The average person has to keep track of approximately 100 passwords and spends almost 13 minutes every week resetting those passwords. Due to this friction, password reuse is a major issue with over two-thirds of end users reusing passwords across sites, creating widespread security vulnerabilities. The Verizon Data Breach Investigations Report (DBIR) found that credential vulnerabilities are involved in more than 80% of all data breaches. Since password reuse is so common, a single compromised password can endanger multiple accounts.
Auth0 was the first IAM system to build support for passwordless authentication, and the reasons for doing so are as pertinent as ever:
- Passwords are insecure: users pick insecure passwords and reuse them across sites. Since data breaches are common and they frequently include password information, this creates a situation where more and more sites are vulnerable to hacking attempts.
- Passwords are expensive to manage: users forget them, and resetting passwords can be an expensive and time-consuming process.
- Passwords negatively impact customer retention: remembering and typing a password, particularly on a phone keyboard, carries friction, and can cause returning customers to abandon the login flow, therefore impacting retention.
We believe that moving away from passwords as an authentication method is key to making the internet safer while reducing friction and positively impacting user acquisition and retention.
Since our initial release, the authentication industry has been hard at work finding better ways to implement passwordless authentication. For example, the FIDO Alliance successfully led the specification and implementation of WebAuthn. In the last few years, WebAuthn has been implemented in all major OS/browsers, with iOS 14 and iPadOS 14 being the latest to join the party in September 2020.
WebAuthn as an Authentication Method
WebAuthn provides the combined benefit of minimum friction with maximum security. WebAuthn not only has a better completion rate (95%) than other authentication methods, but it also has a lower time to complete (5 seconds).
Together, these characteristics mean that when you use WebAuthn for passwordless sign-in, you can expect higher end-user conversion and retention.
When it comes to security, WebAuthn uses public-key cryptography instead of shared secrets, and it’s the only standard authentication method on the web today that is considered unphishable. Platform authenticators, which rely on the device’s biometric sensors, are easy to use and familiar for end users.
WebAuthn allows users to authenticate using one of two methods:
- Roaming authenticators: These are removable and cross-platform, such as a YubiKey that can be used on multiple devices. To use a roaming authenticator, you simply connect it to the device (through USB, NFC, or Bluetooth), provide proof of presence (e.g., touching it), and optionally an additional factor like a PIN or fingerprint scan.
- Platform authenticators: This includes the MacBook’s Touch Bar, Windows Hello, iOS Touch ID/Face ID, and Android’s fingerprint/face recognition. Since they are integrated into the device being used, these only work on that device.
Auth0 shipped support for using both Platform and Roaming authenticators as a second factor earlier this year.
One authentication method, two authentication factors
When you combine WebAuthn with biometric authentication, you are performing multi-factor authentication with a single action. You are logging in with both:
- Something you have (the device where you are logging in, which has been registered as yours)
- Something you are (fingerprint or face recognition), or something you know in case you are wearing a mask and need to use the passcode.
This means that in addition to removing the need to use a password, users can avoid being prompted for another authentication method when two authentication factors are needed. This is not only more secure but greatly enhances the user experience and removes a common friction point. If your application requires MFA, but you have been struggling with implementing it without impacting usability and conversion rates, WebAuthn is a great option.
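The two security properties described above, origin binding (what makes WebAuthn unphishable) and the user-verification flag (the second factor delivered in a single action), show up concretely in the checks a relying party runs on an assertion before verifying its signature. The following is an added example, not Auth0's code or a complete WebAuthn library; the relying-party ID, origin, challenge and flag values are constructed, and signature verification over the bytes the function returns is left to the caller.

```python
import base64
import hashlib
import json
import struct

# Constructed sample values for this example (not real ceremony data).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
CHALLENGE = b"constructed-challenge-0001"
FLAG_UP, FLAG_UV = 0x01, 0x04  # authenticatorData flag bits: user present, user verified

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not page script, fills in the origin it is actually running on.
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                     require_uv: bool = True) -> bytes:
    """Relying-party checks on an assertion; returns authData || sha256(clientDataJSON),
    the exact bytes the authenticator signed with the credential's private key."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        # A look-alike site yields a different origin, so its response is rejected
        # here even if the user was tricked into touching the authenticator.
        raise ValueError("origin mismatch: " + str(cd.get("origin")))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        raise ValueError("user presence (UP) not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification (UV) not asserted: no biometric/PIN factor")
    return auth_data + hashlib.sha256(client_data).digest()
```

Because the origin is written into clientDataJSON by the browser and covered by the signature, a response obtained on a look-alike domain fails the origin check rather than being accepted; requiring the UV flag is how a relying party insists on the biometric or PIN factor rather than a touch alone.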
Helping users adopt WebAuthn Biometrics
While the biometric systems market is experiencing significant growth (from 36.6 billion USD in 2020 to an expected 68.6 billion in 2025), millions of users still log into websites using username and password credentials. Auth0 sees this as an opportunity to develop biometric authentication workflows that ease login for end users while also simplifying implementation for developers.
If you’re already using Auth0, implementing WebAuthn does not have to be difficult for your end users. Auth0’s WebAuthn biometrics implementation enables Progressive Enrollment, which greatly simplifies enrollment for user devices by meeting them where they are. When a user authenticates with their username and password, Auth0 detects whether the device supports WebAuthn with Biometrics. If it does, it allows the user to decide whether they want to enable it. Once enabled, the next time they log in with that device, it will use biometrics.
To enable this feature for your users, go to the Authentication Profile section in the Auth0 dashboard and configure the login flow to use “Identifier First + Biometrics”.
Start your passwordless journey NOW!
Given the wide availability of devices that support WebAuthn with Device Biometrics, and Auth0’s progressive enrollment implementation, you can start today to make your application more secure and your users happier, one user at a time.
About the author
Andrés Aguiar
Product Manager
I’ve been at Auth0 since 2017. I’m currently working as a Product Manager for the Auth0 FGA and OpenFGA products. Previously, I worked in the teams that owned the Login and MFA flows.
I spent my entire 20+ year career building tools for developers, wearing different hats. When I'm not doing that, I enjoy spending time with my family, singing in a choir, cooking, or trying new kinds of local cheese.