How would you implement passwordless authentication in an enterprise environment?


Multiple Choice

How would you implement passwordless authentication in an enterprise environment?

Explanation:
Passwordless authentication in an enterprise hinges on two things: a phishing-resistant method that proves identity without a password, and centralized identity management that governs where that method is accepted. The best answer combines FIDO2/WebAuthn authenticators (hardware security keys, or the platform authenticators built into laptops and phones) with single sign-on through an identity provider (IdP). FIDO2/WebAuthn uses public-key cryptography: the private key is generated on, and never leaves, the authenticator, while the service (the relying party) stores only the public key. At login the relying party sends a random challenge; after the user confirms presence with a touch or biometric, the authenticator signs that challenge together with the origin the browser is actually on, and the relying party verifies the signature with the stored public key. Because a credential is bound to the origin it was registered for, a lookalike domain cannot obtain a usable signature, and because the server holds no secret, a breach of its credential store yields nothing an attacker can replay. Pairing this with an IdP and SSO gives one control plane: the IdP can require a phishing-resistant method by policy, handle the joiner, mover and leaver lifecycle, and produce a single audit trail across all connected applications, so onboarding and offboarding happen once rather than per app. The weak points in practice are enrollment and recovery: if a user can re-enroll a key after an SMS code or a helpdesk call, that path becomes the phishable login, so it needs the same rigor (identity proofing, a second registered authenticator, or a supervised recovery process).

The other options fall short. Requiring usernames with no passwords and no other identifiers leaves nothing to verify, so anyone who knows a username can log in as that user. SMS-based codes alone can be passwordless, but they are not phishing-resistant: a user can be talked into typing the code into an attacker's page, and the code can be stolen through SIM swapping or interception, so they do not meet an enterprise hardening bar on their own. Desktop-only login prompts without IdP integration lose centralized control, visibility, and policy enforcement across devices and services, so the approach cannot scale securely.

