Category Report: Passwordless Authentication

Table of Contents

• Terms You Might Hear

• Other Related Terms

• Related Product Categories

• Types of Passwordless Authentication Deployments

• Methods of Passwordless Authentication

• Why It Matters

• Problem Statement

• Market Solution

• Players

• Predictions

• Opportunities

• Key Insights

• Notes

• References

Terms You Might Hear

• Customer Identity and Access Management (CIAM)

• Enterprise Identity and Access Management (IAM)

Other Related Terms

• Biometric Authentication

• Client to Authenticator Protocol (CTAP)

• FIDO (Fast Identity Online) Alliance

• Multi-Factor Authentication (MFA)

• Passkeys

• Security Keys

• Single Sign-On (SSO)

• Social Login

• Time-based One-Time Password (TOTP)

• Two-Factor Authentication (2FA)

• WebAuthn (Web Authentication)

• WebAuthz (Web Authorization)

• World Wide Web Consortium (W3C)

Related Product Categories

• Identity and Access Management (IAM)

• Identity Governance and Administration (IGA)

• Privileged Access Management (PAM)

Types of Passwordless Authentication Deployments

• Customer Identity and Access Management (CIAM) - CIAM focuses on managing customer identities to customer-facing applications and services.

• Enterprise Identity and Access Management (IAM) - Enterprise IAM focuses on managing employee identities for access to internal resources.

(These deployments are typically done on separate platforms for resiliency.)

Methods of Passwordless Authentication

Passwordless authentication can use one or all of these methods

• Biometric - FaceID, TouchID, fingerprint scans, or other forms of "something you are"

• Email - one-time use of "magic links" sent via email to authenticate without a password

• Social Login - Using social media (i.e., Twitter, Facebook, etc.) or ecosystems platforms (i.e., Apple, Google, etc.)

• Hardware-based - Using a physical key or token with Bluetooth or NFC to authenticate (i.e., Yubikeys, etc.)

Who says you have to stop at these methods? Why not also make it a fashion statement?

Why It Matters

Passwordless authentication removes the reliance on easily compromised passwords and improves user experience.

Problem Statement

• Traditional passwords are vulnerable to phishing, brute force attacks, and credential stuffing.

• More people have more online accounts than ever before. Too many accounts can lead to password reuse and single points of failure.

• Password managers have helped tremendously with password hygiene but still have user adoption problems.

Market Solution

Enter the Passwordless Authentication product market space.

• "Passwordless" shifts the concept of a password - it goes from something you know (the password itself) to something you are (biometrics), combined with something you have (a specific device). Passwordless authentication offers a more secure alternative to traditional passwords and verifying identities.

• Authentication and authorization still happen, just in a different context and on a different plane abstracted away from the user. Each player in the industry does this slightly differently, which is not ideal.

• Passwordless authentication combines multiple states of biometrics, devices, and other factors to authenticate users without typing in a password.

Players

A few of the players in this space include:

• Beyond Identity

• HYPR

• Transmit Security

• Trusona

If you want to see the full list of players in this space that I keep track of, check out this Airtable view.

This is not always an exhaustive list. If I'm missing a company that purely focuses on this category, please let me know!

Predictions

• Platform giants will drive the most adoption. Given the nature of how passwordless authentication works, Apple, Google, and Microsoft, will do more for passwordless authentication adoption and drive the industry forward than any security vendor.

• Convergence and assimilation. "Passwordless" will become as ubiquitous as the username and password did and squeeze the product category out of existence. Passwordless vendors will all be acquired or out of existence in 5-10 years. Passwordless authentication will just become "the way" you authenticate in the future.

• Privileged Access Passwordless Authentication (PAPA). Passwordless will move further into enterprises for higher-risk authentication functions. Look for integrations into privileged access management applications and workflows. Make sure you really know who that admin is when they escalate privileges. (P.S. I just made this acronym up, so you heard it here first! Feel free to use it and let me know if you do.)

Opportunities

• Make passwordless authentication a core piece of zero trust. Zero trust for employees and customers. Leverage passwordless authentication deployments to drive multi-factor authentication (MFA) adoptions

• Private and compliant. Lead with user privacy in mind for passwordless authentication deployments with the growing number of state and federal privacy regulations. Earn users' trust and keep regulators off your back.

• Standardize to win. The easier, more standardized, and more plug-and-play the solution is, the easier it will be to adopt for companies and end users alike. Users want a seamless experience (interoperability), and companies want an easy-to-implement and manage solution (supportability).

• Aggregated trust. Passwordless authentication relies on third-party services for identity verification. This incentivizes authentication aggregation, which is great for a user experience, but could create a riskier position overall for individuals. The fewer places you use to authenticate, the more devastating a compromise can become. Just look at what is happening with password managers.

• Passwordless meet Web3. The push to de-centralized, permissionless, and zero-knowledge identities and transactions with Web3 and the convergence of third-party trusted identity authentication sources will collide. Web3's decentralized identity stores can create a more privacy-focused authentication source for passwordless applications (As for the smart contract you agree to after identity verification or the exchange you connect to, that's a different challenge to solve... 🫣).

Key Insights

• Hard but worth it. Passwordless adoption is a game-changer. Integrating passwordless authentication can be challenging, but the rewards of enhanced security and improved user experience can outweigh the effort.

• It's not all or nothing. Not every customer-facing application or internal workflow may be worth the overhead. Look at your authentication pain points, support ticket volume, and customer or internal users' appetite for change.

• Working together. Passwordless authentication is to logins, as multi-factor authentication (MFA) is to account security. They are complementary technologies that, when combined, can make a powerful force. The CISA recommends moving to phishing-resistant MFA, and passwordless authentication helps with that.

• Enhance digital transformation. Passwordless authentication can bridge a user experience gap for both end-users and security teams.

• You need a strong foundation first. Companies with legacy authentication systems could benefit from going to passwordless authentication, but it's probably not the best place to start improving your overall security program. This is an advanced authentication deployment.

Notes 

What makes one of these platforms “good?”

Results may vary here. There is so much nuance and different interpretations of what "passwordless" means, and is solved in different ways by different players. Take extra care to do due diligence in this space.

• Look for solutions that can combine passwordless authentication, device authentication, and risk-based authentication.

• Look for solutions with broad industry-standard support like WebAuthn and FIDO2. This follows CISA recommendations and is the most phish resistant.

• Look for solutions with flexible and adaptable options that can accommodate various authentication methods (i.e., biometrics, security keys, etc.).

References

• https://www.w3.org/TR/webauthn/

• https://oauth.net/2/

• https://developer.apple.com/sign-in-with-apple/

• https://developers.google.com/identity

• https://oauth.net/2/

• https://passage.id/post/a-look-at-passkeys

• https://www.yubico.com/

• https://www.cisa.gov/news-events/alerts/2022/10/31/cisa-releases-guidance-phishing-resistant-and-numbers-matching

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.

If I missed something (or am just wrong), let me know!

At the time of writing this post, I have no active investments in any of the companies mentioned above.

If your company is looking to get more of a highlight, consider sponsoring.