What is Passwordless Authentication
The traditional way to authenticate user access to a website, mobile or desktop application is by means of a password of a reasonable length and with a reasonable level of complexity.
However, there are a number of problems with this:
Password Re-use: People do not create unique passwords for every site, which means that if one system is compromised, others are vulnerable too.
Credential Leaks: Passwords and password hashes are frequently leaked on the dark web. Because of password re-use, credential leaks remain the primary attack vector for account takeover.
Consequently, when one system has a credential leak, the risk is not only to the site from which the credentials originated but to multiple others. Attackers know this and use automation to try leaked credentials across many systems to gain access, often for financial gain.
The use of a second factor (2FA) such as a one-time code or verification link helps protect sites that offer it, but this doesn’t stop the password being tried elsewhere. OTPs supplied via email or SMS are clearly no use if email or SMS has been compromised as well. To protect systems properly, the password must be removed from the equation entirely. This is where ‘no password’, i.e. ‘passwordless’, authentication comes in.
Encryption is the Key
In place of a password, a user’s unique biometrics, such as face or fingerprint, are used to generate a private key which is stored on the user’s device.
This key is unique to the application and can only be used by unlocking it with the same biometrics that were used to create it.
Since only the genuine key can digitally sign an authentication request, the service being signed in to can independently verify that the request originated from the owner of the biometrics and trust it.
One big advantage of this approach is that the system doesn’t need to hold the end-user’s biometrics to verify the authentication, so there are no credentials to steal!
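As an added illustration of the exchange described above (example code written for this page, not Luciditi’s SDK or any product’s implementation), the following Go sketch models the device-held private key, the biometric gate, the binding of the key to one application and the service-side check that uses only the registered public key. The application IDs, the challenge bytes and the Unlocked flag are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the user's device: the private key never leaves it,
// and Unlocked stands in for a face or fingerprint match (an illustrative assumption).
type Authenticator struct {
	AppID    string // the application this key pair was created for
	Unlocked bool
	priv     *ecdsa.PrivateKey
}

func NewAuthenticator(appID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{AppID: appID, priv: priv}, nil
}

// PublicKey is all the service stores at registration: no secret, no biometric.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge only while the biometric gate is open. The signed
// digest binds the application ID, so a signature for one app fails elsewhere.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("biometric unlock required")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(a.AppID, challenge))
}

func digest(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"\x00"), challenge...))
	return h[:]
}

// Verify is the service-side check against the registered public key. The
// challenge must be fresh random bytes the service issued for this sign-in, so a
// captured signature over an earlier challenge does not verify again.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, challenge), sig)
}
```

A leaked copy of the service’s user table yields only public keys, which cannot produce a valid signature for any challenge.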
Next-Generation Passwordless Authentication
A further advantage of Luciditi SignIn is that it is integrated with the Luciditi Digital Identity, a verified ID that is assured by the owner through various means, including comparison of facial characteristics against a government-issued identity document such as a passport.
Using the Luciditi app for password-free authentication, a passwordless session has the advantage of being attached to a verified user and therefore offers an increased level of trust. Check out our passwordless article, which includes a demo video.
Relative strength of user authentication methods
Method            Strength
Password          Bad
2FA SMS           OK
MFA Tokens        Better
Passwordless      Best
ID-Passwordless   Ultimate
Benefits
Luciditi SignIn Passwordless Authentication (FIDO2)
- Accounts protected with a highly secure, ID-backed, FIDO2 compliant authentication
- Initiate Sign-In through QR Code, Mobile Push or Luciditi Realtime Request
- User authenticates with two taps in the Luciditi App
- Knowledge that the user has authenticated using their own biometrics on a dedicated device
- Users can self-register devices via a common FIDO2 enrolment experience
- Man-in-the-middle attacks rendered useless
- Brute-force attacks on passwords are no longer a concern
- Costs associated with password resets (IT managed) disappear
- No costs for sending OTP over SMS
- No vulnerable honeypot of passwords or hashes, improving data security compliance and lowering the risk of financial penalties
Get started with Luciditi Sign-In
We’ve built a low-code SDK which is enabled by inserting less than a dozen lines of boilerplate code into your application. For web implementations, you have the choice of building your own UI or injecting our pre-built components into your pages for rapid development.
Learn more about our integration options
Passwordless authentication can be a complex integration, and doing it incorrectly can be insecure. Luciditi Sign-In simplifies things so that you only need to worry about the main touch points with your application – registering a user with an account and signing them in. It’s so easy to do that it’s possible to have a fully operational passwordless authentication option up and running in less than an hour.