1Kosmos Design1
1Kosmos Design2
1Kosmos Design3

Identity 101: From Passwords to Passwordless Authentication

Authentication solutions have primarily relied on knowledge-based, single-factor (password) with dramatic consequences: Identity compromises, data breaches, eroded reputation. To mitigate risks and create a frictionless experience, moving beyond passwords means adopting a passwordless solution.



Password management in a few (staggering) stats.


  • About 80% of data breaches in 2019 were caused by password compromise.
  • Top-5 most popular passwords across the globe: 123456, Password, 12345678, qwerty, 123456789.
  • At least 65% of people reuse passwords across multiple sites.
  • 13% of people use the same password for all passworded accounts and devices.
  • Although 91% of participants in a recent survey understand the risk of password reuse, 59% admitted to doing it anyway.
  • In 2019, 42% of companies were breached by a bad password.
  • 48% of workers use the same passwords in both their personal and work accounts.
  • Compromised passwords are responsible for 81% of hacking-related breaches.
  • The average person reuses each password 14 times.
  • 49% of employees only add a digit or change a character in their password when required to update it.
  • Passwords were leaked in about 65% of the breaches that happened in 2019.
  • 43% of employees have shared their password with someone.
  • 42% of organizations rely on sticky notes for password management.

Top of the page


Authentication: a story about passwords for centuries.


The definition of authentication in the digital world is authentication is “the process or action of verifying the identity of a user or process.”

The verification of a user’s identity is performed through a process called “identity proofing,” which ultimately verifies and validates attributes that belong to the user, like first and last name, date of birth. In the recent years, biometrics have been added to the mix to further prove the individual’s identity.

Did you know that in the second century BC, Roman guards used to shared a secret, watchword, when changing shifts? And even more fascinating, back then they were already using the three types of authentication factors that are still leveraged by authentication solutions today:

  • Something one knows: watchword, password, PIN.
  • Something one has: Uniform, credit card, mobile phone.
  • Something one is: Height, face, fingerprints.

There is not just one recipe for authentication. Different groups of user attributes can be combined to authenticate. 

Naturally over the centuries and more precisely in the recent years, the authentication process has shifted to become increasingly complexity. Technology changed constantly, and authentication solutions have had to follow as well as possible to mitigate risks of cyber attacks. Hence the need to combine multiple types of authentication factors in an attempt to make cybercriminals' lives more difficult. Look at online payment systems that now require a password and a temporary code sent by SMS. This is a prime example of a 2FA solution: the password is the first authentication factor and the SMS is the second authentication factor, as long as the latter is received by the cellular phone that belongs to the person, who needs to authenticate...

The reality is that password have become obsolete. The reason essentially lies in the fact that hackers have developed tools that can easily compromise them. 81% of data breaches are caused by poor password management. And the increase in sophistication with which hackers are now able to compromise credentials has made the problem much worse.   


Top of the page


The History of Passwords.




Top of the page


A closer look at passwords vulnerability.


Passwords represent the authentication mechanism of choice for just about anything.  But, a password is highly insecure for four main reasons:

  • Weak knowledge factor: With 2FA and MFA solutions, the first authentication factor (the password) is a knowledge factor. And the latter is highly precarious in terms of security, simply because a password is based on information that someone else may know, guess, or infer.
  • User mindlessness: Here is a harsh fact. Most users cannot be trusted with password management. They either create simple passwords, which are way too easy to guess, or they write them down for everyone (co-workers, family) to see, if they just don't share them.
  • Password-cracking software: Go online and for about $40, you can buy an entry-level password-cracking solution. For a bit more money and this time available on the Dark Web, you can purchase a solution that can leverage cheap processor power to cycle through thousands of hash permutations and open an account in minutes through brute-force efforts.
  • Centralized password repositories: An overwhelming majority of businesses store user data unencrypted in centralized systems that offer a single point of failure. What a cyber criminal requires is compromising the credentials of an employee who has access to the centralized password repository. And given the level of passwords mismanagement, little efforts are oftentimes required. 


The rise of passwordless authentication.


For businesses, the transition to passwordless authentication has become ineluctable, given the flawed security passwords and authentication solutions leveraging them offer.

Passwordless authentication offer four major advantages over knowledge-based, password-based, authentication:

Increased revenues, lower costs. 

Passwordless authentication. decreases the costs inherent to password management and, ultimately, data breaches, while improving revenues thanks to enhanced productivity and customer loyalty and trust.

A few staggering statistics:

  • 11 hours: That's the time employees around the world spend on average per year entering or resetting their password. For a company of 15,000 employees, this represents a direct productivity loss of $5.2 million.
  • 80 percent: Percentage of all data breaches involving password mismanagement. 
  • 29 percent: Percentage of attacks that leverage password mismanagement. 
  • $3.92Mil: Average global cost of a data brach in 2019. 
  • 20%-50%: Calls to the IT helpdesk about password resets.
  • $30-$70: Cost of a single password reset.

By going passwordless:

  • Employees increase their productivity, help desks staff can be assigned to more meaningful, revenue-generating, tasks. 
  • Organizations decrease drastically their budgets associated with their breach risk exposure (often by 80 percent), which means lower cyber insurance premiums.
  • Dramatic savings on password reset overheads.

Enhanced user experience.

86% of customers are ready to pay a premium for more user-friendly experience, which infers that if a platform’s authentication experience is not satisfactory, then customers will take theirbusiness elsewhere. With passwordless authentication, the user having to manage passwords disappears. And let's face it, having to remember dozens of different usernames and passwords, prompts many people to re-use passwords, choose weak ones, or note them down on their phone, email account or with sticky notes on their computer monitor. Finally, passwordless authentication solutions leverage a user's smartphone, which adds a lot of convenience.   

Standards and compliance.

The FIDO Alliance is an open industry association and a major proponent of passwordless authentication, to the point of having created open standards for passwordless authentication to online and mobile services.

The FIDO Alliance has developed FIDO2 in collaboration with the World Wide Web Consortium (W3C). FIDO2 became a web standard in March 2019.

In a nutshell, when users authenticate to a site that supports FIDO, their identity is verified with a simple action, such as scanning a fingerprint or touching a security device. The website and the user’s authenticator conduct a challenge- response to verify that the user is in possession of the correct private key. Each service uses a unique key pair, and the private key never leaves the user’s device.  FIDO2 is supported by all leading web browsers, making its reach nearly ubiquitous on modern devices.

Eliminating passwords means enhanced security.

To go passwordless dramatically decreases a company's exposure to data breaches, simply because the organization doesn't need to store users' passwords on its servers anymore. At the end of the day, passwordless solutions do not require that personal information be stored for authentication purposes. To put it simply, there are no passwords to steal. Moreover, when the authentication is performed on the user side, no personal information is transmitted over the internet, which makes man-in-the-middle attacks virtually impossible. Lastly, the biometrics users leverage to authenticate are kept on the user's device. Consequently, the risk of online fraud and identity theft is greatly reduced. 


Top of the page


Technologies that replace passwords.


Authentication with facial biometric technology

Recent technological advances in smartphone cameras and machine-learning models mean facial recognition and document scanning can now be used to verify people remotely and at scale. In short, when creating a new account on an online service, users take a picture of their government ID and the application compares the picture with that of the person taking the picture. By using facial biometric authentication, users no longer need to associate a password with their account.

Extra security with hardware keys

In a recent research assessment, Google compared the standard baseline of password authentication with security keys, smartphone- based one-time password (OTP) generators, and two-step verification (2SV) over SMS. While no option is perfect and any form of 2SV is better than none, Google found that security keys provide the strongest security while also offering the best mix of usability and deployability.

Security keys come in a variety of form factors ranging from a small USB, NFC or Bluetooth device that can live on a user’s keychain to something built into a user’s mobile phone that can securely authenticate when they need to sign into a new device. The common factor here is that the device must be physically and locally present when authentication happens.

User experience first with QR code authentication

Complex animated QR codes can also be used to authenticate without passwords. Users logging in scan a QR code with a smart device to bind the session to their user identity. A confirmation message is then displayed in an app on the device verifying the authentication which triggers a biometric scan confirming that the users are who they say they are. Then, an authenticated session is passed to the relying party and the user is logged in.

The dynamic QR code scan has many advantages such as preventing session hijacking or session replay attacks. Since the code is animated, unique and has a very short life span, it provides a secure way for binding sessions to identities while at the same time providing a seamless experience that doesn’t require complex pairing between devices.

Seamless authentication with behavioural analysis

Behavioral authentication uses non-identifiable but individually unique factors to confirm identity. Users may not see a password login, but their identity will be authenticated in the background using factors such as non-identifiable behavior attributes from mouse movements to typing speed and habits, login history, network details like IP address, browser used, etc. While each of these non-identifiable factors is not enough on its own, when they combine as a single-security mesh, authentication becomes both secure and invisible.

All these factors can be brought together in a big data set and apply artificial intelligence and machine learning to analyze and accurately differentiate legitimate users from criminals and fraudulent authentication – regardless of the credentials presented.

Fewer passwords with zero-knowledge proofs

Zero-knowledge proofs (ZKP) are a challenge/ response authentication protocol in which parties are required to provide the correctness of their secrets, without revealing these secrets.

It allows authentication of users in such a way that a password never leaves the user’s device or browser. In simple terms, a ZKP authentication process can transform a password into a complex and unique abstract string, like a Rubik’s cube with a completely random pattern. The abstraction is transferred to a server and stored. The challenge is to prove that the Rubik’s cube pattern on the client is the same as the one on the server by generating a series of random permutations that match both the Rubik’s patterns. In this way, the entire pattern is never transferred but you can still prove, to a very high probability, that the two patterns are the same. One of the main advantages is that the verifier cannot learn anything from the authentication procedure.

ZKP technology can eliminate the exposure of private user data during authentication or identity verification. It can even be used beyond authentication, allowing users to reclaim and control the use of their digital identity.


Top of the page