May 11, 2022
3 min read

Eliminating Password Burden: Introducing Asgardeo Passwordless Authentication

Have you ever found passwords to be extremely inconvenient? In a developing world, you've been using older technology?

Password policies have been significantly toughened in response to modern security requirements, and establishing a memorable password following these policies is quite tricky. With the present pandemic, the globe is quickly moving toward a remote work environment, and the use of internet-based services is rapidly rising. As a result, remembering numerous passwords for various websites is no longer an option. As a result, many users tend to reuse passwords across multiple sites and generate passwords that are weaker but still allowed by policy. As a result, security threats using passwords are on the rise, ranging from password stuffing to brute force attacks. User accounts are also regularly compromised as a result of data breaches in weaker software and database implementations that do not conform to security best practices.

Asgardeo, a next-generation IDaaS (Identity as a Service) solution, recently announced FIDO2-based passwordless authentication, which allows application developers to simply integrate secure authentication mechanisms into their applications without the need for passwords. Let's first define passwordless authentication and why we should utilize it before diving into Asgardeo.

What is Passwordless Authentication?

Passwordless authentication, as the name implies, is a method of logging in or gaining access without having to input a password or answer security questions. Passwordless authentication reduces the need for hazardous passwords and their administration, while also improving the security of user accounts by reducing their vulnerability to assaults. Proximity badges, physical tokens, USB devices/keys, magic links, biometric identification, mobile applications, and other passwordless authentication technologies are available. The majority of these techniques are commonly utilized in multi-factor authentication to increase security. Some of these solutions, however, can be utilized as a first-factor authentication system.

Why Passwordless Authentication?

We've been introducing new passwords to different sites each day because many of us are building accounts and profiles on multiple websites. Okay! Please hold on. Why not use the same password for multiple sites, you might think? Or use a social login option, which can be found on many famous websites today? First, using the same password for many sites is not a good idea because it exposes all of your profiles to data breaches. Second, using social login to eliminate the need for passwords is another option.

Passwords are difficult to remember and have increasingly complex criteria, as I said in the opening. Different sites may have different password policies, so a password generated for one site might not work on another. For me, remembering a password designed for a modern enhanced password policy is often challenging. Furthermore, given today's security requirements, changing passwords regularly is much more inconvenient.

It's 2022, and we've been using passwords for much longer. Although passwordless authentication and Fast Identity Online (FIDO) technology have existed for some time, online services and identity providers have yet to use them. Passwordless authentication is now possible because of the incorporation of biometric capabilities into most modern mobile devices and laptops passwordless authentication will become the future of authentication.

Passwordless authentication enhances the end-user experience by eliminating password fatigue. The user no longer needs to create a lengthier, more secure password and may receive unified access to all programs by simply connecting to a USB device or scanning their fingerprint.

What is FIDO?

Fast Identity Online (FIDO) is a set of open-source authentication methods developed by the FIDO Alliance to replace passwords. To achieve safe authentication, FIDO protocols use basic public key cryptography algorithms. The private keys will never leave the security device, and all conversations will be encrypted.

The FIDO Alliance has published three sets of specifications.

  • UAF (Universal Authentication Framework): FIDO UAF protocol offers the passwordless authentication option. Users leveraging this protocol should use one or more security factors available in their security/ digital device to sign a challenge issued by the FIDO server.
  • U2F (Universal Second Factor): FIDO U2F protocol offers the second-factor authentication option. Users must provide two evidence factors to prove their identity. With the introduction of the FIDO2 protocol, this has been renamed CTAP1.
  • FIDO2: FIDO2 is the newest set of specifications from the FIDO alliance.

FIDO2 and Webauthn

The Client To Authenticator Protocol (CTAP2) of the FIDO Alliance and the W3C's WebAuthn definition are combined to form the FIDO2 specification. WebAuthn is a standard online API for FIDO authentication incorporated into platforms and browsers. CTAP2 is a CTAP version that allows users to use external and built-in authenticators to provide passwordless, two-factor, or multi-factor authentication. The WebAuthn API is a tool for creating and managing public key credentials. Both CTAP1 and CTAP2 authenticators can communicate with it.

Asgardeo Passwordless Authentication

Passwordless authentication using Asgardeo can be used in web apps, mobile applications, native applications, command-line interfaces, and any software program that can consume a REST API. To deliver a safe passwordless authentication experience, Asgardeo uses the FIDO2 specification. A collection of REST APIs are used to access FIDO authenticator services. Security device registration and authentication are two paths in the flow.

Users must first enter into their organization's myaccount to register a security device. A new key pair, consisting of a private key and a public key, is generated during registration. This private key is kept on the FIDO2 security device and never leaves it. The relying party id is a private key that is tied to the registration server's domain (Asgardeo domain). The Asgardeo server will have access to the public key. You can give a security device a friendly name after it has been successfully registered. If not, a default display name will be assigned.

FIDO2 device registration in Asgardeo

The Asgardeo server (also known as the Relying Party) will send a WebAuthn challenge to the FIDO2 client during authentication. A browser, a mobile application, a software program, or a platform could all be used as a FIDO2 client. The user will then accept the authentication request using the FIDO2 authentication mechanism that was previously set up. At this point, the registered domain (relying party ID or Asgardeo domain) is compared to the domain of the authentication request, and authentication is refused if the two do not match. If two domains match, the FIDO2 client will use the authenticator's private key to sign the challenge and send it to the Asgardeo server. The user will be authenticated to the specified service if everything checks out.

FIDO2 passwordless authentication in Asgardeo

WSO2 has released an early adopter version of Asgardeo, an IDaaS that sets new industry standards for enabling developers without security expertise to easily embed CIAM features into their apps within minutes. Try out Asgardeo's free trial or discover more about its features here or why not join the IAM4DEVS community to get the latest tips and tricks on all things Identity!

Alternatively, if you’re looking for an enterprise grade, API driven, open source solution that can manage millions of user identities without spiraling costs please view WSO2 Identity Server