From passwords to passkeys: Enhancing security and user satisfaction
In this Help Net Security interview, Julianna Lamb, Stytch CTO, discusses the advantages of passwordless authentication. Eliminating passwords reduces data breaches and improves user experience by simplifying the login process.
Lamb also addresses the technical challenges and economic implications of passwordless authentication methods like passkeys.
In terms of user experience, what are the benefits of going passwordless?
The vast majority of data breaches today involve a human element, and the most common “way-in” for bad actors today is still via stolen or compromised credentials. This is because passwords put a huge burden on their users – either you have to remember a large number of passwords for different applications, reuse passwords (not recommended), or use a password manager service (the adoption of which remains relatively low). Passwords are, in essence, a legacy form of auth that is no longer working for companies or for users.
By going passwordless, companies can significantly reduce their risk of breaches, while making signup and login a much lighter lift for their customers. With methods like magic links, OAuth, or passkeys, authentication can happen with one or two clicks, improving access speed and reducing delays, boosting user retention and accessibility. Passwordless auth methods also lower support costs by eliminating password reset requests and scale easily with a growing user base, while also minimizing internal threats related to password misuse.
What technical challenges might organizations face when implementing passwordless authentication?
While passwordless authentication methods like passkeys are simple on the surface for end users, there can be a lot of complexity under the hood for developers to handle when they’re implementing passkeys. This includes architecting for multiple platforms, adapting to every update from those platforms, addressing account recovery and lockout issues, configuring creation settings and managing user interface complexities such as autofill and syncing. These issues can then result in a disjointed user experience and can leave businesses vulnerable to security issues, which can hinder the transition to passwordless authentication to begin with.
What are the economic implications of transitioning to passwordless authentication for an organization?
Passwordless authentication flows are faster and friendlier, ultimately driving better user experiences, engagement rates and lifetime value. In fact, we’ve seen customers experience 80%+ conversion rates at onboarding after integrating passwordless authentication. Going passwordless enhances user experience by increasing security and convenience.
To boot, research suggests that each password reset flow costs upwards of $70 in lost productivity and support time. In total, the average organization stands to lose around $5.2 million each year due to the inconveniences of passwords. Going passwordless dramatically reduces or eliminates these expenses, and when employees aren’t spending time logging in and managing passwords, overall productivity improves, leading to increased ROI for an organization.
Lastly, in those instances where passwords do fail to keep accounts protected, the cost is even more dire. As AI-enabled fraudsters get more sophisticated with methods like password spraying, credential stuffing, and bot-powered phishing attacks, these sorts of hacks will only become more common. Passwordless authentication methods like passkeys are more resistant to phishing and credential stuffing, saving companies substantial financial losses and reputational damage.
Although there is always an initial financial investment to be made when investing in new password authentication methods and technologies, we believe that those initial upfront costs are significantly less than the money organizations would lose as a result of a data breach or phishing attack.
What are the regulatory and compliance considerations when adopting passwordless authentication?
When adopting passwordless authentication, businesses need to be able to navigate several regulatory and compliance considerations to safeguard user data and adhere to legal requirements across different geographies and industries. This includes ensuring compliance with data protection laws like GDPR and CCPA, particularly as it relates to the handling of biometric data and obtaining user consent.
To ensure interoperability and security, adherence to authentication standards set by organizations like the FIDO Alliance is really important. Organizations need to implement robust security measures, conduct regular assessments, and maintain transparency about data usage and protection practices.
Accessibility compliance, such as adherence to ADA and WCAG guidelines, ensures inclusivity for users with disabilities. Addressing these considerations helps mitigate legal risks, builds user trust, and enhances overall security in passwordless authentication systems.
What trends do you foresee in the future of passwordless authentication?
First and foremost, the future is passwordless. While many companies may not be ready to make the switch to passwordless today (and many aren’t for a variety of reasons), in the next ten to twenty years I’m confident we’ll see a move to passwordless across industries and use cases, simply because they are so much safer and more user-friendly.
One of the reasons we think that the switch will happen faster now is passkeys. It’s a passwordless auth form that my co-founder and I are really particularly excited about. When WebAuthn (the technology that powers passkeys) was first introduced a few years ago, we were excited, but recognized there were still a few obstacles in the user experience that would stagnate widespread adoption. Namely, WebAuthn was device-constricted: either you had to keep track of a small physical piece of hardware to use your passkey on multiple devices, OR you could use something like biometrics on your smartphone but that meant you couldn’t use the passkey on, say, your desktop. But so many people today live their lives on multiple devices – this was perhaps the one advantage passwords still had on WebAuthn.
But with passkeys, that public key cryptography that powers WebAuthn is now available across devices, even across operating systems (for those rare breeds who have an Android and a MacBook). This makes them a much easier drop-in replacement for passwords, without any time-consuming maintenance like updating password managers or remembering passwords manually.
Add to the ease of this technology the recent uptick in credential-caused data breaches that have been making the news, and I think users and companies alike are feeling much more willing to adopt a new authentication method. I firmly believe that passkeys will be a tipping point in helping companies and users alike make the full transition to a passwordless future. Within the next several years, my co-founder and I predict that the vast majority of applications will have passkeys as a predominant auth option.