Passwordless authentication
In this topic, you will learn what passwordless authentication is, why it offers stronger security and better user experience than traditional passwords, and how it is not a new idea but remains underused. You will also see how passwordless methods integrate with secure networking to reduce risks and improve access control.
The security gaps in passwords and multi-factor authentication
In this section, you will learn why passwords, while theoretically secure, are highly vulnerable in real-world use, and how even traditional multi-factor authentication can be bypassed through phishing, device compromise, or social engineering.
Passwords were a solid idea when users had just one to remember and attackers lacked the computing power to crack them. But over time, systems multiplied and so did the number of passwords users had to manage. To stay secure, passwords became longer and more complex—harder to remember and easier to mishandle. As a result, people reuse them across services, choose weak ones that are easy to guess, or rely on predictable patterns based on personal information. This makes passwords a major vulnerability rather than a line of defense.
- No visibility into reuse: An organization has no reliable way to tell whether a user has reused a work password on personal or other services, so a breach elsewhere turns directly into credential stuffing against its own systems.
- Complexity requirements backfire: Enforcing complex password rules (symbols, numbers, uppercase letters) raises theoretical strength, but in practice users write the result down, keep it in unprotected files, or save it in a browser without proper protection.
- Frequent password changes lead to poor practices: When forced to rotate passwords, users typically change the existing one slightly (adding a digit, swapping one letter), producing variations that are easy to guess or crack. Current guidance such as NIST SP 800-63B therefore recommends changing a password only when there is evidence of compromise.
- Password managers are not a universal solution: Password managers generate and store strong, unique credentials, but many users find them too complicated or inconvenient for daily use, and some cloud-based password managers have suffered major security breaches that undermined trust.
- Phishing remains highly effective: Even strong, unique passwords are lost if users are tricked into entering them into a fake login page or malicious site. Attackers rely on social engineering far more often than on technical flaws.
- Passwords can be extracted from compromised devices: If a user's device is infected with malware or otherwise compromised, stored or typed passwords can be retrieved regardless of their complexity.
Multi-factor authentication (MFA) was introduced as a solution to the problems with passwords. Initially, this meant sending one-time codes via SMS, but those were soon found to be vulnerable to SIM swapping and interception. Authenticator apps followed, offering stronger security, but even those can be bypassed in various ways. While MFA adds a layer of protection, it is not foolproof.
- SIM swapping and SMS interception: Attackers trick or bribe mobile carriers into moving a victim's phone number to a new SIM card, after which they receive the MFA codes sent via SMS.
- Phishing for MFA codes: A fake login page prompts for both the password and the one-time code and relays them to the real service in real time, before the code expires.
- Adversary-in-the-middle (AitM) attacks: A reverse proxy placed between the user and the real login page forwards the whole session, including the MFA step, and captures the resulting session cookie or token. Once the attacker holds the session cookie, neither the password nor the MFA code is needed again.
- Malware on the user's device: A compromised device exposes MFA tokens and session cookies, and lets the attacker intercept the authentication flow directly.
- Push fatigue (MFA fatigue attacks): With push-based MFA, the attacker repeatedly triggers login approval requests to the user's phone, hoping the user approves one out of annoyance or confusion.
Solving password problems with passwordless authentication
In this section, you will learn what passwordless authentication is, the most common methods used today, and how these approaches work together to remove the risks and limitations of passwords entirely.
Passwords can be guessed, stolen, or misused, but passwordless authentication removes them entirely from the login process, eliminating many of the most common attack paths. By relying on factors that are harder to steal or replicate, passwordless methods provide both stronger security and a better user experience.
- Device-based certificates: A certificate and its private key are installed on a trusted device and used to authenticate automatically, with no secret for the user to type. When the private key is generated on the device and stored as non-exportable (ideally in a TPM or Secure Enclave), it cannot be copied elsewhere, and the certificate can be revoked if the device is lost.
- Biometric authentication: Fingerprint or face recognition confirms that the person at the device is the authorized user. The biometric template stays on the device and is never transmitted; it only unlocks a locally stored key, and what leaves the device is a signature made with that key.
- Physical security keys: Hardware keys (for example FIDO2 keys) hold a private key that cannot be extracted and prove identity by signing a challenge. Use requires a user gesture such as a touch, and usually a PIN, so a stolen key alone is not enough.
- Platform-based authentication: Built-in authenticators such as Windows Hello, Touch ID and Face ID combine device identity, local biometrics or a PIN, and device-bound cryptographic keys to give fast authentication tied to that device.
When combined, for example, using device certificates with biometric verification, these methods create a strong, layered approach that significantly reduces the risk of compromise. Over the past decade, breaches involving compromised passwords have been widespread. In contrast, incidents involving breaches through passwordless authentication methods are exceedingly rare.
How digital certificates work in passwordless authentication
In this section, you will learn what digital certificates are, why they provide stronger security than passwords, how they are issued and managed, and how they enable secure, passwordless authentication for devices and users.
Digital certificates for authenticating users and devices are not a recent innovation. X.509 certificates have been integral to secure communications since the 1990s, most visibly in SSL/TLS; SSH later added its own certificate format as an extension to address key distribution challenges.
Major operating systems have supported certificate-based authentication for years. Windows introduced Certificate Services and X.509-based smart card logon with Windows 2000, and macOS has managed certificates and identities in its Keychain since at least Mac OS X 10.4 Tiger, released in 2005.
Although digital certificates have been around for a long time, many security solutions continue to rely on less secure authentication methods. Portnox Cloud fully supports certificate-based authentication and recommends it as a more secure alternative to traditional credential-based approaches.
- A certificate is issued to a specific device, and its private key is generated on that device and stored as non-exportable, preferably in hardware such as a TPM or Secure Enclave. The certificate itself is public; it is the key that cannot be copied or moved, which ensures that only that device, or the authorized user on it, can use the certificate. (A key imported from a PKCS#12 file without these protections does not get this guarantee.)
- If a device with an installed certificate is lost, stolen, or compromised, the organization revokes the certificate. Authentication servers that check revocation (via a CRL or OCSP) then refuse it, and a new certificate must be issued before the device can regain access once it is recovered.
- A certificate carries the signature of the issuing certificate authority (CA). Forging one would require the CA's private key or a break of the signature algorithm, so attackers cannot create fake certificates or impersonate authorized devices. The corollary is that the CA's key is the asset that most needs protecting.
- Organizations can issue certificates internally and distribute them to devices through UEM/MDM tools, dedicated agents, or secure web portals. This lets certificates be used on many device types, including laptops, mobile devices, and certain IoT equipment, not just traditional computers and smartphones.
- A certificate proves that the device is trusted and that a specific user account is logged in on it; it does not prove who is sitting at the device. Certificates should therefore be combined with local device authentication, preferably secure passwordless options such as biometrics, to confirm that the authorized user is the one accessing the device.
Securing networks with certificates, 802.1X, and RADIUS
In this section, you will learn how 802.1X and RADIUS work together with digital certificates to provide strong network security, and how all major operating systems support these standards, so that nearly all computers and mobile devices can join a network using passwordless authentication.
802.1X (see: Secure networks) is the standard for port-based network access control. It carries the Extensible Authentication Protocol (EAP) between the connecting device and the network, and the network relays EAP to a RADIUS server. With EAP-TLS, the EAP method built on mutual TLS certificate authentication, the RADIUS server verifies the device's or user's certificate, so trusted access is granted without any password.
Certificates must first be installed on devices before they can be used for network authentication:
- The organization uses Portnox Cloud to issue a certificate to the device or its user. Alternatively, certificates can be issued using the organization's own certificate authority.
- Certificates are delivered and installed using UEM/MDM tools, the optional Portnox agent software (AgentP), or through the self-onboarding portal (recommended for IoT devices such as printers).
- The certificate is securely stored on the device and is bound to that specific device or user. It can now be used for various authentication purposes.
Once installed, the certificate is used to authenticate the device on the network:
- The user device (the supplicant) requests network access over 802.1X from the NAS device (the authenticator), such as a switch or access point, which enforces 802.1X on a specific port (Ethernet) or SSID (Wi-Fi). The supplicant and the RADIUS server then run an EAP-TLS handshake in which the device presents its certificate and proves possession of the matching private key.
- The NAS device does not interpret the certificate itself; it encapsulates the EAP messages in RADIUS Access-Request packets and forwards them to the Portnox Cloud RADIUS server. Portnox Cloud validates the certificate chain against the trusted CA, checks validity dates and revocation status, matches the user's or device's identity against the authentication repository, and replies with a RADIUS Access-Accept or Access-Reject, optionally with attributes such as a VLAN assignment.
- The NAS device enforces the decision based on the response from the RADIUS server.
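The following script is an added example, not Portnox code and not a description of how Portnox Cloud is implemented internally. It compresses the certificate lifecycle described in the two sections above into one run: a small OpenSSL-based CA stands in for Portnox Cloud or the organization's own CA, device keys are generated on the "device" and only a signing request goes to the CA, and an `authorize` function stands in for the RADIUS server's decision (chain to the trusted CA, client-authentication purpose, revocation via CRL, then identity lookup). A look-alike CA with the same name and a revoked certificate show the two checks that matter most. It assumes only the openssl command-line tool; the CA name, device names, identities and the "repository" list are constructed for the example. The real exchange carries the certificate inside an EAP-TLS handshake encapsulated in RADIUS; this example reproduces only what the server decides once it holds the certificate.

```shell
#!/bin/sh
# Added example, not Portnox code. Requires only the openssl CLI.
# The CA, device names, identities and the repository list are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal CA configuration; "device_ca" stands in for Portnox Cloud or an internal CA.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = device_ca
[ device_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/issued
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = device_policy
[ device_policy ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
CN = Example Device CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
EOF
mkdir issued; touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# Identities the RADIUS server may map a certificate to (constructed "authentication repository").
REPOSITORY="laptop-42@example.com
printer-7@example.com"

make_ca() {   # $1 = key file, $2 = certificate file (self-signed, CA extensions from ca.cnf)
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    openssl req -new -x509 -config ca.cnf -key "$1" -days 365 -out "$2" 2>/dev/null
}
make_csr() {  # $1 = device name. The private key is generated on the device and never leaves it.
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}
write_ext() { # $1 = device name, $2 = identity for the SAN. The CA, not the requester, decides extensions.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\nsubjectAltName = email:%s\n' "$2" > "$1.ext"
}
issue_device_cert() { # $1 = device name, $2 = identity; the organization's CA signs the CSR
    write_ext "$1" "$2"
    openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.pem" -extfile "$1.ext" >/dev/null 2>&1
}
publish_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }
revoke_device_cert() { openssl ca -config ca.cnf -revoke "$1.pem" >/dev/null 2>&1; publish_crl; }

cert_identity() { # the identity carried in the certificate's subjectAltName
    openssl x509 -in "$1" -noout -text | grep -o 'email:[^, ]*' | head -n 1 | cut -d: -f2
}
in_repository() { printf '%s\n' "$REPOSITORY" | grep -qx "$1"; }

# The RADIUS server's decision for a certificate presented through EAP-TLS: chain to the trusted CA,
# client-authentication purpose, revocation status, then identity lookup. Prints Access-Accept/Reject.
authorize() {
    if ! openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check -purpose sslclient "$1" 2>/dev/null | grep -q ': OK$'; then
        echo "Access-Reject"; return 0
    fi
    id="$(cert_identity "$1")"
    if [ -z "$id" ] || ! in_repository "$id"; then
        echo "Access-Reject"; return 0
    fi
    echo "Access-Accept"
}

make_ca ca.key ca.pem
publish_crl   # an empty CRL so revocation checking works from day one
for dev in laptop-42 printer-7 unknown-1; do make_csr "$dev"; issue_device_cert "$dev" "$dev@example.com"; done

# A look-alike CA with the same name but its own key, signing a certificate that claims a valid identity.
make_ca rogue_ca.key rogue_ca.pem
make_csr rogue; write_ext rogue laptop-42@example.com
openssl x509 -req -in rogue.csr -CA rogue_ca.pem -CAkey rogue_ca.key -CAcreateserial \
    -days 90 -extfile rogue.ext -out rogue.pem 2>/dev/null

for f in laptop-42 printer-7 unknown-1 rogue; do echo "$f: $(authorize "$f.pem")"; done
revoke_device_cert laptop-42   # the laptop is reported stolen
echo "laptop-42 after revocation: $(authorize laptop-42.pem)"
```

Expected run: laptop-42 and printer-7 are accepted, unknown-1 is rejected because its identity is not in the repository even though the certificate is genuine, rogue is rejected with a signature failure because the look-alike CA's key is not the trusted one, and laptop-42 is rejected once the CRL lists it. The point of the rogue case is that a matching issuer name buys an attacker nothing: only a signature made with the real CA key is accepted, which is why the CA key is the asset to protect. The point of the `publish_crl` call before any revocation is that a server that has no CRL or OCSP source cannot enforce revocation at all, so revocation data must be published and reachable from the start.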
Passwordless access to cloud and on-prem applications and resources
In this section, you will learn how digital certificates can be used not only for network authentication, but also to control access to internal and cloud-based applications and resources.
While securing access to the network is essential, the real goal is to protect the applications and resources that are part of that network, whether they’re hosted in the cloud or on-premises. Most cloud-based applications rely on identity providers like Entra ID, Google Workspace, or Okta Workforce Identity, while internal applications often require remote access through complex VPN setups that provide limited security control and visibility.
- Single Sign-On (SSO) services like those from Microsoft, Google, or Okta allow users to access cloud-based applications without re-entering passwords, which improves user experience and reduces reliance on weak credentials. However, SSO alone doesn't evaluate the device being used, meaning an untrusted, outdated, or compromised device can still access sensitive data.
Portnox ZTNA extends this model by requiring the same certificate used for secure network access to also be presented by the browser during application access. This adds a strong device-based verification step before granting access, ensuring the device is recognized and trusted.
- Traditional VPNs are often the only way for users to reach internal applications or private cloud applications, but they come with downsides: they're expensive, difficult to configure and maintain, and they provide broad access to the internal network once connected. This all-or-nothing approach means users who need access to just one internal service may end up with visibility into the entire network.
Portnox ZTNA avoids this by authenticating access to specific applications using the same certificate used for Wi-Fi, wired networks, and SSO-based applications, allowing precise, certificate-based access to internal resources without exposing the rest of the network.
One certificate, issued and managed by Portnox or the organization, serves as a secure passport granting access not only to the network but also as an additional layer of security for SSO applications. It enables controlled access to on-premises and private cloud applications without exposing the entire internal network. Beyond simple authentication, this infrastructure also performs risk assessment, ensuring that devices are not just trusted but also free from compromise that could undermine security.