device
  • Private key is used to sign the challenge when requested

Passwordless Adoption Strategy

Passwordless journey will not be a easy journey for any enterprise as there are number of use cases starting from
availability of FIDO enabled devices to type of users and use cases. Organizations must use phased approach to be
successful, also highly recommend performing pilot to receive feedback from the user community before going big-bang.


The increased need of security with the change of working model and access model of application and also with the Pandemic bringing in new perspective where the security has to maintained irrespective of user perimeter, Zero Trust based solution started to surface in which is a security model based on the principle and thought of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. Zero Trust tries to go away from perimeter-based mechanism of security and encourages a model for trusted access no matter where users are coming from.

Zero Trust pushes for the following

Verify/Authenticate always

Authenticate and Authorize always based on all data points including user identity, location, device health, service or workload, data classification, and anomalies

Learn More

Use least-privilege access

Provide least privilege and Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices to help secure application and data

Learn More

Assume breach

Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Learn More

So where does password based solutions fit in the Zero trust implementations ?

How does a Zero trust solution with password look it.

  • Password provides a moderate level of assurance
  • Week factor in the MFA solution
  • Easier factor to do attack like credential reuse attack
  • Need to factor in password management solution

Zero Trust enforce don’t trust on anyone . The moderate level of assurance and lack of trust on Passwords because how easily they are shared, stolen, reused, replayed. Trusting someone with password is totally reduce the benefits of Zero Trust model. It becomes more of a pain to implement a robust Zero trust based solution with password in the system. Removing passwords out of the implementation equation gives the implementor time to focus on everything else.

How does a Zero trust solution with password less look it.

  • Solution with higher level of assurance
  • Reduced weakness of MFA solution
  • Avoiding credential reuse attack
  • Lower cost due to avoidance of password management solution and support system