DEV Community

Robertino

Originally published at auth0.com

Debunking Common Misconceptions About Passwordless Authentication

Original post written by Mallory Sword Glenn and Salman Ladha for Auth0 blog.

Increase user security, convenience, and privacy by enabling authentication using device biometrics

A future where passwords no longer exist may be right around the corner—for real, this time.

Earlier this year, ironically, on World Password Day, Apple, Google, and Microsoft collectively announced plans to extend their support for passwordless authentication, building from the specification created by the FIDO Alliance and the World Wide Web Consortium (W3C). Through a technology called Passkey, users will be able to authenticate into compatible websites and applications by taking the same action they use to unlock their phones. This eliminates the need to remember a password.

For any consumer-facing business where digital engagement has become a crucial component of the customer experience, this announcement highlights an important technology trend for future innovation in their overall customer identity and access management (CIAM) strategies. Most consumers don't like remembering hundreds of passwords, so this is a prime opportunity to promote the adoption of passwordless authentication.

In light of that, we thought we'd break down a handful of common misconceptions associated with passwordless authentication, specifically passwordless using device biometrics, as we gear up for a future where arbitrary strings of characters will perhaps take a back seat in how we log in.


Misconception #1: Passwordless Is Not Secure

Since its inception in the 1960s, the username and password challenge has been the de facto experience for how we log in to applications. As a result, it's only natural to feel like anything without a password is insecure. The reality is that we've been tricked into a false sense of security.

When we look at the data, passwords consistently pose security challenges. NordPass highlights that the average consumer has around 100 passwords to remember across all their online accounts. Given the sheer volume of credentials we have to remember, it is no surprise that 86% of consumers admit to reusing a password, which presents a massive opportunity for attackers.

The 2022 Verizon Data Breach Investigation Report found that almost half of all data breaches start with stolen credentials. Unfortunately, the financial and social impact of these breaches can cost a business an average of six million dollars annually. In an environment where password reuse among consumers is the norm, cybercriminals capitalize on that poor behavior and companies suffer the consequences; passwords are proving to be a less than ideal form of authentication.

Passwordless authentication using WebAuthn (a specification written by the W3C and the FIDO Alliance) with device biometrics presents a unique solution to this problem, as it is effectively a two-factor authentication experience. Rather than authenticating based on something they know, users log in using something they have (the device) and something they are (their biometric information). This is why some sources go as far as saying that passwordless authentication with WebAuthn device biometrics is the only standards-based authentication method that is unphishable.

💡 Reality: Passwordless authentication using device biometrics is actually more secure than username and password credentials because it's a 2FA experience.
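As an added illustration, not code from the original post or from Auth0: the relying-party checks on a WebAuthn assertion that make the login two-factor (the authenticator's user-present and user-verified flags) and origin-bound (the browser-supplied origin and the rpIdHash), run over constructed sample data. Function names, the sample origins and the challenge are assumptions; signature verification over the assertion is left out.

```python
import base64
import hashlib
import json

# Bit positions in the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present: the device itself was used (something you have)
FLAG_UV = 0x04  # User Verified: biometric or device PIN checked (something you are)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data_json(origin: str, challenge: bytes) -> bytes:
    """Constructed sample of the clientDataJSON the browser fills in and the authenticator signs over."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def check_assertion(rp_id, expected_origin, expected_challenge, client_data_json, auth_data):
    """Relying-party checks (hypothetical helper). Returns (ok, list of problems).
    The signature check over auth_data || SHA256(client_data_json) is omitted here."""
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client_data.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch (possible replay)")
    # The browser, not the page script, writes the origin: a look-alike site cannot forge it.
    if client_data.get("origin") != expected_origin:
        problems.append("origin mismatch (phishing site)")
    if len(auth_data) < 37:
        return False, problems + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        problems.append("user presence not asserted (device factor missing)")
    if not flags & FLAG_UV:
        problems.append("user verification not asserted (biometric/PIN factor missing)")
    return not problems, problems
```

A relying party that wants the two-factor property must require the UV flag, not just UP; an assertion with UP alone proves possession of the device only.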

Misconception #2: Passwordless Doesn't Benefit the Business

On the surface, the relationship between passwordless authentication and business value might not be obvious. The friction consumers experience is the key to debunking this myth. CIAM has evolved from being seen as a cost-center line item to a revenue-generating activity because of the positive impact it can have on user conversions. As consumer applications have become ubiquitous and central to most aspects of everyday life, every signup and sign-in is a built-in opportunity to engage with customers.

Historically, identity was solely the responsibility of IT teams. Now that customer identity offers an opportunity to provide seamless experiences at every touchpoint in the customer journey, it has become the responsibility and consideration of sales and marketing teams as well. If a customer is frustrated by the signup process, as 83% of respondents are, according to an Auth0 survey, these customers will abandon what they're doing in search of a friction-free registration and login process.

Revenue is on the line; 88% of online shoppers, for example, report that they would not return to a website after having a bad experience. A good experience starts from the first click, and passwordless frees users from having to create yet another username and password—a source of frustration for 53% of global consumers.
