Passwordless authentication: Process and implementation

Passwordless authentication is an advanced identity verification system where, instead of passwords, other modern methods of authentication are used to determine user authenticity. Removing the password from the authentication process makes the system and its resources completely immune to password-based cyberattacks such as dictionary attacks, brute-force attacks, credential stuffing, and more. Additionally, the user experience is improved as password fatigue and the resulting risky password management practices are eliminated.

How does passwordless authentication work?

In a passwordless authentication model, the standard replacements for the password are an inherence factor that is based on elements already part of the user (also known as biometrics), and a possession factor that is based on elements owned by the user (for example, mobile-based OTPs and hardware tokens). Using multiple stages of passwordless authentication that include both inherence and possession factors (multi-factor authentication) is the recommended approach.

While password authentication involves comparing the password provided with a hash stored in the database, passwordless authentication uses cryptographic private-public key-pair authentication. During authentication, the application or system being accessed sends over the public key specific to the user account. The user attempts to match the public key with the private key, which can be accessed by completing a biometric check, entering an OTP, or authenticating using a hardware token. If the public-private key pair is successfully matched, the user is authenticated.
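The key-pair check described above is commonly realised as a challenge-response exchange: the server issues a random challenge, the device signs it with the private key after the local unlock step, and the server verifies the signature with the stored public key. The sketch below is an added example, not ADSelfService Plus code; the `Server` and `Device` classes, the 60-second challenge lifetime and the choice of Ed25519 are assumptions made for illustration.

```javascript
// Added illustration (Node.js); all class and function names are hypothetical.
const crypto = require("crypto");

const CHALLENGE_TTL_MS = 60_000; // assumed challenge lifetime

// Server side: stores only public keys, plus the challenges it has issued.
class Server {
  constructor() {
    this.publicKeys = new Map(); // username -> public key registered at enrollment
    this.pending = new Map();    // username -> { challenge, expires }
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  issueChallenge(user, now = Date.now()) {
    const challenge = crypto.randomBytes(32); // fresh, unpredictable nonce
    this.pending.set(user, { challenge, expires: now + CHALLENGE_TTL_MS });
    return challenge;
  }
  verify(user, signature, now = Date.now()) {
    const entry = this.pending.get(user);
    const key = this.publicKeys.get(user);
    this.pending.delete(user); // single use: a replayed response finds no challenge
    if (!entry || !key || now > entry.expires) return false;
    return crypto.verify(null, entry.challenge, key, signature);
  }
}

// Device side: the private key is used only after a local check succeeds
// (biometric, OTP or hardware token on a real device; a boolean here).
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.publicKey = publicKey;
    this._privateKey = privateKey; // never leaves the device
  }
  sign(challenge, userVerified) {
    if (!userVerified) throw new Error("local user verification failed");
    return crypto.sign(null, challenge, this._privateKey);
  }
}

function demo() {
  const server = new Server(), phone = new Device(), other = new Device();
  server.enroll("alice", phone.publicKey); // constructed sample account
  const sig = phone.sign(server.issueChallenge("alice"), true);
  const ok = server.verify("alice", sig);
  const replay = server.verify("alice", sig); // same response sent again
  const wrongKey = server.verify("alice", other.sign(server.issueChallenge("alice"), true));
  const stale = phone.sign(server.issueChallenge("alice", 0), true);
  const expired = server.verify("alice", stale, CHALLENGE_TTL_MS + 1);
  return { ok, replay, wrongKey, expired };
}
console.log(demo());
```

The server never holds a secret that can be replayed: a stolen database yields only public keys, and a captured response is useless once its challenge has been consumed or has expired.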

ManageEngine ADSelfService Plus, an identity security solution with MFA, SSO, and self-service password management capabilities, offers passwordless authentication with a maximum of three stages for SSO-based logins to enterprise applications and logins into its Android and iOS mobile application.

Implementing passwordless authentication using ADSelfService Plus

Here are the steps to enable passwordless authentication for SSO using ADSelfService Plus.

Step 1: Enable SSO for the enterprise application

  1. Log in to the portal as an administrator.
  2. Open Configuration > Policy Configuration > Add New Policy.
  3. Select the OUs and Groups in your configured domain whose users could benefit from SSO and passwordless authentication, and create a policy.

  4. Go to Configuration > Password Sync/Single Sign-on > Add Application.
  5. Select the application for which you want to enable SSO and passwordless authentication.
  6. Provide the required information in both ADSelfService Plus and the target application to enable SSO. Make sure to mention the policy created earlier.

Step 2: Enable the required authentication methods

  1. Navigate to Configuration > Multi-factor Authentication > Authenticators Setup.
  2. From the Choose the Policy drop-down, select the policy created.
  3. Select the authentication methods you prefer for passwordless authentication and provide the information required to configure them.

Step 3: Enable passwordless authentication

  1. Move to the MFA for Applications tab.
  2. In the MFA for Cloud Applications Login section, check the box next to Enable authenticators, enter the number of authentication methods to be enforced, and select the authentication methods configured earlier from the drop-down.

  3. Click the Advanced button, and in the pop-up that opens, go to Applications MFA.
  4. Check the box next to Enable Passwordless Login under Cloud Application Login MFA.
  5. Click Save.
  6. Click Save Settings in the MFA for Applications tab.
  7. You have now enabled passwordless authentication for enterprise applications.

Why choose ADSelfService Plus as your passwordless authentication solution?

  • Wide choice of authenticators: Choose from a bevy of authenticators, from complex inherence factors like fingerprint and FaceID to fool-proof time-bound possession factors like Google Authenticator and YubiKey Authenticator.
  • Multi-factor authentication: Instead of replacing the password with just one authentication method, ADSelfService Plus lets you enable up to three layers of authentication.
  • Granular configuration: Don't set the same authentication requirements for all users. Enable passwordless authentication using specific authentication methods for particular OUs and groups of users based on specific requirements.
  • Support for custom applications: Enable passwordless authentication for custom SAML, OIDC, and OAuth-based applications as well as over 100 established cloud applications.

Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Notify Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Require Active Directory users to adhere to compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
