Passwordless Authentication is an authentication flow which allows user to access an application or IT system without providing a password or answering security questions. Instead, the user provides some kind of evidence such as a fingerprint, proximity badge, or hardware token code. Passwordless Authentication is often used in conjunction with MFA and SSO solutions to improve the user experience, increase security, and reduce IT operations expense and complexity.
How Passwordless Works ?
Traditional forms of authentication performed using memorized secret (you know) along with an out of band authenticator (email or phone). Passwordless involves authentication using cryptographic keys, it uses standards like Fast IDentity Online (FIDO)
Standards to know
NIST 800-63 Digital Identity Guidelines for Authentication
- Guidelines on Types of Authenticators that can be used
- Strength of Authentication is measured in terms of Authentication Assurance Level(AAL)
- Higher AAL means strong security (AAL1, AAL2 and AAL3)
FIDO (Fast IDentity Online) Standard
- Uses cryptographic key for authentication
- Private key is stored in the device, is activated upon unlocking device
- Private key is used to sign the challenge when requested
Passwordless Adoption Strategy
Passwordless journey will not be a easy journey for any enterprise as there are number of use cases starting from
availability of FIDO enabled devices to type of users and use cases. Organizations must use phased approach to be
successful, also highly recommend performing pilot to receive feedback from the user community before going big-bang.