Passwordless Authentication

Mitigate the impact of credential leaks with Luciditi Sign-In

Quickly add FIDO2 Passwordless Biometric Authentication to your applications using the Luciditi low-code SDK

What is Passwordless Authentication

The traditional way to authenticate user access to a website, mobile or desktop application is by means of a password of reasonable length and complexity.
However, there are a number of problems with this:

  • Password re-use: People do not create unique passwords for every site, which means that if one system is compromised, others are vulnerable too.

  • Credential leaks: Passwords and password hashes are frequently leaked on the dark web. Because of password re-use, leaked credentials remain one of the most common attack vectors for account takeover.

Consequently, when one system has a credential leak, the risk is not only to the site from which the credentials originated but to many others. Attackers know this and use automation to try leaked username/password pairs across many systems (credential stuffing) to gain access, often for financial gain.

The use of a second factor (2FA) such as a one-time code or verification link helps protect the sites that offer it, but it does not stop the password being tried elsewhere. OTPs supplied via email or SMS are clearly of no use if email or SMS has been compromised as well, and both can be relayed in real time by a phishing proxy. To protect systems securely, the password must be removed from the equation entirely. This is where no-password, i.e. ‘passwordless’, authentication comes in.

Public-Key Cryptography is the Key

In place of a password, the user’s device generates a public/private key pair. The private key never leaves the device; the user’s biometrics, such as face or fingerprint (or a device PIN), are not an input to the key but unlock its use each time the user signs in.

Each key pair is unique to the application (relying party) it was registered with, so a credential created for one site cannot be used at, or correlated with, another.

To sign in, the service sends a fresh random challenge and the device signs it, together with the identity of the site, using the private key. Because only the genuine device holds that key, the service can verify the signature with the public key it stored at registration and trust that the request originated from the owner of the biometrics.
One big advantage of this approach is that the service holds neither a password nor the end user’s biometrics, only a public key, so a breach of its database yields nothing an attacker can use to sign in.

Next-Generation Passwordless Authentication

A further advantage of Luciditi SignIn is that it is integrated with the Luciditi Digital Identity, a verified ID that is assured through various means, including comparison of the owner’s facial characteristics against a government-issued identity document such as a passport.

Because the Luciditi app is used for password-free authentication, a passwordless session is known to be attached to a verified user and therefore offers an increased level of trust. Check out our passwordless article, which includes a demo video.

Relative strength of user authentication methods

Method            Rating
Password          Bad
2FA SMS           OK
MFA Tokens        Better
Passwordless      Best
ID-Passwordless   Ultimate

Benefits

Luciditi SignIn Passwordless Authentication (FIDO2)

  • Accounts protected with highly secure, ID-backed, FIDO2-compliant authentication
  • Initiate Sign-In through QR code, mobile push or Luciditi Realtime Request
  • User authenticates with two taps in the Luciditi App
  • Knowledge that the user has authenticated using their own biometrics on a dedicated device
  • Users can self-register devices via a common FIDO2 enrolment experience

  • Phishing and man-in-the-middle (relay) attacks rendered useless: the signed assertion is bound to the genuine site’s origin and to a one-time challenge
  • Brute-force attacks on passwords no longer a concern
  • Costs associated with password resets (IT managed) disappear
  • No costs for sending OTPs over SMS
  • No honey pot of passwords or password hashes to steal, improving data-security compliance and lowering the risk of financial penalties