The term “passwordless” gets thrown around a lot, but how does passwordless login actually work? It’s a common question with both a simple — and slightly more complex — answer.
In this blog, we break down the process behind passwordless login and discuss the best way to implement it in your organization.
What does it mean to go passwordless?
Passwordless login refers to any authentication system that lets users verify their identity and log in without a password. To be called “passwordless login,” a system only needs to use something other than a password to verify a user. However, not all passwordless implementations are created equally.
While there are a wide variety of approaches to passwordless login, genuine passwordless login eliminates password-derived vulnerabilities and outdated methods from all of their operations:
- Usernames and passwords
- One-time passcodes/passwords
- Email “magic” links
It’s important to distinguish between simple passwordless and genuine passwordless. Anyone can exchange passwords for biometrics, but only genuine passwordless removes the above variables from their entire process. Eliminating passwords from surface-level login simply isn’t enough.
For example, if you send emails with magic links to customers, you’re still using their email account’s authentication method. If their email account uses a password as part of the login process, it’s not genuine passwordless.
How does genuine passwordless login work?
Genuine passwordless login utilizes strong authentication and never shares any secrets, keeping everything related to a user’s identifiers private. To accomplish this, a system must utilize pairs of cryptographic keys.
A key pair is generated when a user initially registers a new account. The user holds a private key, and it never leaves their possession. The corresponding public key can be held by anyone. The pair required for logging in to a specific account will always include the same public and private keys.
Whenever they want to log in, a user has to unlock their private key by completing a challenge, such as a face or fingerprint scan. Once their key is unlocked, it pairs with the public key held by the service provider. Then, they’re granted access.
A step-by-step look at how passwordless login works
Let’s take a closer look at the flow of genuine passwordless login by breaking it down step by step. First, let’s talk about how the factors of authentication work and what traditional, single-factor authentication looks like.
There are three factors of authentication, and you can mix factors for added trust. These factors are knowledge (something I know), possession (something I have), and inherency (something I am). When more than one of these factors is in use, it’s called multi-factor authentication or MFA. Here are a few examples of each factor of authentication:
- Possession: a hard token, USB key or mobile device with an authenticator app
- Knowledge: a password, PIN or answer to a challenge question
- Inherency: facial recognition, fingerprint or other biometrics
Most single-factor authentication requires a user to declare who they are (a username) and answer a knowledge-based challenge (a password). This low-security approach to authentication brings the burdens of security holes and a poor user experience.
However, the most critical thing to remember in single-factor, knowledge-based authentication is that the supposed “secret” is shared by both the user and the service provider. That means users have to trust their password with a company that may be vulnerable to cyber attacks — and may be unable to prevent that secret from getting out.
Genuine passwordless means no username, no password and no identifiers passed between parties. With genuine passwordless login, the goal is to keep a user’s identifiers under their control. The best way to achieve that is with the FIDO standard.
Unlike traditional MFA, which typically involves a combination of ownership and knowledge factors, FIDO-based passwordless authentication links a user’s private key to a cryptographic public key. Whenever the user tries to log in, they verify their identity using the locally stored key. When that matches up with a public key, they’re given access.
Let’s walk through it step by step using the flow chart below:
- When a user registers for an app or service, a registration approval request is sent to their device. They confirm this request using their biometric reader.
- A private key is generated for the user.
- A corresponding public key is sent to the app or service.
- The public key is registered. The only way to unlock the public key is with the private key.
- When the user tries to log in, a challenge is generated and sent to their device.
- The user approves the challenge by unlocking the private key with their biometric reader.
- The challenge is signed using the private key.
- The public key determines if the right private key was used, and the user is logged in.
And that’s it! The most important thing to remember is that in genuine passwordless, a user’s private key serves as a buffer between them and the provider. Their biometrics never leave the device because they’re only used to unlock the private key.
Why should I go passwordless?
There are a number of advantages to passwordless authentication:
- Smoother user experience: no more attrition or fatigue due to password resets and frustrating registration sequences
- Heightened security: strengthened standards make it harder for attackers to impersonate legitimate users or steal their credentials
- Reduced overhead: IT no longer needs to issue, manage and reset passwords, eliminating the need for password-related help desk tickets
However, going passwordless can present a number of obstacles. Traditionally, passwordless implementation requires a large budget, a team of developers and a lot of time. The infrastructure and development costs alone turn even large enterprises away.
Now, thanks to BindID, solving the password problem has never been faster or simpler.
BindID helps organizations rapidly implement a passwordless, customer-centric identity experience across any device, app or channel — including non-digital channels like kiosks and call centers.
Unlike typical passwordless implementations, BindID can be deployed in weeks or months rather than years. Its minimal coding requirements mean that as little as one developer can have it up and running in a fraction of the usual time. With its lightning-fast implementation, BindID is the perfect choice for a rapid turnaround.
Using the FIDO2 standard, BindID creates a secure environment that provides a genuine passwordless login experience for your customers. Infrequent customers no longer have to slog through tiresome reset processes, and return visitors are able to log in unencumbered by typical MFA challenges. That means reduced attrition, increased satisfaction and more satisfied customers.
Passwordless login may still be a relatively new concept in authentication, but it’s quickly emerging as the most convenient and secure option available. BindID represents a dramatic leap forward in the industry that both improves the customer experience and provides an ironclad layer of privacy and security.
Ready to learn more? Explore more about BindID and how it can help your organization rapidly achieve genuine passwordless authentication.