FEATURE

Digital Identity: Where is the world of passwordless heading?


Passwords have been in use since the early days of computing. Initially, they were simply used to access computers or networks. Over time, passwords have become the standard for protecting everything we do online. This system worked adequately for a while, but with the increasing sophistication of hackers and cybercriminals, it's becoming clear that passwords are no longer enough.


Enter digital identity. The authentication system is based on biometric data or other personal information to verify a user's identity. This technology promises to revolutionize security by providing stronger protection against fraud and data breaches.


This article discusses the implications of digital identity for security. Read on to learn where the world of passwordless authentication is heading.

The current state of passwords

Passwords are easy to use and familiar to most users. As such, they remain the most popular choice for authentication. However, countless studies have shown that passwords are far from secure.


Passwords are unsafe


Passwords can easily be stolen, guessed, or brute-forced by hackers. Best practices like using long, random strings and regularly changing passwords can help improve security. The problem is that these measures are not widely followed.


In fact, 53% of people rely on memory for their passwords, meaning they are simple enough to remember. Most are not secure enough to protect against malicious actors. Additionally, the reuse of passwords is rampant. One study found that 78% of Gen-Z use the same password for multiple accounts. This means that if one account is compromised, all other accounts with the same password are also at risk.


With phishing scams, keyloggers, and other malicious attacks on the rise, passwords can no longer be trusted as a reliable security measure. The recent “RockYou2021” data breach was a stark reminder of just how vulnerable passwords can be. This massive leak exposed 8.4 billion unique passwords, compiled into a single list and made available online. It was the biggest data breach of all time and served as an example of why organisations need to move away from traditional passwords for authentication.


Passwords protect vital information


Additionally, passwords are used to protect highly sensitive information, such as professional and medical records. They are also used to access websites and services that require authentication, such as banking sites or social media accounts. Given the potential risks associated with compromised passwords, it is clear that a more secure authentication system is needed.


Passwords cause friction


Finally, passwords can cause user frustration and drop-off. Users often forget their passwords or must go through multiple steps to reset them if they get locked out of an account. It can be a lengthy process that may lead users to abandon the site altogether, resulting in lost revenue for businesses.

The beginning of Passwordless Authentication

In recent years a host of technologies have been developed to address these issues. Among the first was Multi-Factor Authentication (MFA). MFA requires users to provide two or more forms of authentication to verify their identity and access an account.


These forms of authentication can be something the user knows, such as a password or PIN, something the user has, like a security token or physical device, or something the user is, such as a biometric. This type of authentication requires the user to provide multiple pieces of evidence that they are who they say they are, making it much harder for malicious actors to gain access.

Apple's addition of "Touch ID" and "Face ID" to its iPhones, in 2013 and 2017 respectively, was also a form of biometric authentication. This technology uses the user's fingerprints or face to authenticate their identity. Although it was initially only used for device unlocking, it quickly spread to other areas, such as banking apps and online logins.


It marked a shift away from passwords and towards more secure authentication methods. As the technology became more commonplace, other organisations also began to develop their own biometric authentication systems.


However, it's worth noting that MFA is not synonymous with passwordless authentication. It is an additional layer of security, which typically still includes a username and password. In order to truly be "passwordless," biometrics must be used as the sole form of authentication — no passwords are allowed.


About Cryptographic Keys


One of the more promising developments in passwordless authentication is using cryptographic keys. These keys are generated using a mathematical algorithm and can be an alternative to traditional passwords. A pair of keys is generated — a private key known only to the user and a public key shared with other users who wish to communicate securely.


The private and public keys are linked together, making the system incredibly secure as the two keys must be used in tandem for authentication. Every passkey generated is unique to the user, making it virtually impossible for someone to guess or brute force their way into an account. Using the cloud, these keys can be stored remotely and accessed from anywhere with an internet connection.


Cryptographic keys are becoming increasingly popular, particularly in finance, healthcare, and government industries, where security is paramount. They are also gaining steam in the consumer market as companies look for ways to make authentication easier and more secure for their customers.


The FIDO Alliance


As for the near future, all eyes are on the Fast IDentity Online (FIDO) Alliance. FIDO is an open industry consortium that was founded in 2013 with the aim of improving online authentication standards. In 2017, they released their first standard — the FIDO2 specification. It aims to allow users to access accounts using a username and biometric or hardware-based authenticator such as a USB key.


The FIDO2 specification combines public-key cryptography and biometric authentication to create strong, user-friendly authentication systems. It allows users to securely log into accounts without remembering passwords, making it much more convenient than traditional methods.
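The key-pair login described in the two sections above can be sketched as follows. This is an added example, not code from the FIDO2 specification or from any vendor: it uses Node's built-in crypto module with Ed25519 keys, a simplified message format rather than the WebAuthn wire format, and a constructed origin and function names.

```javascript
// Added example: simplified passkey-style login (not the WebAuthn wire format).
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const ORIGIN = 'https://shop.example'; // constructed site origin (assumption)
const registered = new Map();          // server: username -> public key only
const pending = new Map();             // server: username -> outstanding challenge

// Device: create a key pair for this site; the private key never leaves the device.
function createPasskey() {
  return generateKeyPairSync('ed25519');
}

// Server: keep only the public key, so a database leak exposes no login secret.
function register(user, publicKey) {
  registered.set(user, publicKey);
}

// Server: issue a fresh random challenge for every login attempt.
function startLogin(user) {
  const challenge = randomBytes(32).toString('hex');
  pending.set(user, challenge);
  return challenge;
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: sign(null, Buffer.from(clientData), privateKey) };
}

// Server: check the signature, then that the challenge is ours and the origin matches.
function finishLogin(user, { clientData, signature }) {
  const publicKey = registered.get(user);
  const expected = pending.get(user);
  pending.delete(user); // single use: a replayed assertion finds no challenge
  if (!publicKey || !expected) return false;
  if (!verify(null, Buffer.from(clientData), publicKey, signature)) return false;
  try {
    const { challenge, origin } = JSON.parse(clientData);
    return challenge === expected && origin === ORIGIN;
  } catch {
    return false; // signed data that is not valid JSON is rejected
  }
}
```

A replayed assertion, an assertion signed on a look-alike origin, and an assertion signed with a different key all fail `finishLogin`, which is what separates this scheme from a reusable password.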


In 2022, three tech giants came to an agreement to allow users to log into their services with a FIDO2-compliant hardware or biometric authenticator. Apple, Microsoft, and Google are all in the process of implementing FIDO2 into their services, paving the way for passwordless authentication.


Users will be able to log in seamlessly to their online accounts, whether from Apple's iOS devices, Microsoft's Windows, or Google's Android devices. All three will share the same authentication standards, making life much easier for the end user. This feat will be possible thanks to a digital identity stored on the user's device, meaning that a single set of credentials can be used across multiple services.


This unified authentication system promises to make online transactions easier for the user. For example, an iPhone user should be able to log in to a Windows 10 PC using their Face ID. Likewise, a Gmail user should be able to log in using their Android phone. Now that the giants have got the ball rolling, smaller companies are expected to follow suit and implement FIDO2 into their own services.


Near-Field Communication


Another promising technology for passwordless authentication is near-field communication (NFC). NFC allows two devices that are close together to communicate without needing a physical connection. Users can securely log into their accounts by tapping their phone or another device on an NFC reader.


NFC, the same technology used for contactless payments, can be used for authentication without passwords or PIN codes. All the user has to do is tap their phone on an NFC reader, and they will be securely logged into their account. In the professional setting, NFC can also be used for secure access control and authentication in physical locations.


NFC is gaining traction as more businesses look to implement it into their everyday operations. For example, several banks now offer contactless payment cards that use NFC technology to make transactions more seamless and secure. Hotels also take advantage of NFC by allowing guests to use their phones to check in and open their room doors.

Next steps

Our digital life is becoming increasingly intertwined with our physical reality. Using NFC, the banking industry has already made great strides in authentication, and the same technology is expected to be adopted by other industries soon. But passwordless can go far beyond that.


As mass adoption continues, we will see government entities moving toward a digital identity as a part of their security measures. China is leading the charge in this regard, having already implemented a national digital identity system. The initiative supports the 100 million Chinese citizens who have moved away from where their physical ID was issued. When these people need access to government services, they can easily use their digital ID to prove their identity. Otherwise, they would have to return to their hometown, where their physical ID is valid.


China's digital ID can also be used to book hotels, buy tickets, or access banking using facial recognition. This system is an excellent example of how digital identity can improve security and simplify daily processes for the user.


Canadians also teased their digital identity system in early 2022, though the details of this system remain murky. As more countries embrace this technology, it will be interesting to see how digital identity is used in different contexts.
