Authentication, Authorisation & Trust

What is the difference between passwordless login and cross-device authentication?

By NHI Mgmt Group Editorial Team Updated June 5, 2026 Domain: Authentication, Authorisation & Trust

Passwordless login removes the password from the authentication step. Cross-device authentication goes further by allowing the identity journey to begin on one device and complete on another, often with session approval on a trusted mobile device. Retail teams usually need both, because eliminating passwords alone does not solve shared-device checkout or session continuity problems.

Why This Matters for Security Teams

Passwordless login and cross-device authentication solve different problems, and confusing them creates avoidable friction in retail, support, and shared-workstation environments. Passwordless login removes the secret from the primary login step, but it does not automatically prove that a session should continue on a second device or that a human is still in control. Cross-device authentication adds that continuity layer, which is why it is often used for approving a checkout, resuming a session, or confirming a sensitive action from a trusted mobile device.

That distinction matters because identity teams are now expected to support both user convenience and stronger assurance. The operational goal is not simply to eliminate passwords, but to reduce phishing risk, session hijacking, and checkout abandonment without introducing brittle workarounds. Current guidance from NIST Cybersecurity Framework 2.0 emphasizes outcomes such as access control, authentication strength, and risk management, while Ultimate Guide to NHIs — What are Non-Human Identities shows how modern identity systems must account for device, workload, and session context rather than a single login event.

In practice, many security teams encounter checkout failures, shared-device lockouts, or approval gaps only after the first passwordless rollout has already gone live.

How It Works in Practice

Passwordless login typically starts with a credential bound to a device or authenticator, such as a passkey, platform biometric, or hardware-backed key. The user proves possession or presence without typing a password, and the server issues a session if the assertion is valid. Cross-device authentication adds a second step: the session can begin on one device and be completed or approved on another, often through a trusted phone that receives a challenge and confirms the request. That second step is what makes it useful for shared kiosks, call centers, and retail terminals.

For security teams, the practical question is where trust is anchored. A passwordless flow may be strong enough for first-factor replacement, but cross-device approval needs clear device binding, strong session timeouts, and policy that defines which actions require extra confirmation. NHI governance principles from Ultimate Guide to NHIs — What are Non-Human Identities are useful here because the same discipline applies to sessions, devices, and tokens: know what is trusted, how long it remains trusted, and when it must be revoked. In parallel, NIST Cybersecurity Framework 2.0 supports mapping these controls to authentication, authorization, and continuous risk monitoring.

  • Use passwordless login to remove password capture and reuse risk.
  • Use cross-device approval when the action requires a second trusted device or a continuity check.
  • Bind sessions to device posture, user presence, and time-limited tokens.
  • Apply step-up checks for refunds, account changes, and other high-risk actions.

These controls tend to break down when organisations allow long-lived sessions on unmanaged kiosks because the approval device and the active browser session drift apart.
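The flow described above (kiosk session, challenge sent to a trusted phone, approval bound to the session, time-limited, step-up only for high-risk actions), as an added example that is not code from the page or from any product it mentions. Names, the 120-second lifetime and the use of an HMAC in place of a real device-bound signature are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

STEP_UP_ACTIONS = {"refund", "account_change"}  # policy: actions that need approval on a second trusted device
CHALLENGE_TTL = 120  # seconds an approval challenge stays valid (assumed value)

def approve_on_phone(phone_key, challenge_id, session_id, action):
    """Trusted-phone side: the user confirms the displayed action and session. HMAC with the phone's
    enrolled key stands in for a real device-bound signature (passkey or hardware-backed key)."""
    msg = f"{challenge_id}|{session_id}|{action}".encode()
    return hmac.new(phone_key, msg, hashlib.sha256).hexdigest()

class ApprovalServer:
    """Server side: each approval is bound to one session, one action, a short lifetime and a single use."""
    def __init__(self):
        self.phone_keys = {}  # user -> key enrolled for that user's trusted phone
        self.challenges = {}  # challenge_id -> pending approval record

    def enrol_phone(self, user, key):
        self.phone_keys[user] = key

    def issue_challenge(self, user, session_id, action, now):
        if action not in STEP_UP_ACTIONS:
            return None  # low-risk action: the passwordless session alone is enough
        cid = secrets.token_hex(8)
        self.challenges[cid] = {"user": user, "session_id": session_id, "action": action,
                                "expires": now + CHALLENGE_TTL, "used": False}
        return cid

    def verify_approval(self, cid, session_id, action, tag, now):
        ch = self.challenges.get(cid)
        if ch is None or ch["used"] or now > ch["expires"]:
            return False  # unknown, already-used or stale challenge
        if ch["session_id"] != session_id or ch["action"] != action:
            return False  # approval has drifted away from the session/action it was minted for
        expected = approve_on_phone(self.phone_keys[ch["user"]], cid, session_id, action)
        if not hmac.compare_digest(expected, tag):
            return False  # not produced by the enrolled phone
        ch["used"] = True
        return True

def refund_walkthrough(now=1000.0):
    """Constructed scenario: kiosk session sess-kiosk-42 asks for a refund for user alice."""
    server, key, sid = ApprovalServer(), b"constructed-phone-key", "sess-kiosk-42"
    server.enrol_phone("alice", key)
    cid = server.issue_challenge("alice", sid, "refund", now)
    tag = approve_on_phone(key, cid, sid, "refund")
    return (server.verify_approval(cid, "sess-other", "refund", tag, now + 5),          # wrong session
            server.verify_approval(cid, sid, "refund", tag, now + CHALLENGE_TTL + 1),  # stale
            server.verify_approval(cid, sid, "refund", tag, now + 10),                # approved
            server.verify_approval(cid, sid, "refund", tag, now + 11))                # replayed
```

The walkthrough shows the three ways an approval is rejected (wrong session, expired, replayed) alongside the one accepted path, which is the drift problem the preceding paragraph describes.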

Common Variations and Edge Cases

Tighter authentication often increases operational overhead, requiring organisations to balance fraud reduction against customer friction and support costs. That tradeoff is most visible in retail, where passwordless login may be ideal for low-risk account access, but cross-device authentication becomes necessary for self-checkout, curbside pickup, or employee handoff scenarios.

There is no universal standard for when cross-device approval is mandatory versus optional; current guidance suggests treating it as a risk-based control, not a blanket replacement for passwords. Some environments use it only for step-up verification, while others use it as the primary session confirmation method after a passwordless sign-in. The right choice depends on device trust, user population, and whether the journey must survive interruptions between devices.

Teams should also remember that passwordless is not the same as phishing-proof in every implementation. A weak recovery process, poorly protected backup channel, or permissive session lifetime can still undermine the whole flow. For that reason, identity design should align with broader assurance models such as NIST Cybersecurity Framework 2.0 and the lifecycle controls described in Ultimate Guide to NHIs — What are Non-Human Identities. The practical answer is to treat passwordless as the login method and cross-device authentication as the session assurance method, then decide per workflow which one is enough.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     PR.AC-7               Cross-device approval depends on verifying identity before session continuation.
OWASP Non-Human Identity Top 10  NHI-01                Session trust and device binding mirror identity lifecycle and credential handling concerns.
NIST AI RMF                      (none listed)         Risk-based access decisions map well to evolving authentication assurance.

Use AI RMF risk thinking to evaluate when passwordless is enough and when step-up approval is needed.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org