Despite all their cons, passwords remain the most popular mechanism for enforcing security to protect users’ data. Some may think that the idea of “the future without passwords” is not new. There are existing authentication techniques, like biometric sensors and hardware keys, that do not require users to enter complex passwords to sign in. However, the initial account creation still requires the use of passwords due to various reasons that will be explained in the "Existing Passwordless Options" section.
Passwords have several vulnerabilities. First of all, passwords are shared secrets. When users create new accounts, their passwords are stored on a server. The server verifies a user's identity by comparing the stored value with what the user enters. Attackers can compromise the servers and gain access to users' passwords. Even if developers implement password storage with hashing and salting correctly, the server software can still leak passwords through other bugs, such as leaving passwords in logs. Passwords are also very susceptible to other types of attacks such as phishing, man-in-the-middle (MITM) attacks, and so on.
In addition, it is said that a single password is used to access five accounts on average, which is a leading factor in why people get hacked. Using different passwords can also be a risk factor since people might have a hard time remembering all of them. As a result, tech giants like Apple, Google and Microsoft are working together to create a future without passwords with passkeys.
Existing Passwordless Options
Several passwordless options already exist. Below are some examples.
One Time Passwords (OTP)
In general, going passwordless is more secure than user-generated passwords since the credentials used for passwordless authentication are harder for hackers to replicate or spoof.
Nevertheless, the current state of passwordless authentication isn't enough for everyday use yet. Hardware keys are inconvenient to use and to back up, which limits their popularity. You can't transfer biometric data between iOS and Android devices. Attackers can intercept OTPs sent through SMS or email before they reach the intended users, or they can obtain the OTPs through phishing.
Passkey: A Step Closer to a Future Without Passwords
Passkeys are the alternative to passwords that will make the future without passwords a reality. They offer users a passwordless sign-in to websites and applications. They are more secure, reliable, and convenient than passwords and the existing passwordless solutions.
The design of passkeys is based on the Web Authentication (WebAuthn) standard, which uses public key cryptography and therefore reduces the threat from database breaches. When a user registers with a site or app, the user's device generates a public-private key pair. The public key is stored on the server, but it is useless to attackers: they cannot derive the user's private key, which is required to complete authentication, from the public key.
When logging into websites or apps, users simply have to unlock their devices using biometric authentication, like Face ID or Touch ID, to authorize the use of passkeys for authentication.
Passkeys have also made cross-device and cross-platform authentication possible. Since passkeys are based on FIDO (Fast IDentity Online) standards, they will be supported by many popular platforms and browsers such as Microsoft Windows, Microsoft Edge, macOS, iOS, Safari, and Android. Not only will passkeys be synchronized across a user's devices on the same platform, users can also log into websites and apps on different platforms. For example, even if users initially create their accounts on iOS, they simply have to scan a QR code generated by another platform, such as the Chrome browser, with the registered iOS device to log in.
Authgear allows developers to easily support the use of passkeys as a primary authenticator in your apps. After you integrate your apps with Authgear, all you have to do is click a toggle to enable passkeys for your apps. This gives users easy access without having to log in with passwords.
Furthermore, Authgear also comes with a set of authentication and user management features, such as pre-built signup and user profile pages, user analytics, WhatsApp OTP, social logins, etc., to help you provide better user experience, increase app conversion rate, and boost user retention rate.