Passwordless authentication

Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering (and having to remember) a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier (username, phone number, email address etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token.

Passwordless authentication methods typically rely on public-key cryptography infrastructure where the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device (PC, smartphone or an external security token) and can be accessed only by providing a biometric signature or another authentication factor which is not knowledge-based.

These factors classically fall into two categories:

Ownership factors (“Something the user has”) such as a cellular phone, OTP token, smart card or a hardware token.

Inherence factors (“Something the user is”) like fingerprints, retinal scans, face or voice recognition and other biometric identifiers.Some designs might also accept a combination of other factors such as geo-location, network address, behavioral patterns and gestures, as long as no memorized passwords are involved.

Passwordless authentication is sometimes confused with multi-factor authentication (MFA), since both use a wide variety of authentication factors, but while MFA is often used as an added layer of security on top of password-based authentication, passwordless authentication does not require a memorized secret and usually uses just one highly secure factor to authenticate identity, making it faster and simpler for users.

"Passwordless MFA" is the term used when both approaches are employed, and the authentication flow is both passwordless and uses multiple factors, providing the highest security level when implemented correctly.