Ranjitkumar Sivakumar is the Head of Engineering at Amazon specializing in data security, cybersecurity, and identity risk management.
We’re at a crossroads where authentication protocols and mechanisms need a complete refresh to combat the security breaches involving the exploitation of vulnerabilities, social engineering attacks and unsafe use of third-party software.
According to the Identity Theft Resource Center’s 2024 Data Breach Report, more than 1.3 billion data breach notices were issued across the U.S. in 2024—a 211% increase from 2023’s 419 million issued notices. Four of the five top data breaches in 2024 were due to stolen credentials.
Are password-based systems obsolete? Is passwordless authentication the way of the future? I’ll examine the approaches that can be adopted across industries to protect data.
Passwords: The End Of An Era
Passwords have been the primary digital authentication methodology since the early 1960s, and they grew exponentially in usage in the late ’80s and into the ’90s for anything digital, ranging from computer logins to email accounts to financial transactions.
Users are constantly forced to memorize strings of characters and answers to security questions, which pushes them to take shortcuts. Over time, this leads to poor password hygiene—keeping passwords simple, easy to remember and weak or, even worse, reusing the same password across different accounts and websites.
This has led to fraudsters gaining access through techniques such as credential stuffing (replaying stolen credentials), phishing (deceiving victims into sharing credentials), keylogging (capturing the keystrokes of credentials), brute-force attacks and man-in-the-middle attacks (intercepting credentials by masquerading as a different user).
Users have adopted password managers to reduce their cognitive load, but these tools aren’t foolproof either. As attacks have grown more frequent and sophisticated over the years, passwordless authentication has become a go-to strategy.
A World Of Passwordless
In simple terms, passwordless authentication uses authentication factors that are inherently harder to crack instead of passwords.
Such factors include biometrics (fingerprint, face or retina capture, etc.), digital security tokens (a one-time passcode sent by SMS, a time-based token generated by an authenticator app, etc.), physical tokens (a hardware token such as a YubiKey, proximity badges, etc.), digital certificates and magic links. Implementing passwordless authentication can intrinsically reduce secrets fatigue and cognitive load, improve user experiences, simplify security operations and enhance the overall security posture.
The FIDO Alliance was formed to reduce the world’s reliance on passwords; its standards combine biometrics with public-private key cryptography to provide a strong, phishing-resistant authentication mechanism. A passkey—a “FIDO authentication credential based on FIDO standards”—is a pair of cryptographic keys designed to replace passwords: the private key is stored securely on the user’s device, and the public key is shared with the service, which uses it to verify authentication signatures.
Passkeys are phishing-resistant by default: the service stores only public keys, which are useless to an attacker without the device-specific private key. They prevent credential reuse and significantly reduce the risk of credential interception because authentication is device-bound and happens locally.
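To make the last two paragraphs concrete, here is an added example of a passkey-style challenge-response ceremony in Go. It is not part of the original article and is not code from the FIDO Alliance or any vendor; the relying-party domain bank.example, the look-alike domain bank-example.com, the user name and all function names are constructed for the example, and it uses Ed25519 from the Go standard library in place of the full WebAuthn message formats. It shows the three properties the text relies on: the server holds only public keys, each challenge is single use, and the signature is bound to the site the credential was registered with, so a different origin never obtains one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device. It holds the private key and
// signs only for the relying-party identifier the credential was created for.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

// RelyingParty stands in for the server: public keys only, plus one
// outstanding single-use challenge per user.
type RelyingParty struct {
	ID         string
	publicKeys map[string]ed25519.PublicKey
	pending    map[string][]byte
}

// NewRelyingParty creates a server identified by its domain (the rpID).
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		ID:         id,
		publicKeys: make(map[string]ed25519.PublicKey),
		pending:    make(map[string][]byte),
	}
}

// Register runs the registration ceremony: the device generates a key pair and
// the server keeps only the public half, so a copy of the server's database
// contains nothing that can produce a valid signature.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.publicKeys[user] = pub
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// signedData binds the challenge to the relying-party identifier, so a
// signature produced for one origin is meaningless to any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the device side of the authentication ceremony. origin is the site
// the browser is really talking to; on a mismatch no signature is produced.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), nil
}

// Verify checks the assertion against the stored public key and the pending
// challenge. The challenge is consumed whether or not the signature is valid,
// so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, havePub := rp.publicKeys[user]
	ch, haveCh := rp.pending[user]
	if !havePub || !haveCh {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedData(rp.ID, ch), sig)
}

func main() {
	rp := NewRelyingParty("bank.example") // constructed relying party
	device, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	ch, _ := rp.Challenge("alice")
	sig, _ := device.Assert("bank.example", ch)
	fmt.Println("genuine login verified:", rp.Verify("alice", sig))
	fmt.Println("replayed assertion verified:", rp.Verify("alice", sig))
	ch, _ = rp.Challenge("alice")
	_, err = device.Assert("bank-example.com", ch) // constructed look-alike domain
	fmt.Println("look-alike origin:", err)
}
```

The origin check in Assert is the part a browser and platform authenticator perform for a real passkey; the point of modelling it here is that a phishing page on another domain is refused before any signature exists, rather than being caught afterwards.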
Technology corporations such as Apple and Google have shown interest in building their own passkey offerings using FIDO specifications and W3C standards. However, one must consider the security features offered, device support (iOS, Android, etc.), cross-platform support (synchronized passkeys), and pricing for storage and authentication calls.
Is Passwordless Truly Secure?
If the definition of secure is making it harder for fraudsters to exploit vulnerabilities or execute different cybersecurity attacks to gain sensitive data access, then passwordless authentication is secure. If we mean insusceptible to hacking or malicious attacks, then the answer is no.
No authentication mechanism is invulnerable to exploitation. While some authentication systems, mostly password-based ones, are routinely exploited with rudimentary techniques, others require a higher level of sophistication and hacking experience to bypass their defenses.
There is no one-step approach to securing systems and infrastructure. Multifactor authentication (MFA) is essentially a layered approach to verifying a user’s identity by using multiple authentication factors. These factors can be password-based, passwordless or a mix of both, and together they raise the overall security posture. Examples include a password-based system with an SMS OTP as an additional factor, or a biometric Face ID combined with a passkey, where both factors are passwordless.
Even though we can adopt MFA, the passwordless authentication factors can be compromised. Digital security tokens can be intercepted, hardware tokens can be stolen, and even biometrics can be spoofed. This leads us to a layered approach for verifying identity that goes beyond authentication factors.
Standard authentication methods require users to present specific credentials to verify their identity. Adaptive authentication uses machine learning and AI algorithms to build a behavioral profile of each user. When the system detects an anomaly or deviation from the expected behavior, it computes a risk score that estimates how likely the attempt is to be fraudulent. Depending on the score or the observed pattern, the authentication factors required can vary, making it harder for fraudsters to bypass the security measures.
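The risk-scoring step described above, as an added example in Go that is not from the article: a fixed rule set stands in for the learned behavioral model, and the weights, thresholds, the profile for the constructed user alice and the login attempts are all made up for illustration. What it shows is the shape of the decision the text describes: deviations from the user's profile (unknown device, unknown country, off-hours login, travel faster than an airliner since the last login) accumulate into a score, and the score selects which factors the user must present.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Profile is what the adaptive system has learned about one user's normal
// behaviour; a real deployment derives it from login history.
type Profile struct {
	KnownDevices     map[string]bool
	KnownCountries   map[string]bool
	UsualHours       [2]int // inclusive UTC hour window in which logins normally occur
	LastLat, LastLon float64
	LastSeen         time.Time
}

// Attempt is the context of one login request, independent of the credential presented.
type Attempt struct {
	Device   string
	Country  string
	Lat, Lon float64
	At       time.Time
}

// Decision is the authentication requirement selected for the attempt.
type Decision string

const (
	Allow         Decision = "allow"            // first factor only
	StepUpOTP     Decision = "step-up: OTP"     // also demand a one-time code
	StepUpPasskey Decision = "step-up: passkey" // also demand a phishing-resistant factor
	Deny          Decision = "deny"             // refuse and alert
)

// distanceKm is the great-circle (haversine) distance between two points.
func distanceKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// RiskScore adds up the deviations from the profile into a 0..100 score. The
// weights are illustrative stand-ins for what a trained model would output.
func RiskScore(p Profile, a Attempt) int {
	score := 0
	if !p.KnownDevices[a.Device] {
		score += 30
	}
	if !p.KnownCountries[a.Country] {
		score += 25
	}
	if h := a.At.UTC().Hour(); h < p.UsualHours[0] || h > p.UsualHours[1] {
		score += 10
	}
	// Impossible travel: the speed implied since the last login exceeds an airliner's.
	if hours := a.At.Sub(p.LastSeen).Hours(); !p.LastSeen.IsZero() && hours > 0 &&
		distanceKm(p.LastLat, p.LastLon, a.Lat, a.Lon)/hours > 900 {
		score += 35
	}
	return score
}

// Decide maps the score to the factors demanded from the user.
func Decide(score int) Decision {
	switch {
	case score < 20:
		return Allow
	case score < 50:
		return StepUpOTP
	case score < 80:
		return StepUpPasskey
	default:
		return Deny
	}
}

func main() {
	// Constructed profile: one laptop, UK logins 07:00-22:00 UTC, last seen in London.
	alice := Profile{
		KnownDevices:   map[string]bool{"laptop-1": true},
		KnownCountries: map[string]bool{"GB": true},
		UsualHours:     [2]int{7, 22},
		LastLat:        51.50, LastLon: -0.12,
		LastSeen:       time.Date(2025, 3, 10, 12, 0, 0, 0, time.UTC),
	}
	at := time.Date(2025, 3, 10, 14, 0, 0, 0, time.UTC)
	for _, a := range []Attempt{
		{"laptop-1", "GB", 51.50, -0.12, at},  // usual device, usual place
		{"phone-9", "GB", 51.50, -0.12, at},   // new device only
		{"phone-9", "AU", -33.87, 151.21, at}, // Sydney two hours after London
	} {
		s := RiskScore(alice, a)
		fmt.Printf("%-8s %s score=%3d -> %s\n", a.Device, a.Country, s, Decide(s))
	}
}
```

The useful property for defenders is that the factor demanded rises with the score rather than being fixed per account: a routine login from a known laptop stays frictionless, a new phone triggers a one-time code, and a login that would require impossible travel is refused outright and can be alerted on.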
Cybercriminals are always on the lookout for loopholes in our systems, so the onus is on us to make those systems resilient to such attacks. By combining passwordless authentication (as part of MFA) with adaptive authentication, we can enrich our systems with dynamic layers of protection and harder-to-exploit authentication factors—paving the way to a secure future.