A one-time password (OTP) is an identity verification tool for authenticating users logging into an account, network, or system. A user is sent a password containing a unique string of numbers or letters that can only be used once to log in. Used or not, these password codes expire after a short period of time.

In Cymmetri, if OTP is enabled for passwordless login, the user is prompted for an OTP which is sent to the user's registered mobile number and email address during login.

After OTP verification, the user is verified and logged in into the system

What is Passwordless Authentication?

Passwordless authentication is a verification method in which a user gains access to a network, application, or system without a knowledge-based factor such as a password, security question, or PIN.

Rather than using a set of information for authentication, the user would provide something they possess, such as biometric evidence or a piece of hardware.

How Does Passwordless Authentication Work?

Passwordless authentication works by using something the user “has” or something the user “is” to verify their identity and give them system access to a website, application, or network. This would be in contrast to a traditional password login, which would be something the user “knows.”

Typically, a Passwordless login starts with the user going onto a device, entering a session, or opening an application and entering some type of identifiable information like their name, phone number, email address, or designated username. From there, they need to verify their identity by inserting something they “have” such as a hardware token, smart card, fob, or clicking a link sent to a mobile device. If the identifiable information or registered device matches a given factor’s information in the authenticating database, they are given access permission.

Alternatively, they could use something the user “is,” which would be the equivalent of a biometric factor. So, when they try to enter a device or account on an application, they could be prompted to insert identifiable information in addition to voice recognition or a fingerprint, eye, or facial scan.

Passwordless in Cymmetri

To set up Passwordless authentication in Cymmetri, the administrator needs to follow these steps: Go to the "Products" section and select "Passwordless."

This action will direct the administrator to the Passwordless configuration page, where they will find the various Passwordless authentication factors listed below.

1. TOTP Based

2. OTP Based

3. Consent Based

4. FIDO Based

We will go in details of these factors one by one on the next page.

Time-based One-Time Password (TOTP) authentication is a two-factor authentication mechanism that uses a time-based algorithm to generate a unique one-time password for user authentication. TOTP is commonly used in security systems, including various two-factor authentication (2FA) applications and services.

In Cymmetri the totp is received on the users mobile device during the login attempt after having it been configured during first login.

During login the user is shown the option of Passwordless if it has been enabled by the admin user.

The user clicks on "Login without password" to proceed with Passwordless authentication.

The user clicks on TOTP based option.

A TOTP for the user has been configured on the users Cymmetri mobile application. The user inputs the totp and is logged in into the system

FIDO (Fast Identity Online) is an open standard for passwordless authentication that aims to reduce reliance on passwords and enhance online security. FIDO-based passwordless mechanisms use public-key cryptography to authenticate users without the need for traditional passwords. One of the key components of FIDO is the use of a hardware security key or biometric authentication.

Here's a brief overview of how FIDO-based passwordless mechanisms work:

1. Registration:

   • During the registration process, the user's device generates a public-private key pair.

   • The public key is stored on the server, while the private key remains on the user's device. The private key is typically stored in a secure element, such as a hardware security key or the device's Trusted Platform Module (TPM).

2. Authentication:

   • When a user attempts to log in, the server sends a challenge to the user's device.

   • The device uses the private key to sign the challenge and sends the signed response back to the server.

   • The server verifies the signature using the stored public key. If the verification is successful, the user is authenticated.

3. FIDO Protocols:

   • FIDO supports two main protocols: FIDO U2F (Universal 2nd Factor) and FIDO2.

   • Cymmetri supports the FIDO2 protocol for implemeting the passwordless mechanism

   • FIDO2 includes WebAuthn (for web applications) for communication between the client (user's device) and the authenticator (e.g., hardware security key).

4. Passwordless Options:

   • FIDO-based passwordless authentication can be achieved through various methods, including the use of hardware security keys, biometrics (such as fingerprint or facial recognition), or a combination of both.

Consent based authentication allows users to verify their identities with explicit consent from their registered devices.

If it has been enabled in the passwordless configuration, the user will be displayed consent based authentication on passwordless login attempt, where the user will be asked for approval.

The user has to "accept" the authentication request received on the user's mobile device as a push notification. Post approval the user is verified and logged in the system