As cyber threats continue to rise, companies are shifting towards passwordless authentication to improve both security and customer experience. This technology uses passkeys, biometrics, and magic links to replace traditional passwords, offering stronger defenses without the need for shared secrets.
The primary reason for this shift is the limitations of passwords themselves. Stolen credentials make up about a quarter of breach cases, according to Verizon’s 2024 Data Breach Investigations Report. Passwordless authentication offers an alternative solution to these issues.
Several factors are driving the adoption of passwordless technology, including regulatory requirements, technological advancements, and user expectations. Zero Trust guidance from the US Cybersecurity & Infrastructure Security Agency (CISA) sets phishing-resistant authentication as a baseline, while the industrialization of phishing and credential stuffing has made passwords indefensible.
Passkeys, built on the FIDO2 and WebAuthn standards, let users prove their identity with public-private key pairs stored on their devices: the private key never leaves the device and the server holds only the public key, so there is no shared secret to steal or phish. This gives stronger security than traditional passwords.
Biometric security, including face and fingerprint scans, is also gaining traction. Public opinion in the UK suggests that consumers prefer biometrics over passwords for device sign-in. However, biometrics still face open challenges, including liveness detection, spoof resistance, and account recovery.
Magic links, time-limited URLs sent to the user's email address, offer a simple yet secure authentication method for low-risk consumer workflows. There are trade-offs, including the exposure of the email inbox itself and possible delivery delays or interception, but magic links have remained in use and provide adequate security when paired with behavioral analytics and device recognition.
A comprehensive passwordless security program includes modern recovery methods, such as second-device passkeys and in-person proofing, to reduce reliance on legacy fallbacks that reintroduce phishable factors. When implemented well, these programs deliver a security upgrade, a better user experience, and lower costs at the same time.
Source: https://deloitte.wsj.com/riskandcompliance/out-with-the-old-is-ending-passwords-the-start-of-improved-identity-security-0f9a00bb