Passwordless authentication verifies a user's identity without a shared password. Instead, authentication relies on something the user has in their physical possession, such as a registered device or hardware security key, and something that identifies who the user is, such as a fingerprint or face. Because there is no password stored on a server or typed into a login form, there is nothing for an attacker to phish, steal in a breach, or guess. Secretless authentication takes the same idea one step further. It eliminates every shared secret, not only passwords, using verifiable identity elements such as biometrics, digital certificates, and hardware tokens. This article explains what passwordless authentication is, how it works under the hood, the methods and their trade-offs, and whether it is genuinely more secure than passwords plus multi-factor authentication. It then extends the idea from app logins to infrastructure access, where standing credentials are the real risk.
Passwordless authentication lets you prove who you are using a device you control and a biometric you can present, instead of a secret you have to remember and that an attacker can take from you.
Any method of verifying identity that does not depend on a shared secret like a password, PIN, or passphrase counts as passwordless. Instead of matching a string the user knows against a string the server stores, passwordless methods verify a possession factor (a device, a phone, a hardware token) and often an inherence factor (a biometric like a fingerprint or face scan). The distinction matters because a password is a shared secret. The user knows it, the server stores a representation of it, and anything in between, from a phishing page to a compromised database, can capture it. Passwordless authentication removes that shared secret entirely.
Passwordless authentication methods eliminate the need for users to remember and enter passwords, which removes the single most attacked credential in security and the risks that come with it: credential theft, phishing, credential stuffing, and brute-force attacks. There is no password to reuse across sites, no password to write down, and no central store of secrets to breach.
As a result, passwordless authentication creates several benefits:
It helps to separate passwordless from its close relatives. Multi-factor authentication (MFA) adds a second check on top of a password, while passwordless replaces the password outright. A passkey is a specific, standards-based form of passwordless login built on public key cryptography. The next sections cover each.
Passwordless is a category rather than a single technique, and the methods differ sharply in how phishing-resistant they are. Most modern passwordless authentication runs on public key cryptography, the same math that secures HTTPS. When you register a device, it generates a key pair: a private key that never leaves the device and a public key that the service stores. There is no shared secret, so there is nothing to phish. The standards that make this work are FIDO2 (Fast Identity Online 2) and WebAuthn (the Web Authentication API), developed by the FIDO Alliance and the W3C. Here is the flow in practice:
Because the private key never leaves the device and the server only ever holds a public key, there is no secret in transit and no secret at rest that an attacker can steal.
The category includes several technologies, which differ in assurance:
Passwordless authentication is more secure than passwords plus MFA when it is built on public key cryptography rather than codes sent over email or text. It counters modern threats such as credential stuffing, account takeover, and breaches that start with a weak or reused password by removing the credential behind most of them. As a growing public key infrastructure (PKI) use case, passwordless authentication proves identity without ever exposing the private key, and it aligns directly with the principles of zero trust by verifying every access request against a cryptographically proven identity rather than a shared secret.
What passwordless does not solve on its own is just as important to state plainly. The security shifts to the device that holds the private key, so device trust matters, because a compromised endpoint can put the key at risk. Account recovery also needs careful design, because the "forgot my password" flow is often the weakest link, and a poorly built recovery path can reintroduce exactly the phishable shortcut you removed. Passwordless is a major upgrade, but it is part of a layered posture rather than a single switch.
[Callout box: What passwordless solves, and what it does not. It eliminates the phishable, reusable, breach-exposed password. It does not eliminate the need for device trust, strong endpoint hygiene, and a recovery flow as phishing-resistant as the primary login.]
For a deeper walkthrough of the mechanics, see how passwordless authentication works and our explainer on FIDO2 and WebAuthn.
Everything above applies to human logins for apps and websites. But the same logic of getting rid of the shared secret has a much larger payoff in infrastructure access, and this is where Teleport extends passwordless into what we call secretless. Secretless authentication is a core element of Teleport's unified identity platform, alongside cryptographic identity, zero trust, ephemeral privileges, and identity and policy governance.
When an engineer connects to a server, database, Kubernetes cluster, or cloud console, the credential in play is rarely just a password. It is an SSH key, an API token, a kubeconfig, a database password, or a long-lived cloud secret. These static credentials sit on laptops, in CI/CD pipelines, in AI agents, and in config files. They are the infrastructure equivalent of a password that never expires, and they are the standing target attackers go after. Going passwordless at the login screen while these credentials persist behind it solves only half the problem.
Secretless authentication closes the rest of the gap. Instead of issuing standing keys and secrets, Teleport issues short-lived cryptographic certificates scoped to a specific identity, with zero standing privileges. The certificate is minted just in time, expires in minutes or hours, and leaves nothing durable for an attacker to steal. This is passwordless applied to every door in your infrastructure, not only the front one. For the conceptual foundation, see what cryptographic identity means and why static credentials are the weak point.
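An added example, not Teleport's own code, of the short-lived certificate idea described above: a stand-in certificate authority mints a client certificate scoped to one identity whose validity window is exactly its TTL, and the server-side check refuses it before or after that window or when it chains to any other authority. The names CA, Issue and Accept and the authority's common name are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CA is a stand-in for the issuing authority; servers trust only its public certificate.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// NewCA creates a self-signed authority (constructed for the example; not a real trust root).
func NewCA() *CA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-access-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &CA{key, cert}
}

// Issue mints a certificate for one identity, valid from now for ttl and not a second longer.
func (ca *CA) Issue(identity string, now time.Time, ttl time.Duration) *x509.Certificate {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the user's machine
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: identity},
		NotBefore: now, NotAfter: now.Add(ttl), // the validity window is the TTL, nothing standing
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &userKey.PublicKey, ca.key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Accept is the server-side check at time at: the cert must chain to this CA and be inside its window.
func (ca *CA) Accept(cert *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Because Accept takes the evaluation time as a parameter, the expiry behaviour can be checked without waiting for the TTL to elapse.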
Teleport extends a single, cryptographically secured identity layer across the four kinds of identity in modern infrastructure: humans, machines, workloads, and AI agents. For human engineers, Teleport Zero Trust Access delivers passwordless, least-privileged access using device biometrics and FIDO2, including passwordless desktop access to Windows and Linux machines without a shared local password. The same model extends to SSH; see our comparison of passwordless SSH authentication methods and our take on the end of passwords in infrastructure. Teleport supports FIDO and WebAuthn so users authenticate without passwords, which also reduces the help-desk burden of password resets and account recovery. It extends beyond human access too, securing machine-to-machine communications so every entity in the infrastructure authenticates on inherent or possession factors rather than stealable credentials. Teleport Identity Security then gives security teams the immutable audit log and session recording they need to prove who accessed what, which is how passwordless stays compliant as it scales.
Passwordless removes the secret a human types. Secretless removes every standing secret behind it, including the ones machines and AI agents use to authenticate to each other. Both rest on the same idea: that identity, proven cryptographically, should be the basis of trust, not a string that can be copied.
Passwordless authentication is one of the clearest security upgrades available. By removing the shared secret, it eliminates the credential behind most breaches. The strongest forms, built on FIDO2, WebAuthn, and device biometrics, are phishing-resistant by design, while weaker methods like SMS codes only partly close the gap. The principle is to retire the password, not stack more checks on top of it.
For infrastructure, the same idea goes further. Standing keys, tokens, and secrets are passwords by another name, and they are what attackers reach for. An identity-first approach replaces them with short-lived cryptographic identity, so access is passwordless at the login and secretless everywhere behind it. That is how Teleport Zero Trust Access and Teleport Identity Security deliver passwordless access in practice, across humans, machines, workloads, and AI agents.
What is passwordless authentication?
Passwordless authentication verifies identity without a shared password, using a possession factor such as a registered device or security key and often an inherence factor such as a fingerprint or face. Because there is no password to type or store, there is nothing for an attacker to phish or steal.
How does passwordless authentication work?
Most passwordless methods use public key cryptography. Your device generates a private key that never leaves it and registers a matching public key with the service. At sign-in, the service issues a challenge, the device signs it (after a biometric or PIN unlock), and the service verifies the signature against the stored public key.
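The challenge-response flow described in the section on how passwordless works and again in this answer, as an added example rather than code from the original page or from Teleport: a simplified Go model of a WebAuthn-style assertion in which the device keeps the private key, the server keeps only the public key, and the server checks its own challenge and origin before the signature. Register, Assert and Verify are constructed names, and the digest is a simplified version of WebAuthn's (the full origin stands in for the RP ID).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

type Authenticator struct{ priv *ecdsa.PrivateKey }      // the user's device; priv never leaves it
type clientData struct{ Type, Challenge, Origin string } // what the browser binds into every assertion

// Register creates the key pair on the device; only the public key is sent to the server.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv}, &priv.PublicKey
}

// NewChallenge is the server's fresh random nonce, issued once per login attempt.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// signedDigest is simplified WebAuthn: SHA-256(rpIdHash || SHA-256(clientDataJSON)); the full origin stands in for the RP ID.
func signedDigest(origin string, cdJSON []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(origin)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}

// Assert signs the challenge for the origin the browser reports (after a local biometric/PIN unlock, omitted) and returns clientDataJSON and the signature.
func (a *Authenticator) Assert(challenge, origin string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(origin, cdJSON))
	return cdJSON, sig
}

// Verify (relying party) checks its own challenge and origin, then the signature under the stored public key; no shared secret is compared.
func Verify(pub *ecdsa.PublicKey, wantChallenge, wantOrigin string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != wantChallenge || cd.Origin != wantOrigin {
		return false // malformed, replayed, or signed on a different (e.g. lookalike) origin
	}
	return ecdsa.VerifyASN1(pub, signedDigest(wantOrigin, cdJSON), sig)
}
```

An assertion the same device signs for a different origin fails Verify even when relayed intact to the genuine site, which is the origin binding that makes the cryptographic methods phishing-resistant.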
Is passwordless authentication more secure than passwords with MFA?
Yes, when built on FIDO2 and WebAuthn rather than email or SMS codes. It removes the password entirely, so phishing, credential stuffing, password spraying, and breach-based credential theft have nothing to target. MFA bolted onto a password still leaves a password to attack.
What is the difference between passwordless authentication and MFA?
MFA adds a second factor on top of a password, while passwordless replaces the password outright. A passwordless login can still be multi-factor, for example a hardware key unlocked by a fingerprint, but it never relies on a shared secret.
What is a passkey?
A passkey is a standards-based passwordless credential built on FIDO2 and public key cryptography. It stores a private key in your device's secure hardware and can sync across your devices, letting you sign in with a biometric instead of a password.
Are biometrics safe for passwordless authentication?
Yes, because the biometric typically stays on your device and only unlocks a locally stored private key rather than being transmitted. The security depends on the device protecting that key, which is why device trust matters.
Is passwordless authentication phishing-resistant?
The cryptographic methods, FIDO2 security keys and platform passkeys, are phishing-resistant because each login is cryptographically bound to the legitimate domain. Weaker "passwordless" methods like SMS codes and magic links are not fully phishing-resistant.
Can passwordless authentication be used for infrastructure and server access?
Yes. The same model extends from app logins to SSH, databases, Kubernetes, and cloud consoles. Teleport Zero Trust Access delivers passwordless, least-privileged infrastructure access and replaces standing secrets with short-lived cryptographic certificates.
What does "secretless" mean, and how is it different from passwordless?
Passwordless removes the password a human types. Secretless goes further, eliminating the standing keys, tokens, and credentials that sit behind the login, replacing them with short-lived certificates and zero standing privileges across humans, machines, workloads, and AI agents.
Why are static credentials considered insecure?
Static credentials can be reused, shared, or stolen, giving an attacker durable access. Teleport replaces them with short-lived, automatically expiring certificates tied to cryptographic identity, so there is no standing secret to leak.