Passwordless authentication is a verification method in which a user gains access to a network, application, or system without a knowledge-based factor such as a password, security question, or PIN.
Rather than supplying a piece of known information for authentication, the user provides something they possess, such as biometric evidence or a piece of hardware.
Passwordless authentication works by using something the user “has” or something the user “is” to verify their identity and give them system access to a website, application, or network. This would be in contrast to a traditional password login, which would be something the user “knows.”
Typically, a passwordless login starts with the user going onto a device, entering a session, or opening an application and entering some type of identifiable information, such as their name, phone number, email address, or designated username. From there, they need to verify their identity by presenting something they “have”, such as a hardware token, smart card, or fob, or by clicking a link sent to a mobile device. If the identifiable information or registered device matches a given factor’s information in the authenticating database, they are granted access.
Alternatively, they could use something the user “is”, which is the equivalent of a biometric factor. So, when they try to enter a device or an account on an application, they could be prompted to provide identifiable information in addition to voice recognition or a fingerprint, eye, or facial scan.
To set up Passwordless authentication in Cymmetri, the administrator needs to follow these steps: Go to the "Products" section and select "Passwordless."
This action will direct the administrator to the Passwordless configuration page, where they will find the various Passwordless authentication factors listed below.
TOTP Based
OTP Based
Consent Based
FIDO Based
We will go into the details of these factors one by one on the next page.
Consent-based authentication allows users to verify their identities by giving explicit consent from their registered devices.
If it has been enabled in the passwordless configuration, consent-based authentication is presented to the user on a passwordless login attempt, and the user is asked for approval.
The user has to "accept" the authentication request received on their mobile device as a push notification. After approval, the user is verified and logged into the system.
A one-time password (OTP) is an identity verification tool for authenticating users logging into an account, network, or system. A user is sent a password containing a unique string of numbers or letters that can only be used once to log in. Used or not, these password codes expire after a short period of time.
In Cymmetri, if OTP is enabled for passwordless login, the user is prompted for an OTP which is sent to the user's registered mobile number and email address during login.
After OTP verification, the user is verified and logged into the system.
Time-based One-Time Password (TOTP) authentication is a two-factor authentication mechanism that uses a time-based algorithm to generate a unique one-time password for user authentication. TOTP is commonly used in security systems, including various two-factor authentication (2FA) applications and services.
In Cymmetri, the TOTP is received on the user's mobile device during the login attempt, having been configured during the first login.
During login the user is shown the option of Passwordless if it has been enabled by the admin user.
The user clicks on "Login without password" to proceed with Passwordless authentication.
The user clicks on the TOTP-based option.
The TOTP for the user has already been configured in the user's Cymmetri mobile application. The user enters the TOTP and is logged into the system.