FAQ

Passwordless Alliance is a non-profit organization established in Geneva, Switzerland by Chaesup Lee, former director of ITU, an international technology standardization organization, and Jonghyun Woo (a.k.a. John Woo), who developed the ITU-T X.1280 standard technology. It was established to fundamentally solve password problems through the participation of online service users, online service providers, and related authorities, so that the international social problems caused by passwords can be resolved quickly.

Above all, to become a practical organization, the Passwordless Alliance distributes free software targeting B2C online services. While other standards associations or alliances have focused on securing compatibility by creating technical standards centered on technology suppliers, the Passwordless Alliance is distributing the Passwordless X1280 software free of charge to online services. Besides providing software, we also share online advertising revenue generated from the Passwordless X1280 mobile app with online service providers for quick adoption in online services.

Passwordless X1280 is software available for free in B2C online services. The Passwordless Alliance provides Passwordless X1280 software for free to B2C online services worldwide.

The Passwordless X1280 mobile app used by users includes Google display ads. We aim to provide passwordless software based on ad revenue generated from user engagement.

Passwordless X1280 is free software available for B2C online services. The Passwordless Alliance aims to protect the end users (consumers) of online services worldwide. By promoting passwordless technology in B2C online services, we strive to protect the personal and financial information of service users (consumers). The Passwordless Alliance does not supply cybersecurity software to businesses or institutions. If an online service is operated for internal employees, please contact a cybersecurity software provider for implementation. (Note: Passwordless X1280 should not be used if the users of the online service are employees, consultants, agents, or contractors of the service operating entity.)

User passwords are a widely used authentication method that allows users to prove they are legitimate users to online services. However, this method has significant drawbacks: users might enter their passwords without verifying if the online service is genuine or fraudulent, or their passwords could be phished during the input process. Additionally, due to the limits of human memory, users often reuse the same password across multiple online services. If one service is compromised, users are burdened with changing their passwords for all other services.

In contrast, the Passwordless X1280 method shifts the responsibility of password verification to the online service, freeing users from the need to remember, enter, or change passwords. Even if the online service is compromised and user passwords are leaked, these passwords are automatically changed each time the user logs in using the passwordless method, thus not affecting the user’s other online services.

With Passwordless X1280, the online service first presents an automatic password to the user, who then verifies it on their smartphone. This allows users to confirm the legitimacy of the service provider, making it more than twice as secure as traditional user-only authentication methods. Additionally, it is convenient for users, as they no longer need to remember, change, or enter passwords; they simply approve the automatic password provided by the online service via the mobile app.

Passwordless X1280 does not eliminate the user password function of online services. Instead, it automatically changes the user password to a complex string after the passwordless setting is enabled, meaning that the user password still exists internally.

When a user enables Passwordless X1280 for a specific online service account, the password for that account is automatically changed to a complex, random password. Each time the user logs in with Passwordless X1280, the user password is automatically changed.

Therefore, users no longer need to change or remember their passwords. They simply need to verify the automatic password provided by the online service on their smartphone.

If you temporarily lose your phone, you can log in temporarily using the “Forgot Password” menu on the login screen. However, even if you log in temporarily through the “Forgot Password” process, the user password will be automatically changed to a complex password the next time you log in with the Passwordless X1280 app.

If you replace your phone rather than temporarily losing it, you should first log in using the “Forgot Password” option. After logging in, go to the passwordless settings menu in the online service, disable the passwordless setting, and then follow the re-registration process with your new smartphone.

The existing OTP is an excellent user authentication technology, but it has a weakness: the OTP code can be stolen if the user enters it without verifying whether the online service being accessed is real or fake. Passwordless X1280, however, allows users to check whether the service provider is real or fake, because the online service first presents the user with an automatic password and the user checks it on the smartphone. Therefore, it is more than twice as secure as existing OTP technology that authenticates only the user. In addition, it is much more convenient to use because the mobile app approves the automatic password presented by the online service, rather than the user having to read the OTP code and enter it by hand.

Biometric authentication is a great technology that can eliminate passwords, but it is an in-band authentication technology that is only valid within devices equipped with a biometric authentication sensor. Therefore, the biometric authentication sensor mounted on a smartphone can be used as an excellent authentication method within the smartphone, but it cannot be used on user devices such as PCs, smart TVs, AI speakers, and ATMs that do not have a biometric authentication sensor. If you want to perform biometric authentication for each user device, you must attach a separate authentication sensor for each device.

However, Passwordless It is economical and convenient. In other words, you can first check which online service you are submitting your biometric authentication information to before submitting it.

Additionally, if each user device has a biometric authentication sensor, it would be cumbersome to register biometric information separately for each device. However, because the Passwordless X1280 performs biometric authentication only on smartphones, you only need to register biometric information on your smartphone.

Passwordless X1280 and mobile push-based authentication seem to work similarly, but there is a fundamental difference. Push-based authentication verifies that the user holds a legitimate authenticator when a push message is received on the smartphone. Because it authenticates only the user, a push approval can be stolen if the service the user first accesses is a fake service. If a user receives a push message while connected to a fake service, he or she may approve the push message without verifying where it originated. In other words, the user did not approve his own access, but instead approved the attacker’s access.

In contrast, Passwordless X1280 has the online service present an automatic password to the user and compares it with the automatic password generated in the user's Passwordless X1280 app; if they match, the online service is confirmed as legitimate, making it clear where the authentication originated. You can check it with . Therefore, although a push message is received in both cases, push-based user authentication technology only performs user authentication, while Passwordless X1280 authenticates both online service providers and users at the same time.
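
The exchange described above, sketched as an added example (not code from the Passwordless Alliance or from ITU-T X.1280): the service presents the automatic password first, the phone app compares it with its own, and the stored password is rotated on each login. The page does not say how the automatic password is derived, so the HMAC-over-time-step construction, the 60-second window, the class names and `shop.example` are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60  # assumed validity window (not stated on the page)

def automatic_password(secret: bytes, service_id: str, now: float) -> str:
    """Assumed construction: HMAC over service name and time step, cut to 6 digits."""
    msg = service_id.encode() + b"\x00" + struct.pack(">Q", int(now // STEP_SECONDS))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class OnlineService:
    """Service side: presents the code first, rotates the stored password on login."""
    def __init__(self, service_id: str, secret: bytes):
        self.service_id, self.secret = service_id, secret
        self.stored_password = secrets.token_urlsafe(32)

    def present(self, now: float) -> str:
        return automatic_password(self.secret, self.service_id, now)

    def complete_login(self, approved: bool) -> bool:
        if approved:  # the internal password still exists, but changes every login
            self.stored_password = secrets.token_urlsafe(32)
        return approved

class PhoneApp:
    """User side: derives its own code and compares before approving."""
    def __init__(self):
        self.registered = {}  # service_id -> secret shared at enrolment (assumed)

    def approve(self, service_id: str, presented: str, now: float) -> bool:
        secret = self.registered.get(service_id)
        if secret is None:
            return False  # unknown service: nothing to compare against
        expected = automatic_password(secret, service_id, now)
        return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    real = OnlineService("shop.example", secrets.token_bytes(32))
    fake = OnlineService("shop.example", secrets.token_bytes(32))  # lacks enrolled secret
    app = PhoneApp()
    app.registered[real.service_id] = real.secret
    print(real.complete_login(app.approve("shop.example", real.present(now), now)))
    print(app.approve("shop.example", fake.present(now), now))  # code from a non-enrolled party
```
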