Passwordless Authentication

The Future of Passwordless Authentication: Trends and Technologies

Passwords have been the default authentication method ever since the start of computing. But of late, passwords have become insecure and complex, no longer fitting the needs of today’s digital world. New passwordless options, such as biometrics and passkeys, are killing the password.

Why are Passwords Falling Out of Favour?

The reasons for passwords falling short are many.

Passwords are a big security threat. Most users create weak passwords or reuse passwords. They even retain default passwords. Cyber attackers crack most passwords using brute force, phishing, or credential-stuffing attacks. A 2023 Verizon study reports stolen passwords as the cause of 86% of web application breaches.

The relentless attempts by threat actors make password requirements more complex. Users find it difficult to remember complex passwords. Frequent password resets become a hassle and overwhelm enterprise IT. Pew Research reports that seven out of ten consumers in the US are overwhelmed by the number of passwords they must remember. They also feel anxious about whether their passwords are strong enough.

Complex passwords and the mandate to change passwords frequently make account lockouts due to forgotten passwords commonplace. For a typical user, the situation leads to frustration, productivity loss, and security fatigue. The degraded productivity and employee frustration increase costs for businesses.

With passwords out of favour, here are the trends and new technologies gaining popularity in passwordless authentication.

The Decreasing Popularity of OTPs and MFAs

One-time passwords (OTPs) and multi-factor authentication (MFA) are also falling out of favour. These options add friction to the login process and degrade the user experience.

The extra steps to log in, the complexity of setting up MFA systems, and the heavy dependence on devices make MFA unpopular.

OTPs force users to switch between apps to verify transactions, further degrading the experience. Moreover, OTP delivery depends on the network, and network latency can delay it. OTPs also incur costs for the business.

OTPs are not very secure either. Hackers stealing OTPs through phishing and SIM swapping is commonplace.

Most MFA deployments combine passwords and OTPs as the two authentication mechanisms, making the entire process a hassle for users.

The Emergence of Magic Link as an Alternative

Many companies, especially e-commerce companies, use magic links as an alternative to passwords. When the user requests a login, the system sends a unique one-time, time-limited link to their registered email address or mobile phone. These links spare users from remembering complex passwords, and they do not have to go through a lengthy authentication process either.

But magic links, while increasing convenience, are only as safe as the user’s email account. Hackers could steal the links by compromising the email account, and email account compromise through phishing and credential stuffing remains commonplace.

Developers have been toying with blockchain to make magic links more secure. Blockchain provides decentralised and tamper-proof records of users with access to an account. Such a list eliminates hacking.

The Growing Popularity of Passkeys

Passkeys are cryptographically secure keys based on public-key cryptography, stored on the user’s device and synced across accounts. When the user registers on a website, the device creates a unique key pair. The device retains the private key and shares only the public key with the website. The private key stored on the device remains safe even when the website gets compromised. Passkeys bind the credential to a specific website. Since a passkey cannot be used on any other site, passkeys foil traditional attacks such as phishing and man-in-the-middle.

The rise of FIDO standards has made passkeys viable and popular. Fast IDentity Online (FIDO) is an open industry association that develops authentication standards. The alliance includes tech giants such as Apple, Google, and Microsoft.

The latest FIDO2 standard allows interoperability and simplifies passwordless implementation. It is W3C compliant and works across web browsers to deliver a smooth user experience.

WebAuthn, a framework based on FIDO2 specifications, facilitates integrating biometrics with security keys. It supports built-in platform authenticators such as Apple Touch ID or Windows Hello.

Passkeys, like most MFA options, are device-dependent. But passkeys deliver the MFA experience in a single step. Users get complete control over the authentication mechanism. They do not have to rely on third-party providers such as mobile carriers for OTP.

The Rise of Biometrics

Biometrics is fast replacing passwords as the default and more secure way to access online resources. Smartphones with fingerprint and facial recognition capabilities make biometric authentication viable and easy.

FIDO standards integrate biometrics with passkeys and help businesses eliminate passwords. Only the correct fingerprint or face unlocks the passkey and gives access to the application. Services such as Mastercard Biometric Authentication Service use this to do away with passwords.

Many apps and websites co-opt biometrics as part of multi-factor authentication. But hardware costs and privacy concerns remain significant restraints.

Hardware Tokens Become Viable Options

Hardware tokens use physical devices, such as a smart card or USB key, as the authentication mechanism. These tokens contain a unique identifier or generate an OTP when triggered.

All popular frameworks, such as FIDO2, OAuth and OpenID Connect, support hardware tokens. OpenID Connect verifies the user credential and enables single sign-on through the hardware token. OAuth generates a one-time token that grants the user authorisation to access a specific resource. FIDO2 delivers passkeys through the hardware token, reducing the chances of credential theft.

Hardware tokens eliminate the risks associated with delivering OTP or links through emails or SMS. Hackers cannot steal or duplicate the hardware tokens without committing physical theft.

The Increasing Prevalence of Zero Trust

Passwordless authentication aligns with the latest security approaches, such as Zero Trust. Zero Trust verifies users at every access point.

The Zero Trust model verifies users based on device health, user behaviour, and contextual information.

Of late, there is an increasing reliance on machine learning models to create unique behavioural profiles. These models consider user behaviour, location, device type, roles and permissions. The algorithms track user interactions and raise red flags when users deviate from their typical behaviour. For instance, if a user logs in from a new device or a location far away from their home or office, it triggers a concern. The system then mandates additional authentication.

The global passwordless authentication market size will rise from USD 18.82 billion in 2024 to USD 60.34 billion by 2032, with a CAGR of 15.7%. And this is by no means a surprising trend. Passwordless authentication strengthens security and improves the user experience. It also reduces operational costs for the business.
