Passwordless Authentication

Enable users to log in via your Identity Provider without entering a username/password

  • Updated on Sep 28, 2022

This article describes features that are only available in the Banyan Enterprise edition.

How It Works

The diagram below provides a conceptual overview of how Banyan’s Passwordless Authentication Flow works.

Normal Authentication

In the Normal Authentication Flow, Banyan’s TrustProvider component federates to your organization’s Identity Provider (IdP). The user enters their SSO username and password (and Multi-factor Authentication (MFA), if applicable) at your IdP. Once the credentials (and MFA) are verified, the TrustProvider IDToken is issued.

Passwordless Authentication

In the Passwordless Authentication Flow, Banyan relies on the fact that the trusted Device Certificate carries the user’s email address in the UserPrincipalName (UPN) SAN extension field. To enable Passwordless Authentication, register the Banyan-provided “App Client for Passwordless Authentication” as an External OpenID Connect IdP in your organization’s Identity Provider.

When Passwordless is enabled, the device certificate presented during the device-trust check is used to identify the user who is attempting to authenticate. The identified user is issued a TrustToken without entering a username and password; they only need to complete an MFA step if your IdP is configured to require one.

Passwordless and Zero Touch Installation

With Banyan App 2.1+, Passwordless is supported for devices registered via Zero Touch Installation.

Devices registered via Zero Touch Installation can be registered either to a specific user or to the default “Staged User”. When a device is registered to the default “Staged User”, the issued device certificate does not have the UserPrincipalName SAN extension field set. So that Passwordless can still work, Banyan silently replaces the certificate that has no UPN with a certificate carrying the user’s UPN during the first authentication flow. From then on, the Banyan Passwordless flow is enabled for that device.
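The two sections above rest on one detail: the user’s identity is read from the UserPrincipalName otherName in the device certificate’s SAN extension, and a Staged User certificate has no such entry. As an added example (not Banyan’s code), the block below builds that SAN structure in DER and parses it back, returning None when the UPN is absent. The OID is the standard UPN otherName OID; the email and host names are constructed, and the function assumes the certificate has already been validated against the device CA, since a UPN from an unvalidated certificate proves nothing.

```python
# Added example (not Banyan's code): build and parse the UPN otherName a SAN carries.
from typing import Optional
UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # DER TLV; short-form length suffices here

def build_san(upn: Optional[str], email: Optional[str] = None,
              dns: Optional[str] = None) -> bytes:
    """SAN extension value: GeneralNames ::= SEQUENCE OF GeneralName."""
    names = b""
    if upn is not None:  # otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }
        names += tlv(0xA0, tlv(0x06, UPN_OID_DER) + tlv(0xA0, tlv(0x0C, upn.encode())))
    if email is not None:  # rfc822Name [1] IA5String
        names += tlv(0x81, email.encode("ascii"))
    if dns is not None:  # dNSName [2] IA5String
        names += tlv(0x82, dns.encode("ascii"))
    return tlv(0x30, names)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos); accepts short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def extract_upn(san_der: bytes) -> Optional[str]:
    """UPN from a SAN value, or None when absent (e.g. a Staged User cert)."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # rfc822Name, dNSName, ... are not the UPN otherName
            continue
        oid_tag, oid, p = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != UPN_OID_DER:
            continue  # some other otherName type
        wrap_tag, wrapped, _ = read_tlv(body, p)
        inner_tag, value, _ = read_tlv(wrapped, 0)
        if wrap_tag != 0xA0 or inner_tag != 0x0C:
            raise ValueError("UPN otherName is not an EXPLICIT UTF8String")
        return value.decode("utf-8")  # trust this only after chain validation
    return None
# Constructed sample SAN values (names are made up):
USER_SAN = build_san("alice@example.com", email="alice@example.com")
STAGED_SAN = build_san(None, dns="device-0001.example.com")
```

Running `extract_upn(USER_SAN)` yields the user's UPN, while `extract_upn(STAGED_SAN)` yields None, which is exactly the case that forces the silent certificate swap described above.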

Identity Provider Setup Guides

  • Okta
  • Onelogin
  • Azure AD