Would you ever consider username and MFA authenticator as a true 2-factor passwordless authentication?

November 03, 2020
Dusan Vitek

We often talk about the passwordless experience. For IT and IAM professionals the term passwordless is an abbreviation for “passwordless authentication” and it frequently involves a Single Sign-On system or SSO portal. For the rest of us it’s simply “passwordless login” — a convenient way to sign into my favorite mobile app or website without any password.

The fundamental value proposition of passwordless for anyone managing user identities is the removal of the human password element, the biggest risk in the system.

But passwordless login does not mean you are eliminating authentication. You may still require several authentication factors, although they may not be as obvious or visible as a password.

Our customers often say: “It sounds great in theory, but we’re concerned about the security. If we make the SecureAuth Authenticate OTP app the primary authentication token — isn’t this really just one factor if you’re going passwordless?”

The simple answer is: “No, going passwordless with a single OTP app still meets the criteria of multiple factors.”

Connecting various visible and invisible factors into a single, adaptive authentication policy in your IAM system lets you determine which combination of two or more non-password authentication factors is acceptable for your risk tolerance. In practice, this will almost always represent multiple possible combinations – as some factors provide a low relative level of security assurance, while other factors provide a high level of security assurance.

Now let’s break this down:

1. Pre-authentication context analysis – the invisible factor “zero”

Pre-authentication context analysis is a core component. While this is technically not a factor, it serves as a critical signal in validating whether both a user and her authentication factors are behaving in an expected way.

Pre-authentication context analysis allows you to understand whether the user (or a malicious actor entering the username) is initiating the login from an expected location, at an expected time, using an expected browser on an expected OS. These are critical pieces of information that a cloud IAM system such as SecureAuth can evaluate EVEN BEFORE the user provides any authentication factor.

As a result, this adaptive risk and trust assessment lets you identify a user with a high degree of probability before you ask her to enter anything, call it a password, call it MFA.

2. One-time “password” – the first factor

The most advanced OTP authenticators like SecureAuth Authenticate now provide Push-to-Accept. Push-to-Accept replaces the need for the user to retype a passcode from their smartphone screen; the passcode is sent behind the scenes.

Push-to-Accept provides the first (and often the only) authentication factor visible to the user.

For high-risk logins SecureAuth can switch to Symbol-to-Accept. The simple Accept/Deny options of Push-to-Accept are replaced with a set of four symbols (i.e. letters) and the user is required to tap the symbol that matches what she sees on the login screen. This makes the authentication step less susceptible to careless auto-accept.

3. Biometrics – the second factor

In a passwordless login flow you can still require that the user have biometrics enabled on their phone in order to interact with the SecureAuth Authenticate app. With Push-to-Accept the user must first unlock the OTP app with Face Unlock, Face ID, Touch ID, or Fingerprint Unlock before she can tap Accept.

Even if someone stole the phone, they still wouldn’t be able to use the authenticator app without a Face ID.

As part of the request for an additional factor, you verify that the smartphone has a sufficient quality of biometrics associated with it. You won’t accept just any smartphone with a fingerprint reader; the phone must reach the quality you require. This device integrity verification extends to detecting jailbroken or cloned devices and to detecting whether the phone is set up to require a PIN or Face ID. If these verifications fail, you can reject all attempts coming from this phone.

True 2-factor passwordless with SecureAuth and mobile OTP app

So, with just the SecureAuth mobile authenticator app you now have passwordless authentication that relies on a combination of two types of factors:

  • Something you have: your phone – as your first factor.
  • Something you are: Face ID/Face Unlock biometrics – as your second factor.

Technically, you may also allow a PIN Unlock for the MFA app instead of biometrics – in that case “something you are” (fingerprint) would become “something you know” (PIN).

At this point, your user is using two independent factors, but neither of them has anything to do with typing a password. For us at SecureAuth, entering a password is just another factor; doing passwordless means I’m using another factor instead.

In summary, two-factor passwordless login is something you can easily do with just the smartphone.
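
The policy described in the sections above (context analysis first, then a device integrity check, then two factors from different categories, with Symbol-to-Accept on high-risk logins) can be sketched as follows. This is an added example, not SecureAuth code or a SecureAuth API: the factor names, the `LoginContext` and `Device` fields, and the two-miss risk threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical factor names mapped to the category each one proves.
FACTOR_CATEGORY = {
    "push_to_accept": "have",      # possession of the enrolled phone
    "symbol_to_accept": "have",    # same phone, harder to auto-accept
    "biometric_unlock": "are",
    "pin_unlock": "know",
}

@dataclass
class LoginContext:                # signals available before any factor is requested
    expected_location: bool
    expected_time: bool
    expected_browser: bool
    expected_os: bool

@dataclass
class Device:
    jailbroken: bool
    cloned: bool
    screen_lock_enabled: bool      # phone is set up to require a PIN or Face ID

def context_risk(ctx):
    """Factor zero: count unexpected signals. The threshold of 2 is an assumption."""
    misses = [ctx.expected_location, ctx.expected_time,
              ctx.expected_browser, ctx.expected_os].count(False)
    return "high" if misses >= 2 else "low"

def evaluate(ctx, device, presented):
    """Return (decision, reason) for one passwordless login attempt."""
    if device.jailbroken or device.cloned or not device.screen_lock_enabled:
        return ("reject", "device integrity check failed")
    if set(presented) - set(FACTOR_CATEGORY):
        return ("reject", "unrecognized factor")
    # Two prompts on the same phone are still one category ("have").
    categories = {FACTOR_CATEGORY[f] for f in presented}
    if len(categories) < 2:
        return ("reject", "fewer than two independent factor categories")
    if context_risk(ctx) == "high" and "symbol_to_accept" not in presented:
        return ("step_up", "high-risk context requires symbol_to_accept")
    return ("allow", "two factor categories satisfied")
```

Note that presenting both `push_to_accept` and `symbol_to_accept` is rejected: both prove possession of the same phone, so they count as a single category.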

True 2-factor passwordless with SecureAuth and YubiKey

Let’s look at another authentication method that’s getting increasingly popular especially after the introduction of the FIDO2 WebAuthn standard – YubiKey.

Can you enable 2-factor passwordless with just YubiKey the same way you can with SecureAuth Authenticate? In short, yes.

One of SecureAuth’s customers in the energy sector has evolved to the point where they allow passwordless for most of their employees. The company’s IAM team standardized on YubiKey and in their passwordless login flows their users must use a YubiKey device.

Because this is an energy company, some of its employees access critical infrastructure. Interestingly, this is where we’re seeing some of these user authentication use cases cross over from purely digital access to combined digital and physical access.

Those employees – when they authenticate with YubiKey to one of the critical infrastructure systems – are additionally required to enter a YubiKey PIN (“something I have” – YubiKey, and “something I know” – YubiKey PIN). As you can see, this represents two-factor authentication in a pure passwordless setup. The two factors – the YubiKey hardware authenticator and its PIN – are the only two factors visible to a user. Behind the scenes SecureAuth is still performing its pre-authentication and real-time telemetry evaluation as part of the invisible factor zero we covered earlier.

Is passwordless secure? As long as you understand the authentication factors you need from the user, the answer is a resounding yes! Removing the password does not mean reducing security.
