CIAM.wiki

Passwordless Authentication

Passwordless authentication verifies a user without a stored password, using factors such as passkeys, security keys, biometrics, or one-time links and codes instead.

Also: passwordless

Passwordless authentication removes the password from sign-in. Instead of a secret the user has to remember and the server has to store, it relies on something harder to steal: a cryptographic credential on the user’s device, a biometric check, a hardware security key, or a one-time link or code sent to a verified channel.

The strongest form is based on FIDO2 and WebAuthn, where passkeys prove identity with a key pair and no shared secret ever reaches the server. Weaker forms such as email magic links or SMS codes remove the password but are only as secure as the channel that delivers them.

For CIAM, going passwordless cuts the cost and abandonment of forgotten passwords, removes a large class of phishing and credential-stuffing attacks, and tends to raise sign-in completion when implemented with passkeys.
