The latest update on my quest to go passwordless with my app on IBM Cloud.
In my recent post, I discussed how I could use a FIDO2 dongle as second factor for an app on IBM Cloud. Today, I want to give you an update because I managed to go passwordless.
With the latest October update, Cloud Identity started to offer passwordless login with either FIDO2 or QR code (using the IBM Verify app). I put that to a quick test for my secure file storage app. Here is what I did to go passwordless:
What happened before
In my quest to go passwordless, I am using the secure file storage app which is part of the tutorial on end-to-end security for a cloud app. The tutorial uses IBM App ID to authenticate users. App ID can be configured with different identity providers, from social IDs like Google or Facebook to federated IDs based on SAML.
Another product is IBM Cloud Identity (CI). CI provides identity-as-a-service (IDaaS) for employees, including SSO, multifactor authentication, and user lifecycle management, and it offers FIDO2 support. I configured Cloud Identity as identity provider to App ID.
Going passwordless
With the recently added FIDO2 support in Cloud Identity and the new option to enable passwordless logins, going passwordless for the app was merely a matter of finding and activating the right options. As CI administrator, I navigated to the security settings and the new tab, Sign-in options. There, I could enable FIDO2 support for users of the integrated Cloud Directory (user management):
PIN instead of password
After enabling the support, I tested the app. There, I was offered the option to sign in without a password (see first screenshot). Next, I was prompted to insert and touch the security key. Once done, when using a device without a fingerprint scanner, I needed to enter the PIN for the USB dongle:
With that, the FIDO2 key could provide my identity and Cloud Identity prompted me to confirm my user name:
Conclusions
One more click and I was logged into my secure file storage app, all without providing any password. In summary, it was relatively easy to passwordless. It still feels unreal, but I am looking forward to see and actually use it more often—not just on my IBM Cloud app, but with more and more applications, platforms and services.
If you want to get started, I recommend the following related tutorials and blogs:
- Blog on enabling FIDO2 support for your cloud app.
- IBM Cloud solution tutorial showing you how to apply end-to-end security to your app.
- IBM Cloud solution tutorial on how to enhance security for a deployed app.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.