A Fast and Adaptive Passwordless Multi-Factor Authentication Solution

Linked Agent
Elmedany, Wael Mohamed, Thesis advisor
Date Issued
2024
Language
English
Extent
[1], 14, 134, [12] pages
Place of institution
Sakhir, Bahrain
Thesis Type
Thesis (Master)
Institution
University of Bahrain, College of Information Technology, Department of Computer Science
English Abstract
Passwords have always been inherently insecure, but their continued use and ubiquitous nature raise significant security concerns in today’s ever-evolving digital landscape. This academic endeavour aims to explore the feasibility of a novel Adaptive Risk-based Passwordless Authentication (ARPA) scheme that combines the strengths of FIDO2 authentication and adaptive risk-based authentication. ARPA aims to tackle the growing need for a robust, secure, and user-friendly passwordless authentication solution by leveraging FIDO2’s secure authentication protocols and dynamically adjusting security measures based on real-time risk analysis. The idea is to let an intended user access their account with little-to-no hindrance whilst a fraudulent user will either be challenged further or completely denied access to deter them from continuing with their malicious agenda. In the event that a non-negligible but not high enough risk is detected, users will be requested to re-authenticate themselves using a biometric or possession-based factor. This thesis presents the design rationale behind the ARPA scheme by focusing on the challenges and opportunities of implementing such a scheme, particularly its technical and practical considerations as well as its demonstrable benefits and potential limitations in real-world applications. To assess its practical viability, a basic proof-of-concept version of the scheme was developed and tested with a group of volunteers. User feedback and data collected through close-ended survey questions provided valuable insights into the perceived usability, security, and effectiveness of the proposed user authentication scheme. The findings herein demonstrate a promising passwordless authentication solution.
The inherent 2FA/MFA nature of the scheme, coupled with its adaptive risk assessment capabilities that dynamically adjust security measures based on real-time user behaviour and contextual factors, offers a compelling approach to enhancing security and privacy without compromising user convenience as they can simply use their preferred biometric or possession-based sign-in method to access their favourite website without having to worry about account takeovers, password leaks or thefts, and data breaches. Users have the choice of using platform or external (roaming) authenticators to sign in, both of which can easily be the smartphone in their pocket without having to install any additional application. The paper concludes by outlining a comprehensive scope of future work, including further refinement of the prototype, large-scale testing, and integration with real-world environments. This thesis paves the way for further exploration of ARPA as a viable, secure, and user-centric alternative to traditional password-based authentication methods that is well-suited for organisations of all sizes.
Note
Title on cover:
حلاً سريعًا ومتكيفا للمصادقة متعددة العوامل بدون كلمة مرورا
Identifier
https://digitalrepository.uob.edu.bh/id/77ca46b2-e825-404f-a3e7-162215a0b8a7