Passwordless Authentication is not just coming; it’s here. Nowadays, you can’t log into an app, check your bank balance or even unlock your phone without a biometric scan or an email confirmation.

But before we believe all the hype, is passwordless authentication really ubiquitous enough to make a lowercase, a capital, and a special character obsolete forever? Forever is a long time, but the trend towards passwordless authentication is compelling.

What is Passwordless Authentication?

Passwordless authentication is just that; being able to access a service without using a password. Substitution authenticators can include biometrics like FaceID, Hardware tokens like YubiKey, one-time passwords (OTPs) via email, and many others.

Lines get blurred here. Sometimes passwordless authentication is used by itself, and sometimes it’s one of the methods used in MFA. So either In lieu of (or in addition to) a passphrase, going ‘passwordless’ basically implies the user is proving they are who they are by providing something physically unique (a thumbprint), something only they should possess (a phone or a key), or both (a key that requires a thumbprint).

When done right, passwordless authentication aligns with Fast Identity Online 2 (FIDO2) standards, leveraging the WebAuthn API and Client to Authenticator Protocol 2 (CTAP2).

The Growth of Passwordless

In 2021, the global passwordless authentication market was valued at $12.8 billion. However, it is projected to reach a whopping $40.2 billion by 2031, just ten years later, exhibiting a CAGR of 12.2% each year of the decade.

2023 is being dubbed “the year of passwordless authentication,” and predictions are being made that “passwords may soon be relegated to the past.” It’s easy to think; now that there’s a quicker, easier way, who would want to go back to pecking out lengthy phrases and remembering what they capitalized the last time? (You shouldn’t be pecking out lengthy phrases, anyway. Get yourself a password manager.)

A survey from Enterprise Security Group (ESG) revealed that:

• Over half (54%) of respondents have begun to transition towards passwordless
• Over a third (34%) cited passwordless as among their top three identity-related activities
• 31% said passwordless was the top identity-related activity

And among those who made the switch, two-thirds reported increased IT and security efficiency, and more than half positively responded to the reduced risk and improved UX. Across the board, all passwordless indicators seem to be strong.

Don’t Ditch Those Password Managers Just Yet

Notwithstanding the undeniable growth, passwords are still very much here to stay. At least for the next few years, and here’s why.

First, too many legacy applications still rely on passwords. There is too much inherited architecture to foresee a complete overhaul in the near future. That means using ‘best of breed’ tools to manage apps that require passwords, like password managers or Oauth. Passwords will still be relevant for a long time, and there will still be a need for good password hygiene, requirements for password length, and all the relevant cautions attached.

Second, there are some solutions that seem ‘passwordless’ but are really just passing the buck. Ever come across a site that doesn’t require a password, but instead sends a code to your known email address? They’re assuming you have access to your email, which is protected by … well, usually, a password. Maybe MFA. So, they’re trusting that whatever authentication policy is good enough for that email service is good enough for them.

When done right, passwordless authentication is not only more secure, it can be more convenient. But passwords aren’t going away any time soon. Passwordless will progress much like other security innovations: Steadily, surely, and with a lot of changes and improvements along the way.