Passwords are fast becoming a thing of the past, and for good reason. For better user experience and security, services should let their users log in without passwords. With Asgardeo, this is straightforward: businesses can set up a passwordless login experience for their customers with very little effort. In this article, we look at why passwords are bad, what passwordless login is, and the benefits it offers, before learning how to configure passwordless login in Asgardeo.
Passwords are bad
According to a study carried out by Transmit Security, more than 50% of the survey participants had shared the password of at least one of their accounts with someone else. 41% of them had shared their passwords often. Besides, 55% of the customers had stopped using a website owing to a complex login process. To top everything off, 87.5% of the users had been locked out of their accounts following failed login attempts and 92% of those users had left the website without recovering their passwords.
In addition, passwords are vulnerable to brute force and credential-stuffing attacks, and attackers can obtain them through phishing, network sniffing, and keyloggers. Moreover, people tend to reuse the same password across multiple accounts, write their passwords down, or simply choose weak passwords that are easy to crack.
Passwordless login addresses the security issues inherent to passwords by using one of a variety of technologies that let users log in without a password.
One commonly used technology is One-Time Passwords (OTP). After entering their username, users receive an OTP code by SMS or email and enter it on the website to log in. Note that an OTP delivered this way is still phishable: a user can be tricked into typing the code into a fake site that relays it to the real one, and SMS delivery is exposed to SIM-swap attacks.
Magic links are another way users can log in without passwords. Here, they receive an email containing a secret, single-use link; opening it logs them in to the website.
Push notifications are also a popular strategy. Here, a push notification is sent to the user's mobile device when someone attempts to log in to the website. If the user confirms the login on their mobile device, the website logs them in. Without number matching or similar context in the prompt, users can be worn down into approving a login they did not initiate, so the prompt should show what is being approved.
Biometrics is another popular method of passwordless login. Here, users use the biometric sensors on their own devices to log in to websites. The biometric check happens locally on the device and only unlocks a cryptographic key; the biometric data itself is never sent to the website. The FIDO2 (Fast IDentity Online) specifications define the standard for this kind of authentication so that different browsers, devices, and websites interoperate.
FIDO2 consists of two specifications. The W3C WebAuthn standard gives web applications a common JavaScript API (navigator.credentials) across browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, and Safari, and the FIDO Alliance's CTAP (Client to Authenticator Protocol) is what the browser or operating system uses to talk to external authenticators such as USB keys and phones.
This lets us log in with the biometric sensors built into our devices, such as fingerprint readers and infrared cameras, through platform authenticators like Windows Hello and Apple Touch ID. We can also use roaming authenticators such as our mobile phones and dedicated USB security keys.
FIDO2 makes this possible with public-key cryptography, specifically digital signatures rather than encryption. When you register a FIDO2 authenticator (a biometric sensor, USB key, or mobile phone) with a website, the authenticator generates a fresh public-private key pair for that site. The private key stays on the authenticator, while the public key is stored on the website's server. When the user tries to log in, the server generates a random challenge and sends it to the browser; the browser passes it to the authenticator together with the site's origin, and the authenticator signs the challenge and that context with its private key. The server then verifies the signature with the stored public key and, if it matches the challenge it issued and its own origin, logs the user in. Because each challenge is fresh, a captured response cannot be replayed, and because the origin is part of what is signed, a response obtained on a phishing site does not verify on the real one.
Advantages of passwordless login
The biggest advantage comes in the form of a vastly improved user experience. Imagine being able to log in to a website by just placing your finger over a sensor. This is what passwordless login accomplishes.
Passwordless login also affords tighter security. There is no shared secret to guess, so FIDO2-backed passwordless logins cannot be compromised by brute force or credential stuffing. Because the browser binds each signed response to the website's origin, a phishing site cannot obtain anything it can replay against the real site, and because the private key never leaves the authenticator, sniffing the exchange yields nothing reusable. The remaining risks sit on the device and in the session: a lost authenticator (which is why the biometric or PIN check before each signature matters) and a hijacked session cookie after the login has completed.
Configuring passwordless login using the Console app
Now that we have seen what passwordless login is and its benefits, let’s see how we can configure this in Asgardeo. Asgardeo provides passwordless login via FIDO2 authentication.
To get started, create an application using the Console app, and go to the edit view.
In the edit view, click on the “Sign-in Method” tab to configure the login flow of this application. To make your life easier, Asgardeo provides a pre-configured template to add passwordless login to your application. Simply click on the “Add passwordless login” card to add passwordless login.
This template adds a Basic (username and password) authenticator and a Security Key/Biometrics authenticator to the first step, so users can log in with either their username and password or their FIDO2 authenticator. Remove the username and password authenticator to make passwordless login mandatory.
Registering Security key/Biometrics
Let’s see how a customer can now register their Security Key/Biometrics to perform passwordless login. You may have to create a customer user account first if you don’t already have one.
Go to the My Account app belonging to your tenant by appending your tenant name to https://myaccount.asgardeo.io/t/, and log in with the credentials of the customer user account you created. Then, move to the Security page by clicking the relevant menu item on the left.
On the Security page, you will be able to find the Security Key/Biometrics section under the “Additional Authentication” section. Click on the plus icon to register your Security Key/Biometrics.
Once you click this button, your browser guides you through the registration flow. The flow differs from browser to browser, but it generally involves selecting either a key or a sensor on your device and then inserting the key or using the sensor. I used Microsoft Edge to register my Apple Touch ID, so I got a screen like the one in the screencap below.
Once you complete this step, the My Account app will prompt you to enter a name for the device so that you can identify it easily. I just named it “Mac Touch ID”.
Let’s test the flow
To get rolling, initiate the login flow from your application. When you land on the Asgardeo sign-in page, you will find the option to sign in using Security Key/Biometrics.
Click this button to go to the passwordless authentication page, where your browser will give you further instructions to log in.
Since I registered my Touch ID, I only needed to place my finger on the sensor and just like that, I logged in to the application.
That’s how easy it is to set up passwordless login with Asgardeo.