Passwordless Authentication

Mitigate impact of Credential leaks with Luciditi Sign-In

Quickly add FIDO2 Passwordless Biometric Authentication to your applications using the Luciditi low-code SDK


What is Passwordless Authentication

The traditional way to authenticate user access to a website, mobile or desktop application is by means of a password of a reasonable length and with a reasonable level of complexity.
However, there are a number of problems with this:

  • Password Re-use: People do not create unique passwords for every site which means if one system is compromised, others are vulnerable too.

  • Credential Leaks: Passwords and password hashes are frequently leaked on the dark web. Due to password re-use, credential leaks remain the primary attack vector for account take over.

Consequently, when one system has a credential leak, the risk is not only to the site from which the credentials originated, but to multiple others. Hackers know this and use automation to exploit leaked credentials across many systems to gain access often for financial gain.

The use of a second factor (2FA) such as a one-time code or verification link helps protect sites that offer them, but this doesn’t stop the password being tried elsewhere. OTP’s supplied via email or SMS are clearly no use if email or SMS has been compromised as well. In order to protect systems securely, the password must be removed from the equation entirely. This is where no password ie ‘passwordless’ authentication comes in

Encryption is the Key

In place of a password, a users’ unique biometrics such as face or fingerprint are used to generate a private key which is stored on a users device.

This key is unique to the application and can only be accessed by unlocking access via the same biometrics used to create it.

Since only a genuine key can digitally sign an authentication request, the service being signed in to is able to independently verify that it originated from owner of the biometrics and trust it.
One big advantage of this approach is that a system doesn’t need to hold the end-users biometrics to verify the authentication so there are no credentials to steal!

Next-Generation Passwordless Authentication

A further advantage of Luciditi SignIn is that it is integrated with the Luciditi Digital Identity, a verified ID that has is assured by the owner through various means including comparison of facial characteristics against a government issued identity document such as a passport.

Using the Luciditi app for password free authentication, a passwordless session has the advantage of knowing that it is attached to a verified user and therefore offers an increased level of trust. Check out our passwordless article which includes a demo video.

Relative strength of user authentication methods





MFA Tokens







Luciditi SignIn Passwordless Authentication (FIDO2)

  • Accounts protected with a highly secure, ID-backed, FIDO2 compliant authentication
  • Initiate Sign-In through QR Code, Mobile Push or Luciditi Realtime Request
  • User authenticates with two-taps in Luciditi App
  • Knowledge that the user has authenticated using their own biometrics on a dedicated device
  • Users can self-register devices via a common FIDO2 enrolment experience

  • Man-in-the-middle attacks rendered useless
  • Brute-force attack on passwords no longer a concern
  • Costs associated with password resets (IT managed) disappear
  • No costs for sending OTP over SMS
  • No vulnerable honey pot of passwords / hashes improving data security compliance and lower risk of financial penalty