Going Passwordless on IBM Cloud Thanks to FIDO2

2 min read

By: Henrik Loeser

The latest update on my quest to go passwordless with my app on IBM Cloud.

In my recent post, I discussed how I could use a FIDO2 dongle as second factor for an app on IBM Cloud. Today, I want to give you an update because I managed to go passwordless. 

With the latest October update, Cloud Identity started to offer passwordless login with either FIDO2 or QR code (using the IBM Verify app). I put that to a quick test for my secure file storage app. Here is what I did to go passwordless:

Passwordless sign-in as preferred login option.

Passwordless sign-in as preferred login option.

What happened before

In my quest to go passwordless, I am using the secure file storage app which is part of the tutorial on end-to-end security for a cloud app. The tutorial uses IBM App ID to authenticate users. App ID can be configured with different identity providers, from social IDs like Google or Facebook to federated IDs based on SAML. 

Another product is IBM Cloud Identity (CI). CI provides identity-as-a-service (IDaaS) for employees, including SSO, multifactor authentication, and user lifecycle management, and it offers FIDO2 support. I configured Cloud Identity as identity provider to App ID.

Going passwordless

With the recently added FIDO2 support in Cloud Identity and the new option to enable passwordless logins, going passwordless for the app was merely a matter of finding and activating the right options. As CI administrator, I navigated to the security settings and the new tab, Sign-in options. There, I could enable FIDO2 support for users of the integrated Cloud Directory (user management):

Enable FIDO2 passwordless login.

Enable FIDO2 passwordless login.

PIN instead of password

After enabling the support, I tested the app. There, I was offered the option to sign in without a password (see first screenshot). Next, I was prompted to insert and touch the security key. Once done, when using a device without a fingerprint scannerI needed to enter the PIN for the USB dongle:

Unlock the security key.

Unlock the security key.

With that, the FIDO2 key could provide my identity and Cloud Identity prompted me to confirm my user name:

Confirm associated account.

Confirm associated account.

Conclusions

One more click and I was logged into my secure file storage app, all without providing any password. In summary, it was relatively easy to passwordless. It still feels unreal, but I am looking forward to see and actually use it more often—not just on my IBM Cloud app, but with more and more applications, platforms and services. 

If you want to get started, I recommend the following related tutorials and blogs:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn

Be the first to hear about news, product updates, and innovation from IBM Cloud