A while ago I've tested FEITIAN FIDO2 security keys. This time I'm testing passwordless authentication with IDmelon for my Azure AD / Office 365 authentications!
Passwordless authentication is an authentication method in which a user can log in to a computer system without entering (and having to remember) a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier (username, phone number, email address etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token.
Passwordless authentication methods typically rely on public-key cryptography infrastructure, where the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user's device (PC, smartphone or an external security token) and can only be accessed by providing a biometric signature or another authentication factor which isn't knowledge-based.
Source: wikipedia
At the beginning I was somewhat skeptical, but testing did change my mind! The reason for my skepticism was that I needed to use a third-party app and/or software while I'm completely Microsoft minded. IDmelon developed their own Authenticator App and a physical security key. It is basically a three-in-one solution:
1. IDmelon BLE Reader (tap-and-login experience)
2. The standalone mode of the Reader (which acts like a normal PIN-protected security key)
3. IDmelon Pairing Tool (push notification/authentication on your smartphone)
IDmelon mentioned that option 3 is very easy: there is no additional hardware to purchase, ship and/or hand over to the end users. Therefore an overnight deployment might be possible with less effort for IT admins.
Usage methods
IDmelon Reader supports 2 different working modes:
Smartphone BLE Reader
In this mode, the hardware works as a BLE reader and can detect a single tap of a user's smartphone, similar to the experience of tapping access cards on NFC or RFID readers or Tap to Pay on iPhone and Android phones. There is no need to pair the smartphone with the reader; having the IDmelon app installed on the smartphone and keeping the smartphone's Bluetooth on is enough for this mode to work.
FIDO2 USB Security Key
In this mode, the IDmelon hardware works as a standalone FIDO2 USB Security Key. The function is the same as other FIDO USB security keys, and user authentication is done by a PIN. There is no need to have a smartphone in this mode; the hardware works independently as a backup FIDO security key. Each mode has different capabilities and is designed for a specific use case. Users can switch and choose their working mode according to their needs and use cases.
Note: On top of the reader you can see an LED indicating the working mode. When the LED is GREEN, the reader is in FIDO2 Security Key mode. When the LED is WHITE, the reader is in Smartphone BLE mode. Switching the operating mode is simple: press the push button on the side until you hear a "beep". Give it a few seconds to switch the operating mode.
Smartphone BLE Reader: Install IDmelon Pairing Tool
First, we need to install the Pairing Tool on our device. The tool can be downloaded here. The process is straightforward.
Note: Silent installation is also available. Simply run setup.exe /S.
Note: The setup.exe modifies the Windows Firewall rules by running AddRules.bat. It adds several exclusions with the parameters profile=any action=allow protocol=any. IDmelon states that in upcoming versions this access will be limited.
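To see exactly which allow-any rules ended up in the firewall after the installer ran, here is an added PowerShell audit function (my example, not IDmelon's tooling). The post does not give the rule names or install path, so it matches on the rule properties mentioned above (profile=any, action=allow, protocol=any) and optionally on a substring of the program path you supply.

```powershell
# Added example: list enabled firewall rules that allow any protocol on all profiles,
# together with the program and remote-address scope they apply to.
function Get-BroadAllowRule {
    [CmdletBinding()]
    param(
        # Optional substring of the program path to narrow the output (assumed value,
        # e.g. part of the install directory of the tool you are auditing).
        [string]$ProgramFilter = ''
    )
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        # 'Any' protocol combined with Profile 'Any' (Domain + Private + Public)
        # is the overly broad combination the installer note describes.
        if ($port.Protocol -eq 'Any' -and $rule.Profile -eq 'Any') {
            if (-not $ProgramFilter -or $app.Program -like "*$ProgramFilter*") {
                [pscustomobject]@{
                    Name          = $rule.DisplayName
                    Direction     = $rule.Direction
                    Program       = $app.Program
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
    }
}

# Usage: run in an elevated PowerShell and review the result.
Get-BroadAllowRule | Format-Table -AutoSize
```

Rules that only need to talk to a phone on the local network can afterwards be narrowed with Set-NetFirewallRule (for example restricting -Profile and -RemoteAddress) rather than left open on every profile.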
Smartphone BLE Reader: Pair your smartphone!
1. Start the IDmelon Pairing Tool and follow the steps shown on your screen. Click Start scanning and point your smartphone camera at the QR code shown in the IDmelon Pairing Tool. This should be done with the IDmelon App, which is available in the App Store and Play Store.
2. Enter a name for your smartphone. I named it IDmelon iPhone. Click OK.
3. That's it! The smartphone and PC are now paired. Click Done.
Smartphone BLE Reader: Login to office.com
I've tested the passwordless logon method by accessing https://www.office.com. Because I paired my phone in the previous step, I can now use the IDmelon Authenticator App. To do so I have to hold the phone within a short range of the IDmelon Reader. While doing so, the login request has to be approved (or denied) in the Authenticator App.
FIDO2 USB Security Key
Before we can use the IDmelon reader as a Security Key, we have to switch the operating mode. To do this, press the Push Button until you hear a beep. The LED will start blinking GREEN, which means the operating mode is switching. This process takes approximately 15 seconds. When the IDmelon reader stops blinking, the operating mode has been switched to Security Key mode.
Again, we're going to use www.office.com as our test. I used an InPrivate/incognito browser, filled in my e-mail address and clicked Sign in with a security key.
First, I have to enter my Security Key PIN, which I have configured already. This process is described here in the Microsoft docs.
Second, touch the Push Button on the IDmelon reader.
That's it! Another logon method with the IDmelon FIDO2 Security Key. This one is probably familiar to most people, as it is basically the same with all FIDO2 Security Keys, as I have shown in this blog already.
Finally, I would like to thank Mina Roohi for the opportunity to test IDmelon! Check out their products at idmelon.com
Great!