Authentication without a password does not mean that you do not have a password.
I take it it's not clear what the difference is and what's new with this technology?
What's new here is that you only use a password once when you register on a site (like a site).
A password of any complexity always looks different to a site: it looks like a numerical code. And from the appearance of that numerical code it is impossible to find out your password.
I still don't see how is this better than 2FA.
The secret password/seed is needed and one more "derivation" component based on time is necessary.
The problem of 2FA is the way it's usually implemented and used, favoring the secret password/seed being stored on vulnerable devices. But nowadays there are hardware devices handling that too.
--------------------------------
About 2FA: I described it in detail in the post of March 09, 13 ways to bypass this technology. The more factors (2FA is more than 1FA), the harder it is to bypass 2 levels of protection when the technology first appears. But with time, when cheaters start to study it, they find ways to hack it, and their hacking methods concern each of the factors. It's all described above.
If it's 3FA, 4FA... it's going to be the top at first! And in the end, as soon as you get used to it, you get hacked even more than with 1FA, than with a normal password.
If I were to suggest one more factor, time:
1. I would not offer anything new, this idea is many years old and it was useless;
2. I'd introduce a third factor that would only weaken, in the end, not strengthen the defense.
For now, I'm stopping myself from being so stupid...
The basis for passwordless authentication is that, both as a client and as a server, you need to identify every packet of data.
A data packet is a bit sequence of a predetermined length.
You need to distinguish your own bit sequence from an outsider's.
In addition, this identification only works simultaneously in 2 directions. And only continuously, for each data packet - the same check.
But how can we do this if we do not know in advance what information is transmitted in the next data packet?
No way. With this data packet you will do nothing but accept and decipher it. And put it on hold for inspection... the user won't get it yet, even though it's decrypted.
But then you need to form your data packet and send it.
And how do you form it if you don't have the key?
That means, you need to use all events in the system - as arguments for irreversible functions (hash functions) to get a result - which will set up a new encryption scheme for a new data packet.
Recall that we are talking about a geometric encryption model (who has not read above - read).
And what new encryption scheme will I get?
If I decrypted every bit of it correctly (and in all rounds, not just at the end), it will be exactly the same as the one my companion prepared to receive my data packet. In other words, for me and my conversation partner, the new encryption and decryption schemes will match! It's a symmetric encryption system.
And in the end what?
I "correctly", understandably for my interlocutor, encrypt my data, and he will take it and decipher it correctly.
And if I decrypted the received data packet incorrectly, at least by 1 bit - my encryption scheme will be cardinally, thoroughly, very much different from the scheme prepared by my conversation partner.
And what will happen?
He will decrypt my data incorrectly and prepare another encryption scheme for his new data packet. The situation will become avalanche-like - we will no longer understand each other, which means that the data packet that I decrypted, postponed, and did not give to the user - will be found to be erroneous:
1. or erroneously decrypted due to interference in the communication channel or no matter what else;
2. or it's not our data packet at all, it's an attack, modification, misinformation - no matter what, it's fictitious.
So what do we do? Let's not cry.
Let's ask for a repeat of exactly this data packet and start building a new encryption scheme, exactly the same scheme under which the wrong data packet came in and failed the check.
Let's do it again.
Until we get and correctly decrypt the new, repeated data packet, until the data packet is unambiguously authenticated as "its" by the new data packet - we do not use the information encrypted in it, it is recognized by the system as misinformation.
It is clear that the data packet, apart from the information, has a sufficient set of service bits to make a preliminary check of the package - in advance, until its full decryption.
It is clear that the geometrical space has not only elements filled with information, but also a lot of empty cells, and if the information is not true, then the decryption will build a vector onto an empty cell and the system will understand in advance that somewhere there is an error (see the vector-geometric encryption scheme from December 7, 2019 in this topic). But these are all nuances of the technology; they are not needed to understand the principle of identification and 100% authentication of the sender of EACH SINGLE DATA PACKET, and likewise of ALL DATA PACKETS!
With normal authentication, the server recognized you (and you usually recognize the server only by the appearance of the site, and this in our 21st century!!!!), and then works with you without checking each data packet, whether it's you or Eve (man-in-the-middle attack and other nasty things).
That's what all phishing is based on - you've had your passwords, every security factor taken away once, and everyone is using it without fear that the server will notice a spoof.
One theft is a bunch of problems. It's now.
We have nothing to steal, because the encryption scheme (like a key) for each data packet is different. If the cheater steals this non-existent key, this encryption scheme, he will not be able to use it for the following data packet; he cannot, until he steals your entire device.
This is real security and real authentication, not a password template.
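An added illustration of the principle in this post, written for this thread and not the poster's own geometric scheme: a hash-chained per-packet key, where each side derives the next key from the current key and the packet it just processed, so one corrupted or forged bit leaves the two schemes out of step, the packet is rejected, and the sender rolls back and resends. The party names, the XOR keystream, the short tag as "service bits" and the one-time shared seed are assumptions of the demo.

```python
import hashlib
import hmac
TAG_LEN = 16

def keystream(key: bytes, n: int) -> bytes:
    # Expand the current chain key into n bytes (counter-mode hash; demo only, not a vetted cipher).
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def ratchet(key: bytes, plaintext: bytes) -> bytes:
    # Next packet key: irreversible function of the current key and the packet just processed.
    return hmac.new(key, plaintext, hashlib.sha256).digest()

class Party:
    def __init__(self, shared_seed: bytes):
        self.key = shared_seed  # secret agreed once (assumed), never transmitted again
        self.last = None        # (key used, plaintext) of the last packet sent, for retransmission

    def send(self, plaintext: bytes) -> bytes:
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(self.key, len(plaintext))))
        tag = hmac.new(self.key, ct, hashlib.sha256).digest()[:TAG_LEN]  # the "service bits"
        self.last = (self.key, plaintext)
        self.key = ratchet(self.key, plaintext)
        return tag + ct

    def resend(self) -> bytes:
        # Roll back to the scheme the rejected packet was built under and send it again.
        self.key, plaintext = self.last
        return self.send(plaintext)

    def recv(self, packet: bytes):
        tag, ct = packet[:TAG_LEN], packet[TAG_LEN:]
        expect = hmac.new(self.key, ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None  # schemes diverged: corrupted or forged packet; key is not advanced
        pt = bytes(c ^ k for c, k in zip(ct, keystream(self.key, len(ct))))
        self.key = ratchet(self.key, pt)
        return pt

def demo(tamper: bool):
    # Constructed exchange: a single flipped bit in packet 2 is rejected, the resend is accepted.
    alice, bob = Party(b"one-time-seed"), Party(b"one-time-seed")
    results = [bob.recv(alice.send(b"hello"))]
    pkt = alice.send(b"second")
    if tamper:
        pkt = pkt[:-1] + bytes([pkt[-1] ^ 0x01])  # one ciphertext bit altered in transit
    results.append(bob.recv(pkt))
    if results[-1] is None:
        results.append(bob.recv(alice.resend()))
    results.append(alice.recv(bob.send(b"reply")))
    return results, alice.key == bob.key
```

Note that the chain only stays private as long as the current key does: anyone holding the key and the plaintext of packet k can compute the key for packet k+1, so this illustrates synchronisation and detection, not theft resistance.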