Passwordless.ID is a free public identity provider that lets users sign in or sign up to web apps using their fingerprint, face recognition or local authentication mechanisms like a swipe pattern or PIN code. The result: no more passwords, a much smoother user experience and vastly improved security. It provides two-factor authentication using a single touch or a smile at the camera. Awesome, right? Try it now: it's a public service, free forever, no account necessary!
Since a picture is worth a thousand words, here it comes... and actually, a bunch of them.
Authentication on various platforms
I used my own phone/laptop with a German locale, sorry guys. 😅
The cornerstone of this authentication service is delegating user verification to the local platform. You may use your device's fingerprint sensor, a swipe pattern, Windows Hello with face recognition or even plain old passwords... whatever is configured locally on your device.
By the way, if anybody could provide me a screenshot from a Mac or iPhone, that would be great!
Creating a new user
Creating a new user only requires a username. An e-mail address (although useful) is entirely optional. Why? Because there is no need for "I forgot my password"!
Upon clicking "Create Account" you will be prompted for local authentication. Once done, your account is created. That's it. What follows is simply defining your profile... if you want to.
Once you pick your avatar, you must prove it's you by using local authentication. Don't worry, none of the information like fingerprints or PIN codes is ever sent to the server. It is used locally to sign a message using asymmetric cryptography and prove you are you.
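The signing idea described above, as an added example that is not Passwordless.ID's own code: a device keeps a private key, the server stores only the public key and checks a signature over a fresh random challenge. The function names, the P-256 curve and the single-use challenge handling are assumptions made for illustration, and the local fingerprint/face/PIN unlock of the key is not modelled.

```javascript
// Added illustration; names, curve and flow are assumptions, not the service's code.
const crypto = require("node:crypto");

// Device side: the private key never leaves this closure. On a real device it
// would be unlocked by the local fingerprint/face/PIN check (not modelled here).
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only key material the server ever receives
    sign: (challenge) => crypto.sign("sha256", challenge, privateKey),
  };
}

// Server side: stores public keys per user and issues single-use challenges.
function createServer() {
  const registered = new Map(); // username -> [publicKey, ...]
  const pending = new Map();    // username -> challenge awaiting a signature
  return {
    register(username, publicKey) {
      registered.set(username, [...(registered.get(username) || []), publicKey]);
    },
    newChallenge(username) {
      const challenge = crypto.randomBytes(32);
      pending.set(username, challenge);
      return challenge;
    },
    verify(username, signature) {
      const challenge = pending.get(username);
      pending.delete(username); // each challenge is checked at most once
      if (!challenge) return false;
      const keys = registered.get(username) || [];
      return keys.some((key) => crypto.verify("sha256", challenge, key, signature));
    },
  };
}

// Constructed walk-through: one registered device, one unregistered device.
function demo() {
  const server = createServer();
  const phone = createDevice();
  const stranger = createDevice();
  server.register("alice", phone.publicKey);

  const sig = phone.sign(server.newChallenge("alice"));
  const ok = server.verify("alice", sig);     // registered device, fresh challenge
  server.newChallenge("alice");
  const replay = server.verify("alice", sig); // old signature against a new challenge
  const other = server.verify("alice", stranger.sign(server.newChallenge("alice")));
  return { ok, replay, other };
}
```
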
OAuth2 / OpenID flow
That is the whole purpose of this service: letting any website on the internet easily ask "Who are you?". Since it is public, you can use it out of the box, even without an account.
One of the more unusual aspects of this kind of authentication is that it is more secure by default. Only your registered devices can sign in. As such, it is important that adding a new device is easy.
Once you scan the QR code, you will be able to register your other device directly.
And after a while, you may end up with several authorized devices.
If you cannot scan the QR code or open the link in the e-mail, you can also enter the OTP code manually.
Now, if you have registered only a single device, without email or phone, you might be in trouble. In that case, losing your device would make it impossible to connect to your account anymore. That's why the interface emphasizes user guidance. It is a new topic for the users too.
After a classic e-mail confirmation, it already looks much better. Alternatively, you could also have just registered another device via QR code. Both are ways to ensure safety.
E-Mail confirmation and recovery
IMHO the screenshots do not really convey the usage and the feeling of this "service" very well. However, they might give a slight idea of it. I recommend trying out the demo if you are curious or looking at the main site.
Although it's usable and has the fundamental things working right, it is still a bit rough around the edges. It still has to be fleshed out regarding certain aspects and needs some polish too. But it's working. It is in a kind of early preview.
That is why feedback is always welcome!