How Passwordless X1280 Works
A complete walkthrough of the push-based passwordless authentication flow, from login to secure approval.
System Architecture
Passwordless X1280 connects three actors through the Passwordless X1280 authentication server:
Authentication Flow — Step by Step
Start Authentication
User enters their email on the login page. The server looks up their account and generates a unique challenge.
A 6-digit verification code is created and stored securely with a 5-minute expiry. No password is needed or transmitted.
Display Verification Code
The browser displays a 6-digit code. The same code appears on the mobile app for the user to verify.
The user checks that the code on their phone matches the one on screen, then taps approve. This confirms the authentication request is legitimate and prevents phishing.
Poll for Approval
The browser checks with the server every few seconds while waiting for mobile approval.
Once the user approves on their phone, the server cryptographically verifies the response to ensure it's authentic and matches the original challenge. No credentials are ever exposed.
Complete Authentication
After approval is confirmed, the server creates a secure session and signs the user in.
The user is then redirected to the protected area. The entire flow completes in under 3 seconds; no password was ever transmitted.
Security Levels
Passwordless X1280 supports configurable security per account and per request:
| Level | Value | Mobile Behavior | Use Case |
|---|---|---|---|
| Disabled | 0 | Simple tap to approve | Low-risk actions, internal tools |
| PIN | 1 | Enter PIN before approval | Standard login, moderate risk |
| Biometric | 2 | Fingerprint or face scan | Financial transactions, admin access |
Security level is set per account by default, and can be overridden per login request for flexible protection.
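The server-side challenge lifecycle from the step-by-step flow and the per-request security level override, sketched as an added example (not Passwordless X1280's own code). The page does not say how the response is cryptographically verified, so an HMAC-SHA256 tag under a per-device key is assumed here; `ChallengeStore`, `sign` and all field names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds: the 5-minute expiry stated on the page

def sign(key, nonce, code, level):
    """Assumed device response: HMAC-SHA256 over nonce, code and level used."""
    return hmac.new(key, nonce + code.encode() + bytes([level]), hashlib.sha256).digest()

class ChallengeStore:
    def __init__(self, device_keys, account_levels, clock=time.time):
        self.device_keys = device_keys        # email -> device key (assumption)
        self.account_levels = account_levels  # email -> default level 0/1/2
        self.clock = clock
        self.pending = {}

    def start(self, email, level=None):
        """Start Authentication: new challenge; a per-request level overrides the default."""
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {
            "email": email,
            "nonce": secrets.token_bytes(32),
            "code": f"{secrets.randbelow(10**6):06d}",  # CSPRNG, zero-padded
            "expires": self.clock() + CODE_TTL,
            "level": self.account_levels[email] if level is None else level,
            "status": "pending",
        }
        return cid

    def poll(self, cid):
        """Poll for Approval: report state, expiring stale challenges."""
        ch = self.pending.get(cid)
        if ch is None:
            return "unknown"
        if ch["status"] == "pending" and self.clock() > ch["expires"]:
            ch["status"] = "expired"
        return ch["status"]

    def approve(self, cid, code, level_used, tag):
        """Mobile approval: accept once, only if bound to this exact challenge."""
        if self.poll(cid) != "pending" or level_used not in (0, 1, 2):
            return False  # unknown, expired, already used (replay), or bad level
        ch = self.pending[cid]
        expected = sign(self.device_keys[ch["email"]], ch["nonce"], ch["code"], level_used)
        ok = (level_used >= ch["level"]
              and hmac.compare_digest(code.encode(), ch["code"].encode())
              and hmac.compare_digest(tag, expected))
        if ok:
            ch["status"] = "approved"
        return ok
```

Because the tag covers the nonce, the displayed code and the level the device actually enforced, a response captured for one challenge cannot be replayed against another or passed off as a stronger approval than the one performed.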