Secure interactions between a client device executing an application and a remote server associated with the application are enabled without credentials such as passwords. The application may acquire an encryption key pair, store a first key of the pair on the client device, and secure access to it by associated biometric data. The second key of the pair is stored on the remote server in association with the user's account. Responsive to a request on the application for an action that requires authentication with the remote server, the user must input biometric data which, only if verified, enables access to use the first key. The first key is then used to encrypt authentication data for submission to the remote server. The server accesses the public key and uses it to decrypt the data and verify the source of the request. If verified, the server then authorizes the requested action.