My Passwordless App on IBM Cloud With FIDO2


In this article, we discuss how to use FIDO2 in order to eliminate passwords within a sample application.


Passwords are bad. Often, they are the cause of data breaches. They are too short, too easy to guess, shared across multiple sites, and repeatedly stored. That has to change. FIDO2, with the underlying WebAuthn and CTAP2 specifications, seems to have the ability to move us to a passwordless world. 

I tried to make an existing application on IBM Cloud support passwordless login. Here is what I did and how I succeeded.

What Happened Before...

In my quest to go passwordless, I am using the secure-file-storage app, which is part of the tutorial on end-to-end security for a cloud app. The tutorial uses IBM App ID to authenticate users. App ID can be configured with different identity providers, from social IDs like Google or Facebook, to federated IDs based on SAML.

Going Passwordless

With the recently added FIDO2 support in Cloud Identity and the new option to enable passwordless logins, going passwordless for the app meant merely finding and activating the right options. As a Cloud Identity administrator, I navigated to the security settings and the new tab Sign-in options. There, I could enable FIDO2 support for the users managed in the Cloud Directory (the built-in user management):

Enable FIDO2 sign-in

Enable FIDO2 sign-in

PIN or Fingerprint Instead of Password

After enabling the support, I tested the app. There, I was offered the option to sign in without a password. Next, I was prompted to insert and touch the security key. Once I had done this, because I was using a device without a fingerprint scanner, I needed to enter the PIN for the USB dongle:

Enter PIN or touch with finger

Enter PIN or touch with finger

With that, the FIDO2 key could provide my identity, and Cloud Identity prompted me to confirm my username:

Confirming username

Confirming username
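As an added illustration (not code from this article or from Cloud Identity), here is what the relying party side has to check in the WebAuthn authenticatorData before it accepts a FIDO2 assertion as a password replacement: the PIN-or-fingerprint step above corresponds to the user-verified (UV) flag, and an assertion that only proves a touch on the key (UP) should not be accepted as passwordless. The relying party ID and counter values are constructed placeholders; verifying the signature with the stored public key is a separate step not shown here.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint checked by the authenticator


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_passwordless_assertion(auth_data: bytes, rp_id: str, last_sign_count: int) -> list:
    """Return the reasons to reject the assertion; an empty list means it passes these checks."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the relying party ID")
    if not parsed["flags"] & FLAG_UP:
        problems.append("user presence flag not set (key was not touched)")
    if not parsed["flags"] & FLAG_UV:
        problems.append("user verification flag not set (no PIN/fingerprint); not a password replacement")
    # Per the WebAuthn spec: once either counter is non-zero, it must strictly increase.
    if (parsed["sign_count"] != 0 or last_sign_count != 0) and parsed["sign_count"] <= last_sign_count:
        problems.append("signature counter did not increase (possible cloned authenticator)")
    return problems


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData without attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    RP_ID = "secure-file-storage.example"  # placeholder relying party ID, not the real app's domain
    with_uv = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    touch_only = build_auth_data(RP_ID, FLAG_UP, 43)
    print(check_passwordless_assertion(with_uv, RP_ID, 41))     # []
    print(check_passwordless_assertion(touch_only, RP_ID, 41))  # one problem: UV flag missing
```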

When I clicked my profile, I was logged into my secure file storage app, all without providing any password. In summary, it was relatively easy to go passwordless. It still feels unreal, but I am looking forward to actually using it more often — not just on my IBM Cloud app, but with more and more applications, platforms and services.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Published at DZone with permission of Henrik Loeser. See the original article here.
