The end of passwords as we know it: Why experts say the future of security is passwordless

Russell Kidson
Feb 15, 2023
Updated • Feb 16, 2023

Over the years, passwords have posed a significant risk to enterprises. The Verizon 2022 Data Breach Investigations Report indicates that nearly 50% of data breaches are a result of stolen credentials. This widespread abuse of credentials has generated increased interest in passwordless authentication. Providers such as Google, Microsoft, and Apple have attempted to develop solutions in line with the FIDO Alliance's vision of a shared standard for passwordless sign-in.

Slavik Markovich, CEO and co-founder of Descope, has stated that "Passwords are detrimental to both security and usability." He notes that they are the primary cause of security breaches and are often the primary entry point for cybercriminals to achieve their goals. Moreover, passwords cause disruptions throughout the user journey, leading to dissatisfaction and a negative user experience, which may result in decreased user engagement or retention.

In addition, Markovich highlighted that recent advancements, such as FIDO2, WebAuthn, and passkeys, have laid the foundation for a future without passwords. However, he emphasizes that achieving this future will only be possible when app developers are equipped with the necessary tools and resources to effortlessly integrate passwordless authentication methods into their apps.

Descope aims to contribute to this "passwordless future" by simplifying the process for developers to incorporate passwordless authentication into their applications or services. It is a challenging and time-consuming task for development teams to construct these components from the ground up. Descope provides a drag-and-drop workflow editor that enables users to create authentication flows without the need for coding. These no-code workflows enable developers to establish user access controls and get their applications to market more quickly without sacrificing security.


The authentication market is booming

According to researchers, the market for passwordless authentication is expected to expand from $6.6 billion in 2022 to $21.2 billion by 2027, as more organizations seek protection against social engineering, phishing, and other forms of credential theft. One of Descope's primary competitors is Stytch, a tool that enables developers to create authentication flows via an API, as well as JavaScript and mobile SDKs. Stytch raised $90 million in Series B funding in November 2021 and achieved a valuation of $1 billion.

Another major player in the market is Auth0, a Customer Identity Access Management (CIAM) vendor that empowers organizations to establish access roles for application and API end-users, resulting in dynamic access controls. In 2021, Okta purchased Auth0 for $6.5 billion.

According to Markovich, Descope's primary distinction from other vendors is its use of workflows. "These no-code workflows simplify the process of constructing authentication while still providing app builders control over their UX and UI," he concluded.


Comments

  1. Anonymous said on February 16, 2023 at 3:12 pm

    The problems associated with biometric identification could have been mentioned.

  2. Nebulus said on February 15, 2023 at 11:37 pm

    How did you find out that the future is passwordless? Crystal ball? Divination? Tarot? Or maybe because the CEO of a company nobody heard about said so? Because the press/blogs say so? Not a big difference between all these methods IMO…

    1. mac said on February 16, 2023 at 7:26 am

      Coz the fingerprint-reading device manufacturers hired ghacks writers to write articles in favour of them.

  3. yanta said on February 15, 2023 at 8:53 pm

    That means that just over 50% are not as a result of passwords. 2FA and MFA are hype and more about tracking than they are about protection. The more data points you can gather from a user the more you can profile and target them. Biometrics is a massive privacy issue as the people that end up with that data are typically the least trustworthy of all – big tech and governments.

    1. Smdh said on February 16, 2023 at 8:47 am

      2FA cannot be used for tracking and you do not comprehend the protocol *at all*.

      The context is *per site* and to keep your data safe it MUST be so, that ghacks cannot see your google 2FA private key and vice versa.

      If people would just read the specs and think about a protocol for a second they would see why it would be terrible if every site can see all your accounts and private keys.

  4. upp said on February 15, 2023 at 8:53 pm

    I feel like passwordless is overhyped, it still needs your hand fingerprints, or your face to authenticate which is:

    – Not reliable because your fingerprints get thinner as you get older, my mom's fingerprints have pretty much disappeared atm, and me and most of us too, same with your face.
    – Giving your fingerprint and your face to a 3rd party is a huge security risk
    – People can fake everything, including fingerprints and faces, up to this point.

    1. piomiq` said on February 15, 2023 at 10:45 pm

      BTW. Fingerprint is very unsecure. Imagine that someone desperate to get your data (or money if we are talking about a bank account) will just cut your finger, or more.
      Of course you are absolutely right. Passwordless is overrated and there is not much security behind these methods.

  5. McCormacksAlgorithm said on February 15, 2023 at 6:05 pm

    It’s not. Without an account and a password, a second factor (2FA) is useless.

    1) If I lose my hardware 2FA my account name or at least password are NOT known to whomstever may find it.

    2) If my account name and password are compromised (credential stuffing because I re-used the account name / password on a hacked service), the 2FA keeps me safe.

    In actual physical security, we call it pillars of security. Why have steel doors and locks if they can be broken anyways? Because it costs time and makes it harder.

    With hardware 2FA and the stored ECC keys on it, this is easily in the 2^128 or 2^256 range of tries.

    If you want to hear some real talk, then listen to me, the future is OPAQUE:
    https://blog.cloudflare.com/opaque-oblivious-passwords/

    Why worry about having passwords stolen from incompetent websites, if they never leave your device?

    This is the real gamechanger you guys should write about:
    https://en.wikipedia.org/wiki/Password-authenticated_key_agreement#Augmented_PAKE

    1. McCormacksAlgorithm said on February 15, 2023 at 6:21 pm

      Addendum:
      https://github.com/cfrg/pake-selection

      The finalists of each round can be found here. The Crypto Forum Research Group is part of the Internet Engineering Task Force. So you can expect these to become a real standard soon. It’s not what companies want. They didn’t build the net, they just commercialized it.

      When I read:
      >passwords cause disruptions throughout the user journey

      Yeah, a locked door causes a disruption as well, but it lets me sleep at night. Do these guys hear themselves talking?
