This article covers the scenario where passwordless authentication is configured, but some users report that they are still intermittently prompted for a password and can reproduce the prompt in a private browser window.
- Passwordless Authentication
- User Enumeration Prevention
This can happen if User Enumeration Prevention is enabled for Authentication (Admin Console > Security > General).
User Enumeration Prevention is a security feature that helps prevent attackers from discovering valid user accounts by trying various combinations of usernames. User Enumeration Prevention aims to make it more difficult for attackers to determine which usernames are associated with active accounts and reduce the risk of a successful brute-force attack.
If a user logs in without device context (a new device or browser, or no cookies available during authentication), a username and password page is displayed for their first authentication. If end users log in from their regular browser, where a device cookie is available, they are not prompted to enter a password.
This setting can be disabled by following these steps:
- Log into the Admin dashboard.
- Browse to the Security > General tab.
- Find the User enumeration prevention section.
- Click on Edit and uncheck the box for Authentication.
Once this is disabled, when logging in from any device, users will be presented with the options for authentication that are configured. In the case of a passwordless setup, a password box will not be presented in any context.
