The end of passwords as we know it: Why experts say the future of security is passwordless
Over the years, passwords have posed a significant risk to enterprises. The Verizon 2022 Data Breach Investigations Report indicates that nearly 50% of data breaches are a result of stolen credentials. This widespread abuse of credentials has generated increased interest in passwordless authentication. Providers such as Google, Microsoft, and Apple have attempted to develop solutions in line with the FIDO Alliance's vision of a shared standard for passwordless sign-in.
Slavik Markovich, CEO and co-founder of Descope, has stated that "Passwords are detrimental to both security and usability." He notes that they are the primary cause of security breaches and are often the primary entry point for cybercriminals to achieve their goals. Moreover, passwords cause disruptions throughout the user journey, leading to dissatisfaction and a negative user experience, which may result in decreased user engagement or retention.
In addition, Markovich highlighted that recent advancements, such as FIDO2, WebAuthn, and passkeys, have laid the foundation for a future without passwords. However, he emphasizes that achieving this future will only be possible when app developers are equipped with the necessary tools and resources to effortlessly integrate passwordless authentication methods into their apps.
Descope aims to contribute to this "passwordless future" by simplifying the process for developers to incorporate passwordless authentication into their applications or services. It is a challenging and time-consuming task for development teams to construct these components from the ground up. Descope provides a drag-and-drop workflow editor that enables users to create authentication flows without the need for coding. These no-code workflows enable developers to establish user access controls and get their applications to market more quickly without sacrificing security.
The authentication market is booming
According to researchers, the market for passwordless authentication is expected to expand from $6.6 billion in 2022 to $21.2 billion by 2027, as more organizations seek protection against social engineering, phishing, and other forms of credential theft. One of Descope's primary competitors is Stytch, a tool that enables developers to create authentication flows via an API, as well as JavaScript and mobile SDKs. Stytch raised $90 million in Series B funding in November 2021 and achieved a valuation of $1 billion.
Another major player in the market is Auth0, a Customer Identity Access Management (CIAM) vendor that empowers organizations to establish access roles for application and API end-users, resulting in dynamic access controls. In 2021, Okta purchased Auth0 for $6.5 billion.
According to Markovich, Descope's primary distinction from other vendors is its use of workflows. "These no-code workflows simplify the process of constructing authentication while still providing app builders control over their UX and UI," he concluded.
The problems associated with biometric identification could have been mentioned.
How did you find out that the future is passwordless? Crystal ball? Divination? Tarot? Or maybe because the CEO of a company nobody heard about said so? Because the press/blogs say so? Not a big difference between all these methods IMO…
Coz the fingerprint-reading device manufacturers hired ghacks writers to write articles in favour of them.
That means that just over 50% are not as a result of passwords. 2FA and MFA are hype and more about tracking than they are about protection. The more data points you can gather from a user the more you can profile and target them. Biometrics is a massive privacy issue as the people that end up with that data are typically the least trustworthy of all – big tech and governments.
2FA cannot be used for tracking and you do not comprehend the protocol *at all*.
The context is *per site* and to keep your data safe it MUST be so, that ghacks cannot see your google 2FA private key and vice versa.
If people would just read the specs and think about a protocol for a second they would see why it would be terrible if every site can see all your accounts and private keys.
I feel like passwordless is overhyped, it still needs your hand fingerprints, or your face to authenticate which is:
– Not reliable because your fingerprints get thinner as you get older; my mom's fingerprints have pretty much disappeared at this point, and mine and most of ours too, same with your face.
– Giving your fingerprint and your face to 3rd party is a huge security risk
– People can fake everything, including fingerprints and faces, up to this point.
BTW, fingerprints are very insecure. Imagine that someone desperate to get your data (or money, if we are talking about a bank account) will just cut off your finger, or more.
Of course you are absolutely right. Passwordless is overrated and there is not much security behind these methods.
Read: https://www.sciencefocus.com/the-human-body/can-fingerprints-change-during-a-lifetime/
It’s not. Without an account and a password, a second factor (2FA) is useless.
1) If I lose my hardware 2FA, my account name, or at least my password, is NOT known to whomever may find it.
2) If my account name and password are compromised (credential stuffing because I re-used the account name / password on a hacked service), the 2FA keeps me safe.
In actual physical security, we call it pillars of security. Why have steel doors and locks if they can be broken anyways? Because it costs time and makes it harder.
With hardware 2FA and the stored ECC keys on it, this is easily in the 2^128 or 2^256 range of tries.
If you want to hear some real talk, then listen to me, the future is OPAQUE:
https://blog.cloudflare.com/opaque-oblivious-passwords/
Why worry about having passwords stolen from incompetent websites, if they never leave your device?
This is the real gamechanger you guys should write about:
https://en.wikipedia.org/wiki/Password-authenticated_key_agreement#Augmented_PAKE
Addendum:
https://github.com/cfrg/pake-selection
The finalists of each round can be found here. The Crypto Forum Research Group is part of the Internet Engineering Taskforce. So you can expect these to become a real standard soon. It’s not what companies want. They didn’t build the net, they just commercialized it.
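To show concretely what this comment means by the password never leaving the device, here is an added, simplified walk-through of the OPRF step at the heart of OPAQUE (an augmented PAKE). It is illustrative code written for this page, not code from the commenter, Cloudflare, or the CFRG. Assumptions: it uses plain modular exponentiation modulo the prime 2^255 - 19 as the group (real OPAQUE uses an elliptic-curve OPRF such as ristretto255), a single server-wide OPRF key instead of a per-user one, and an HMAC tag of the derived "randomized password" in place of OPAQUE's encrypted envelope and authenticated key exchange. What it does show faithfully is the blinding: the server only ever sees H(pw)^r for a fresh random r, so it learns nothing about the password, and a stolen verifier database is useless without the server's OPRF key.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed demo group: exponentiation modulo the prime 2^255 - 19 (assumption;
# real OPAQUE uses an OPRF over ristretto255 or P-256, but the algebra is the same).
P = 2**255 - 19
G = 2


def hash_to_group(password: bytes) -> int:
    """Map a password to a group element. Only the client ever computes this."""
    h = int.from_bytes(hashlib.sha256(b"demo-H2G|" + password).digest(), "big")
    return pow(G, h, P)


def client_blind(password: bytes):
    """Client step 1: raise H(pw) to a one-time random r.
    The server receives H(pw)^r, which looks uniformly random to it."""
    while True:
        r = secrets.randbelow(P - 1)
        if r > 1 and gcd(r, P - 1) == 1:  # r must be invertible mod P-1
            return r, pow(hash_to_group(password), r, P)


def client_unblind(evaluated: int, r: int) -> int:
    """Client step 3: strip r, leaving H(pw)^k where k is the server's OPRF key.
    (x^r)^k raised to r^-1 mod (P-1) gives x^k because x^(P-1) = 1 mod P."""
    return pow(evaluated, pow(r, -1, P - 1), P)


def derive_rwd(password: bytes, oprf_output: int) -> bytes:
    """'Randomized password' rwd = H(pw || H(pw)^k). Brute-forcing it offline
    requires k, which is what makes the construction 'augmented'."""
    return hashlib.sha256(password + oprf_output.to_bytes(32, "big")).digest()


class Server:
    """Holds the OPRF key and per-user verifiers. It never receives the password,
    H(pw) or rwd; only blinded group elements and an HMAC-derived tag."""

    def __init__(self):
        self.oprf_key = secrets.randbelow(P - 2) + 2   # secret k
        self.verifiers = {}                            # user -> tag
        self.transcript = []                           # everything seen on the wire

    def oprf_evaluate(self, blinded: int) -> int:
        """Server step 2: raise whatever it received to k; it cannot invert r."""
        self.transcript.append(blinded)
        return pow(blinded, self.oprf_key, P)

    def register(self, user: str, verifier: bytes) -> None:
        self.verifiers[user] = verifier

    def check(self, user: str, verifier: bytes) -> bool:
        return hmac.compare_digest(self.verifiers.get(user, b""), verifier)


def client_run(server: Server, password: bytes) -> bytes:
    """One OPRF round trip on the client; returns rwd. Registration and login
    both use exactly this exchange."""
    r, blinded = client_blind(password)
    evaluated = server.oprf_evaluate(blinded)
    return derive_rwd(password, client_unblind(evaluated, r))


def verifier_for(rwd: bytes) -> bytes:
    # Simplification (assumption): an HMAC tag of rwd stands in for OPAQUE's
    # encrypted envelope plus authenticated key exchange.
    return hmac.new(rwd, b"demo-verifier", hashlib.sha256).digest()


def register(server: Server, user: str, password: bytes) -> None:
    server.register(user, verifier_for(client_run(server, password)))


def login(server: Server, user: str, password: bytes) -> bool:
    return server.check(user, verifier_for(client_run(server, password)))


if __name__ == "__main__":
    srv = Server()
    register(srv, "alice", b"correct horse battery staple")
    print("login ok:", login(srv, "alice", b"correct horse battery staple"))
    print("wrong pw:", login(srv, "alice", b"Tr0ub4dor&3"))
    print("password element ever on the wire:",
          hash_to_group(b"correct horse battery staple") in srv.transcript)
```

The point to take from running it is in the server's transcript: every value it saw is a different blinded element, none of them equals H(pw), and its stored verifier cannot be turned into a dictionary attack without also stealing the OPRF key. That is the property the comment is pointing at; the parts this demo simplifies (per-user OPRF keys, the envelope, the key exchange that replaces sending a tag) are what the OPAQUE specification adds on top.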
When I read:
>passwords cause disruptions throughout the user journey
Yeah, a locked door causes a disruption as well, but it lets me sleep at night. Do these guys hear themselves talking?