What is passwordless authentication?

Passwordless authentication is a way of logging into accounts without needing to type in a password. It relies on alternatives to passwords, such as biometric authentication, one-time codes, physical keys, or authenticator apps.

Learning Objectives

After reading this article you will be able to:

  • Understand what passwordless authentication is
  • Learn the mechanisms and the different types of authentication
  • Evaluate the benefits and drawbacks of passwordless authentication


What is passwordless authentication?

Passwordless authentication is a way of logging into accounts without typing in a password. Instead of passwords (which can be hard to remember and easy to get stolen), the following alternatives can be used:

  • Biometric authentication, such as fingerprints or facial recognition (for example, Apple Face ID).
  • One-time codes or magic links, which are codes or links sent directly to the user's phone or email.
  • Authenticator apps like Google or Microsoft Authenticator that generate one-time codes.
  • Physical tokens like YubiKeys that are either plugged into a computer or tapped against a phone.

How does passwordless authentication work?

Before granting access, an identity verification system checks one or more characteristics of the user to make sure they are who they claim to be. These characteristics, also known as “authentication factors,” are: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). Passwordless authentication uses one or two of these three factors without relying on the knowledge factor, for example biometrics (something the user is) or a hardware key (something the user has).

Below is an example of how it works:

  1. First, the user sets up a passwordless login method, such as registering their fingerprint, linking their email for magic links, or connecting a physical key to their computer or phone.
  2. The user logs in. The details depend on the method in use. With biometrics, the user presents a fingerprint, face, or voice, and the system compares it against the sample registered in step 1. With a hardware token or physical key, the user plugs in or taps the key to prove possession of it; the key then produces a unique, one-time value that the system uses to verify the user's identity.
  3. The system compares what the user presented (a fingerprint, the code from the user’s authenticator app, the value from a hardware key, etc.) against what is on file for that user. If it matches, the user is granted access to their device or account.
  4. For added security, passwordless authentication will sometimes be paired with another method, like sending a code to the user’s phone on top of using a fingerprint. This helps add another layer of protection.

What are the benefits of passwordless authentication?

Passwordless authentication benefits can include decreased risk from phishing, improved user experience, and reduced costs for businesses.

  • Enhanced security: Passwordless authentication reduces the risk of phishing, account takeover, and credential theft. With no password to be exposed in a data breach or leak, there is also no password for an attacker to trick users into revealing.
  • Improved user experience: Users can log in with a fingerprint, face scan, or click, which makes the process much easier and faster than having to remember complicated passwords.
  • Reduced costs for businesses: When enterprises use passwordless authentication, it can reduce IT support and maintenance costs related to password management and streamline account recovery processes when users lose access.

What are the challenges of passwordless authentication?

Although there are benefits to passwordless authentication, it still comes with several challenges:

  • Multiple devices: Users often expect to sign in to cloud applications on multiple devices, but passwordless authentication can make this more challenging.
  • Compatibility: Integrating various authentication methods with existing systems can lead to compatibility issues, and not all apps support non-password sign-ins.
  • User adoption: Users experience a learning curve and have to adjust to a new method of signing on.
  • New risks: Passwordless authentication can also pose risks, such as the potential loss of sensitive biometric information if a device is lost or stolen. Reissuing lost tokens can be difficult or costly.
  • Not a complete fix: It doesn’t address all security concerns. Attackers may shift to other methods, like social engineering, on-path attacks, or even physical device theft.
  • Cost: There may be upfront costs to implement passwordless authentication, as well as ongoing maintenance costs.

How does Cloudflare implement passwordless authentication?

The Cloudflare One platform has unified security capabilities, including passwordless authentication, by integrating one-time PIN login, SSO integration, and authorization cookies. Cloudflare checks every HTTP request to ensure that the request has a valid CF Authorization cookie. Learn more about Cloudflare One.