
Passwordless Authentication

Eliminate passwords entirely. Use certificates, biometrics, and hardware keys for secure, frictionless authentication.

Estimated time: 15 minutes

Authentication Methods

Certificate Authentication

Short-lived certificates eliminate shared secrets

WebAuthn/FIDO2

Hardware security keys and platform authenticators

Mobile Push

One-tap approval from your mobile device

Biometric

Face ID, Touch ID, and Windows Hello

Configuration Steps

1. Enable Passwordless Authentication

Configure the auth service for passwordless login.

tacctl create -f - <<EOF
kind: cluster_auth_preference
metadata:
  name: default
spec:
  type: passwordless
  second_factor: webauthn

  webauthn:
    rp_id: access.company.com
    allow_passwordless: true
    resident_key: required
    user_verification: required
EOF

2. Configure WebAuthn

Set up WebAuthn for biometric and hardware key authentication.

tacctl create -f - <<EOF
kind: authentication_preference
metadata:
  name: passwordless-webauthn
spec:
  webauthn:
    attestation: indirect
    authenticator_attachment: platform
    resident_key: required
    user_verification: required

  allowed_authenticators:
    - platform  # Touch ID, Face ID, Windows Hello
    - cross-platform  # YubiKey, Titan
EOF

3. Register Authenticators

Users register their biometrics or security keys.

# Register a new authenticator (user runs this)
tac auth register

# List registered authenticators
tac auth list

# Remove an authenticator
tac auth remove --name="MacBook Touch ID"

# Register via web UI
# Navigate to access.company.com/settings/authenticators

4. Configure Certificate-Based SSH

Enable passwordless SSH with certificates.

# Login and get certificate
tac login

# SSH without password
tac ssh user@server

# Configure for native SSH client
tac config --proxy=access.company.com

# Now works with native ssh
ssh [email protected]

5. Set Up Mobile Push Authentication

Enable one-tap approval from mobile devices.

tacctl create -f - <<EOF
kind: authentication_preference
metadata:
  name: mobile-push
spec:
  allowed_methods:
    - webauthn
    - push_notification

  push:
    enabled: true
    timeout: 60s
    require_biometric: true
EOF
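The settings in step 1 that actually turn WebAuthn into a passwordless factor are `resident_key: required` (a discoverable credential, so no username/password prompt is needed) and `user_verification: required` (the authenticator checks a PIN or biometric), and `rp_id` must be the proxy host from step 4 or a parent domain of it. The following is an added example, not part of this guide or the tac tooling: an audit over the step 1 spec once it has been loaded into a dict (for instance with `yaml.safe_load`); the sample specs are constructed.

```python
def rp_id_matches_proxy(rp_id: str, proxy_host: str) -> bool:
    """WebAuthn only accepts an RP ID that is the origin's host or a parent
    domain of it, so "access.company.com" is valid for itself and for
    "ssh.access.company.com" but not for "other.company.com"."""
    rp_id = rp_id.lower().rstrip(".")
    host = proxy_host.lower().rstrip(".")
    # an empty RP ID or a bare TLD is never acceptable
    if not rp_id or "." not in rp_id:
        return False
    # the "." prefix prevents "accesscompany.com" matching "company.com"
    return host == rp_id or host.endswith("." + rp_id)


def audit_passwordless(spec: dict, proxy_host: str) -> list:
    """Return findings for a cluster_auth_preference spec (keys as used in
    step 1 of the guide); an empty list means the spec is passwordless-ready."""
    findings = []
    if spec.get("type") != "passwordless":
        findings.append("type: must be 'passwordless'")
    if spec.get("second_factor") != "webauthn":
        findings.append("second_factor: must be 'webauthn'")
    wa = spec.get("webauthn") or {}
    rp_id = wa.get("rp_id", "")
    if not rp_id_matches_proxy(rp_id, proxy_host):
        findings.append(f"webauthn.rp_id: {rp_id!r} does not cover proxy {proxy_host!r}")
    if wa.get("allow_passwordless") is not True:
        findings.append("webauthn.allow_passwordless: must be true")
    # discoverable credential + user verification are what replace the password
    if wa.get("resident_key") != "required":
        findings.append("webauthn.resident_key: must be 'required'")
    if wa.get("user_verification") != "required":
        findings.append("webauthn.user_verification: must be 'required'")
    return findings


# Constructed samples: the step 1 spec as a dict, and a weakened variant.
GOOD_SPEC = {
    "type": "passwordless", "second_factor": "webauthn",
    "webauthn": {"rp_id": "access.company.com", "allow_passwordless": True,
                 "resident_key": "required", "user_verification": "required"},
}
WEAK_SPEC = {
    "type": "passwordless", "second_factor": "webauthn",
    "webauthn": {"rp_id": "company.org", "allow_passwordless": True,
                 "resident_key": "preferred", "user_verification": "preferred"},
}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("weak", WEAK_SPEC)):
        print(name, audit_passwordless(spec, "access.company.com") or "OK")
```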

Passwordless Enabled

With passwordless authentication configured, you have:

  • No passwords to steal, phish, or reset
  • Phishing-resistant authentication
  • Improved user experience
  • Compliance with zero trust principles