BankVault Enterprise – Passwordless Authentication (IAM)

Passwordless Web Logins


Simple, Low-Cost Deployment – Hours (Not Months)

–  No infrastructure changes
–  No client software
–  No user setup

Ask to Test Drive your website






Users no longer have to remember or enter their login credentials.


Seamless access increases user engagement, creating sticky customers which drives business.


No single attach surface makes it incredibly difficult for hackers to compromise.

  • Accounting
  • HR / Payroll
  • Healthcare
  • Management
  • Insurance

Identity Theft / Account Takeovers

Every website uses passwords. When users enter login credentials through their device, the single attack surface makes intercepting passwords easy. Users further corrode their own security by using dictionary words or recycling the same password everywhere.  

2 Factor Authentication (2 step login) using a separate physical device dramatically improves security but this is still frequently defeated with social engineering (tricking a user to reveal or use their 2nd factor) or Man-in-the Browser (JavaScript injection) simply changing details such as destination bank account numbers behind the screen which the user then authenticates. 2FA is also quite clumsy for users.

Password Managers try to solve the problem but expose use credentials whenever they auto-fill web forms. The asterisks which appear in password fields are only a mask for human eyes so any software in the browser intercepts it as instantly as clear-text.

This fundamental design flaw in browser security can’t be patched by Password Managers or software on the users device. 

The solution is to handled authentication at the back-end, inside the webserver that delivers the login screen. 

Passwordless Authentication

BankVault Passwordless is a simple REST API integrated into the webserver creating a virtually cosmetic change that harnesses  user mobiles and browsers for authentication.

The system generates a security secret and projects an image of a keyboard or keypad into the users mobile browser. Onscreen actions are stored in the cloud but can only be interpreted inside the webserver when the mobile phone and browser are present. (see Webserver Encrypted Keyboard below)

When the user subsequently initiates a login their biometrics (proof-of-presence), along with their device (something they have) reconstitute the same credentials (something they know) inside the webserver which logs them in. Multiple reference points must be present together in order to reconstitute the credentials and authenticate the user.

Simple, low-cost deployments (20-lines of code in the webserver) 

  • No change to backend authentication 
  • No client software 
  • No user set up   

Multi-Factor Authentication is invisible to users with nothing to download, install or configure.  



Biometrics – WebAuthn (FIDO2)


BankVault supports biometrics and other proof-of-presence methods such as screen swipe or PIN, by incorporating the WebAuthn standard (the component of the FIDO2 standard responsible for authenticating web services).

Complexity now Zero

WebAuthn implementations are normally complex and can be very involved.

BankVault customers inherit WebAuthn capability without custom coding, eliminating weeks or months of effort. 

User Choice

End-users can select fingerprint, face scan, screen swipe, PIN, or other methods. These details never leave the users local device. 

  • Android support for WebAuthn is operational now
  • Apple support for WebAuthn is due with Safari 14

The capability depends on the capability of users hardware and operating system. When not present it defaults to requesting a PIN. 


Webserver Encrypted Keyboard

Secures user input of sensitive data such as Password, PINs, SSNs, CVV codes, etc.  

The users mobile browser is harnessed by the webserver creating a secondary input device and channel.  An image is project into the phones browser which creates the illusion of a keyboard on the device. Onscreen actions by the user are interpreted inside the webserver to generate characters.  No characters are ever present in the users devices and the webserver only echos asterisks back to the users browser, thus nothing exists that can be intercepted.
  • On mobiles the experience is seamless.
  • On workstations the user scans a QR code with their phone camera.

The dynamics of cybersecurity fundamentally change when user credentials can never be intercepted by malware on any device.

Implementation Options: 

  • Cloud 
  • On-Premise

How It Works

A shallow integration of a REST API with the webserver is virtually a cosmetic change requiring just 20-lines of code and can be done in as many minutes. 

The API simply harnesses the users mobile as a secondary input and authentication device.

No Technical Risk: If the service was to fail then users just enter their login credentials as usual. 

No Security Risk: The encryption secret is generated and known only to the webserver. Encrypted web sockets would require billions of years to decrypt and the information gleaned would be meaningless and lacks context. The user credentials can only be reconstituted inside the server when the user and their device are present. 

No Change Management:  When offered as a choice to users, adoption occurs by osmosis. 


Test Drive and Go-Live

Test drive the system with your own web service. Set up a test login page on a test web address (URL) and circulated this with staff or selected user groups. Users  can access the original against test login page for side-by-side comparison.  

Evaluation, Trial, Proof-of-Concept, Pilot and Go-Live don’t require any system changes.

The system is branded to your organization.

graph icon

Drive Business Growth

Seamless access increases user engagement creating sticky customers.

wallet icon

Build Customer Trust

Build trust by securing customers connecting with your web service..

person icon

Simple Implementation

Integration in minutes with a cosmetic change to the webserver login page.

bug shield icon

High Security Frictionless Access

Delivered seamlessly to protect customers even using compromised devices.

Ask to Test Drive your website