A future where passwords no longer exist may be right around the corner—for real, this time.
Earlier this year, ironically, on World Password Day, Apple, Google, and Microsoft collectively announced plans to extend their support for passwordless authentication, building from the specification created by the FIDO Alliance and the World Wide Web Consortium (W3C). Through a technology called Passkey, users will be able to authenticate into compatible websites and applications by taking the same action they use to unlock their phones. This eliminates the need to remember a password.
For any consumer-facing business where digital engagement has become a crucial component of the customer experience, this announcement highlights an important technology trend for future innovation in their overall customer identity and access management (CIAM) strategies. Most consumers don't like remembering hundreds of passwords, so this is a prime opportunity to promote the adoption of passwordless authentication.
In light of that, we thought we’d break down a handful of common misconceptions associated with passwordless authentication, specifically using device biometrics, as we gear up for a future where arbitrary strings of characters will perhaps take a back seat in how we log in.
Misconception #1: Passwordless Is Not Secure
Since its inception in the 1960s, the username and password challenge has been the de facto experience for how we log in to applications. As a result, it's only natural to feel like anything without a password is insecure. The reality is that we've been tricked into a false sense of security.
When we look at the data, passwords consistently pose security challenges. NordPass reports that the average consumer must remember around 100 passwords across all their online accounts. Given the sheer volume of credentials we have to remember, it's no surprise that 86% of consumers admit to reusing a password, which presents a massive opportunity for attackers.
The 2022 Verizon Data Breach Investigations Report found that almost half of all data breaches start with stolen credentials. Unfortunately, the financial and social cost of these breaches averages six million dollars per business annually. In an environment where password reuse among consumers is the norm, where cybercriminals capitalize on that poor behavior, and where companies suffer the consequences, passwords are proving to be a less than ideal form of authentication.
Passwordless authentication using WebAuthn (a specification written by the W3C and FIDO) with device biometrics presents a unique solution to this problem, as it's effectively a two-factor authentication experience. Rather than authenticating based on something they know, users log in using something they have (the device, which holds a private key) and something they are (their biometric, which unlocks that key). Because the signed response is also bound to the website's origin, a look-alike site cannot obtain a response it could reuse. This is why some sources go as far as saying that passwordless authentication with WebAuthn device biometrics is the only standards-based authentication method that is unphishable.
💡 Reality: Passwordless authentication using device biometrics is actually more secure than username and password credentials because it's a 2FA experience.
Misconception #2: Passwordless Doesn't Benefit the Business
On the surface, the relationship between passwordless authentication and business value might not be obvious. The friction consumers experience is the key to debunking this myth. CIAM has evolved from a cost-center line item into a revenue-generating activity because of the positive impact it can have on user conversions. As consumer applications have become ubiquitous and central to most aspects of everyday life, every signup and sign-in is a built-in opportunity to engage with customers.
Historically, identity was solely the responsibility of IT teams. Now that customer identity offers an opportunity to provide seamless experiences at every touchpoint in the customer journey, it has become the responsibility and consideration of sales and marketing teams as well. If a customer is frustrated by the signup process, as 83% of respondents are, according to an Auth0 survey, these customers will abandon what they're doing in search of a friction-free registration and login process.
Revenue is on the line; 88% of online shoppers, for example, report that they would not return to a website after having a bad experience. A good experience starts from the first click, and passwordless frees users from having to create yet another username and password—a source of frustration for 53% of global consumers.
💡 Reality: Passwordless authentication can help grow top-line revenue by offering a superior customer experience.
Misconception #3: Passwordless Introduces Data Privacy Concerns
From both a financial and brand reputation perspective, businesses need to be sure that they meet the ever-changing and demanding requirements of data privacy laws. Google Trends data shows that search inquiries for "data privacy" have climbed 53% in the past decade. This aligns with heightened consumer and government concerns about how businesses collect and monetize personal data. Sixty-nine percent of consumers are worried about how their personal information is used by organizations. At the same time, governments around the world continue to introduce new laws and regulations designed to protect citizens' personal information, increasing globally from 10 to 144 in 2021—the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR) are two examples.
Given the rapidly evolving nature of this area—and the steep financial consequences for infringing on the law—there might be some apprehension about adopting passwordless authentication using device biometrics. The concern revolves around how organizations handle (e.g., store and secure) biometric data. Fortunately, under the WebAuthn specification the biometric never leaves the device: it is checked locally and serves only to unlock a private key that is itself contained within the device. Users never hand over their biometric information to the application they're accessing; the application receives only a signature made with that key. From a hardware perspective, some companies take it a step further by employing dedicated subsystems to segregate sensitive data.
💡 Reality: Using WebAuthn, businesses do not have to worry about handling biometric data. The specification demands that biometric data be contained within the device being used.
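To make the points from Misconception #1 and Misconception #3 concrete, here is an added Go example (not part of the original post and not Auth0's code) that models a stripped-down WebAuthn authenticator and relying party: the device signs over the browser-supplied origin and challenge plus a "user verified" flag, and the server only ever sees that flag and the signature, never the biometric. The RP ID, origin and challenge values are constructed for illustration, and the signature counter, attestation and CBOR parsing of a real implementation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Subset of WebAuthn clientDataJSON; the browser, not the page, fills in origin (Unmarshal matches keys case-insensitively).
type clientData struct{ Type, Challenge, Origin string }
const flagUV = 0x04 // authenticatorData flag: user verified (biometric or PIN checked on the device)
// Registration stand-in: one fresh P-256 key pair per credential (attestation omitted).
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// authenticatorData = SHA-256(rpId) || flags (signature counter and extensions omitted).
func authData(rpID string, flags byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], flags)
}
// What the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(ad, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}
// Authenticator side: the key stays on the device and the biometric is checked locally; the server receives only the UV flag and this signature.
func sign(priv *ecdsa.PrivateKey, ad, cdj []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdj))
}

// Relying-party side: the checks that make a WebAuthn login phishing-resistant.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, ad, cdj, sig []byte) error {
	var cd clientData
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("challenge mismatch: malformed, stale or replayed assertion")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was produced for another site")
	case len(ad) != 33 || string(ad[:32]) != string(authData(rpID, 0)[:32]):
		return errors.New("rpIdHash mismatch: credential is scoped to another relying party")
	case ad[32]&flagUV == 0:
		return errors.New("user verification (biometric) flag not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(ad, cdj), sig):
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}
```

The origin check is the phishing defense: an assertion made while the user is on a look-alike domain carries that domain in clientDataJSON, and rewriting the JSON afterwards invalidates the signature.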
Misconception #4: It's Difficult to Encourage Users to Use Passwordless
Humans are hard-wired to resist change, especially when that change appears to threaten our security. Though passwordless is still a long way from being the ubiquitous way to authenticate, businesses can take a few steps to gradually prime and convert users to authenticate into applications using their biometric information.
From a design perspective, changing the way you look at the login flow can have a strong impact. Instead of the usual username and password challenge, opt for an identifier-first flow to slowly change user behavior. With an identifier-first approach, users are first asked for an identifier, such as email address, phone number, or member ID. From there, they can select an authentication option that works best for them, such as biometrics, a magic link, or even a password. It's a slight change but one where users are actually empowered to choose an option they feel comfortable with.
From an education perspective, communicating the value of passwordless authentication for what it is—minimum friction with maximum security—is also a great start. Not only does it offer a seamless two-factor authentication experience, it's also more convenient. Our own data shows that WebAuthn has a better completion rate (95%) than other authentication methods, and it also has a lower time to complete (5 seconds).
💡 Reality: Product design and education are two avenues to promote the adoption of passwordless authentication with users.
Misconception #5: It's Too Hard to Go Passwordless
Because passwordless authentication is contingent on getting CIAM right in the first place, there is some truth to this misconception. Identity is inherently complex. Burdening your developers with this additional responsibility that draws their focus away from core product innovation might be met with frustration—especially if you've built an identity system in-house. Working with a CIAM provider who solely focuses on identity is one way to get started with passwordless authentication today.
💡 Reality: Partnering with an Identity-as-a-Service (IDaaS) provider dedicated to CIAM can accelerate your journey to going passwordless.
Get Started with Passwordless
At Auth0, we work with companies around the world to deliver seamless yet secure login experiences. Our platform is a developer-friendly authentication and authorization solution. Built on a set of composable building blocks, exposed through APIs and protocols, the Auth0 Identity Platform enables the creators within your business to tackle any customer identity use case.
Importantly, you'll be able to implement the latest, most innovative identity capabilities into your applications to the benefit of your customers without burdening your developers. Whether it's Adaptive MFA, WebAuthn, or Social Login, you can provide the identity experience that makes sense for your customers with the flip of a switch—it's actually a radio toggle, but you get the idea.
With the right identity solution, you can make incremental changes to your customers' login experience and rack up wins with passwordless authentication.
If you're interested in learning more about how Auth0 can help your organization on its way to a passwordless future, reach out to our team.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.