For years the tech industry has promised a shift toward a passwordless future. In 2013, for example, the FIDO Alliance was created to solve the world’s password problem by replacing login technology.
Google, PayPal, and Lenovo were among the alliance's earliest members. By 2015, Microsoft joined, and in 2020, Apple followed. The road to a passwordless world has been slow, but seems to have accelerated in the past year, helped in part by Microsoft's move to passwordless sign-in.
Apple has also promised that passwords will be a thing of the past, and passkeys will become available for iOS 16. Microsoft is already providing passwordless features to Azure Active Directory, and for Google, multi-factor authentication (MFA) has become mandatory.
While big tech phases in new authentication solutions, Dashlane, a password manager used by more than 20,000 companies and more than 15 million users, has gone further and shipped passkey support outright.
Dashlane last month integrated passkeys into its cross-platform password manager. Users can now set up passkeys in Dashlane to log into sites and apps, replacing traditional passwords.
Dashlane took a different approach to passkeys than the one Microsoft, Google, and Apple have embarked on, whose cross-device flow requires users to pick up their phone, scan a QR code, and confirm with Face ID, a fingerprint, or a PIN. Dashlane claims its process is simpler because it has apps for most platforms and extensions for most browsers, so the passkey is available wherever Dashlane runs and logging in takes fewer steps from the user.
But beyond these cases, how advanced is the implementation of the technology that wants to end passwords once and for all?
The Natural Log-in Evolution
eSecurity Planet spoke with Aarti Dhapte, senior research analyst at Market Research Future, to understand how big the passkey market is, what technical challenges it faces, and what the security, legal, and ethical implications are that affect the sector.
The senior research analyst says the industry sees passkeys as the solution to the many password problems and is investing in them heavily. The passkey market size in 2021 was $158.7 million and is expected to reach $3.4 billion by 2030, an increase of roughly 2,000% (about twentyfold) in less than a decade.
Dhapte explains that passkeys are a natural next step. Driven by significant tech investments — responsible for pushing the new authentication technology — the industry and users have been getting accustomed to the latest tech, first with two-factor authentication (2FA), followed by MFA and now with passkeys.
However, the challenges to making this global shift are significant. The hardware and software on both ends, users' devices and the websites they sign into, still need to catch up.
For example, widespread biometric unlock only became practical with smartphones that have the on-device compute and secure sensors needed to match faces and fingerprints accurately. In a similar way, companies like Apple and Google are now changing their phone operating systems and browsers to support passkeys.
Market Research Future advises tech companies that want to join the movement to go through the natural steps of evolution and first deploy 2FA as a starting point.
“After that, progress to MFA,” said Dhapte. “It allows users to become accustomed to the passwordless experience before making the complete change.”
Dhapte said that MFA educates workers on biometrics, smart cards, and other passwordless technologies, lowering friction during future full-passwordless onboarding procedures.
The Challenges of New Authentication Technologies
While the use of passwords is expected to decline over time, industry experts and vendors say that adopting new technologies will be tedious and time-consuming.
“Opinions on the future of passwords remain divided, but hope for a password-free industry continues,” Dhapte says.
One of the main challenges is that passwords will continue to exist in older systems and legacy tech. Another challenge is users' misconception about passkeys, often expecting completely frictionless access. However, a passkey is not a new kind of password but a FIDO credential: a public/private key pair whose private half is unlocked by the device's existing screen lock, so to some extent users have been going through the same motions for some time.
“They are nothing that most people haven’t seen or used before. Many banks and financial applications, including Mint, now employ Face ID or Touch ID,” said Dhapte. “From where consumers stand, that is precisely how passkeys will work: Users will verify with their face or fingerprint.”
The technology built to make users' lives easier has a set of problems that make its "behind-the-scenes" technical processes very complex. Compatibility is one of these problems. With a password, the secret (or a hash of it) lives on the site; with a passkey, the site holds only a public key, and the private key stays on the user's device or in a synced credential manager. So if a user creates a passkey on one device, they still expect to reach the site or app from another device.
Google, like Apple, says it will guarantee that kind of availability. Apple solves this by syncing passkeys through iCloud Keychain, making them available across Apple devices, but what if the user wants to log in from a Windows-based computer? The fallback is the cross-device flow: the Windows browser shows a QR code, the phone scans it, proves it is physically nearby over Bluetooth, and signs the login challenge. Tying access to every app, service, and site to one device or one vendor's cloud, without a doubt, presents both security and convenience issues.
Additionally, for passkeys to become a mainstream technology, most companies and organizations must adopt them, and users must have devices that support the tech. Without the resources and technological tools, many are left out of the movement.
“Websites will retain existing passwords. They have to since it will be decades before every user has the appropriate hardware and software,” Dhapte said. According to Dhapte, even if some consumers can afford a new device, websites will not remove all password authentication because they risk losing other users.
The account recovery element of passkeys is another double-edged sword. While a consumer application will almost certainly be pleased to outsource account recovery to Apple, Google, or Microsoft, many administrators may not be.
Security, Legal and Ethical Implications
Concentrating every passkey on a single device can become a security and availability nightmare if a phone is lost, stolen, or physically accessed. In practice the private keys sit behind the device's secure hardware and screen lock, so possession alone does not hand them over; the larger problem is that the owner loses access to every account at once. Even changing phones is not a streamlined process when using 2FA and MFA, especially considering the number of services and sites users sign into every week.
On the other hand, passkeys should do much to stop email phishing: the credential is bound to the site's domain and the signature covers a fresh server-issued challenge, so a look-alike site cannot collect anything it can reuse. Cyber criminals can instead turn to malware that compromises and unlocks the phone itself, and these types of attacks are expected to increase. Biometrics is presented as the solution to this security issue. But some are not fully convinced.
In 2014, a security researcher, Jan Krissler, alias Starbug, demonstrated this vulnerability by utilizing a high-resolution photo of German Defense Minister Ursula von der Leyen's thumb and "reconstructing it with commercial software to demonstrate the relative simplicity of fingerprint identity theft," Dhapte said.
Additionally, in 2020, Cisco Talos showed that some fingerprint readers could be fooled with fakes made using 3D printing.
Biometrics controls and controversies
Liveness checks, which are still being perfected, have since been deployed to make it harder for cyber criminals to defeat biometrics. How biometric data is stored, managed, and deleted has also progressed.
Today, the most advanced biometric systems never store video, fingerprint images, or other raw data. They convert it into templates that are designed so that, even if leaked or breached, they cannot be turned back into a usable biometric or used to take over an account. Passkeys go a step further: the biometric never leaves the device at all. The face or fingerprint only unlocks the locally stored private key, and the website receives nothing but a cryptographic signature.
The use of biometrics also comes with ethical and legal costs. The risk of misuse is significant. Identity, citizenship, and surveillance are all societal concerns.
“Biometric identity raises broader concerns about citizenship, monitoring, and human rights,” Dhapte said.
These dangers are exacerbated by a lack of standards, regulatory safeguards, ecosystem collaboration, and broad public knowledge.
“Varied legal coverage (for customers vs. workers, for example) by industry, variable recourse, and precedents all contribute to a perplexing compliance effort with various legal difficulties,” Dhapte added.
Companies that do not protect biometric data can face legal consequences, reputation damages, fines, and other penalties. The European Union General Data Protection Regulation (GDPR) considers biometric data as sensitive data that requires the informed consent of the involved person. In the U.S., several federal and state laws regulate data security and biometrics.
In 2008, Illinois became the first U.S. state to enact biometric legislation with the Biometric Information Privacy Act (BIPA). More than 25 states followed, passing biometric laws. These include Texas, Washington, California, New York, Louisiana, Oregon, and Arkansas. These state laws regulate how companies collect, retain, disclose, and destroy biometric information, among other things.
Biometric lawsuits have already reached state supreme courts. In Cothron v. White Castle System, Inc., employees filed a class-action lawsuit against the company for scanning their fingerprints without asking for prior consent. If the Illinois Supreme Court rules against the company, the penalties are so severe that it could lead to the company's bankruptcy. As biometric technology continues to be adopted, a rise in related lawsuits can be expected.
In today’s technological environment, cryptography is frequently employed as a method of information security. It has been used in everyday home objects, e-commerce, email, and other internet-based services. The rising dependence on cryptographic technologies has highlighted many worldwide ethical and security concerns.
“Cryptography’s problems focus on intellectual property and copyright issues, hence a matter of information access. Indeed, encryption is the foundation for copyright and access permission in digital contexts,” Dhapte added.
Awaiting the future
Passwords will continue to evolve, and passkeys are poised to take over. Whether the ride will be gradual or abrupt is yet to be fully seen. The passwordless future is paved with serious challenges, and an honest debate about its realities and processes should unfold before its global implementation.
“We will have to wait for all the companies involved to provide their passkey implementations before we can comprehend the full effect and possible mitigations,” Dhapte said.