Enhancing Secure Identity Management: A Systematic Review of Passwordless Authentication Techniques

P Yasasve, K. Niranjan, Sridharv

Abstract

Access and identity management is a fundamental security concern as digital services grow at an enormous rate. Password-based authentication (traditionally, the user supplies a password to enter the system) is increasingly ineffective: user-chosen passwords are exposed to phishing, brute-force, credential-stuffing and reuse attacks, and they impose a usability and management burden. Secure passwordless authentication also improves user experience and reduces operational cost, since it removes traditional passwords and replaces them with cryptographic credentials, device identities, or multiple factors. In this paper, the authors analyze recent advances in passwordless authentication, grouped into biometrics, hardware tokens, platform authenticators, public-key cryptography, and behavioral or continuous authentication, and consider their security properties, usability trade-offs, deployment issues, and privacy and regulatory concerns. The paper proposes an enterprise-ready reference architecture for a passwordless authentication system that integrates the FIDO2 / WebAuthn standards, device attestation, multi-modal biometric verification and adaptive risk-based authentication controls. The threats identified during the system analysis are device compromise, biometric spoofing, supply-chain vulnerabilities and privacy leakage. To address these risks, the following defensive mechanisms are proposed: cryptographic attestation, use of secure enclaves, decentralized key recovery and privacy-preserving biometric template storage. Such a strategy offers a high degree of both security and user-friendliness while remaining aligned with existing security demands.
In addition, the analysis includes a systematic review framework based on key criteria: security, usability, interoperability, cost efficiency, and regulatory compliance. The findings indicate that passwordless authentication systems are a viable and scalable solution for existing identity management, provided they are designed and implemented correctly. However, deploying them requires that device lifecycle management, recovery mechanisms, user experience and socio-technical factors be taken into consideration. Overall, passwordless authentication is one step toward more secure, robust, and convenient digital identity systems.