What’s Next For User Authentication? Passkeys, Passwordless & More
The user authentication market is over 35 years old – but there continues to be a huge amount of innovation and change taking place.
Passwordless auth, passkeys, and shadow IT are just some of the trends that experts are following in the user authentication space – here are 5 key trends to watch.
1) Increasing adoption of MFA
There is an increasing awareness of the importance of multi-factor authentication (MFA), writes Jason Keenaghan, Director of Product Management & UX for Identity & Access Management at Thales.
- “In one of our recent surveys, 81% of the respondents said that they expect service providers to offer MFA. While this is great for adoption, organizations still struggle to address the very broad spectrum of MFA needs,” he says.
The challenge: There is no standardized approach to deploying multi-factor authentication, and not all deployment methods are equally secure. Often, the account recovery process for MFA falls back on SMS recovery codes, which effectively reduces MFA to a single factor.
- “FIDO Passkeys, for example, have great mass-market appeal and [we are] likely to see a surge in adoption due to their ease of deployment. But you still need more phishing-resistant mechanisms like device-bound passkeys or CBA (certificate-based authentication) to address high-assurance use cases, such as in banking & financial services or other regulated sectors.”
The bottom line: “Organizations must be prepared to support flexible deployment options and have a good grasp of the different MFA options in order to address these disparate needs”.
2) Passkeys are the future, but security must come first
Enterprises are finally starting to shift towards passwordless authentication with the increasing popularity of Passkeys, writes Jim Taylor, Chief Product and Technology Officer at RSA.
- “I think the most significant trend in user authentication over the next year will be that enterprises finally shift toward passwordless. They’ve been hesitant for some time—and with good reason—but passwordless standards are finally rigorous enough for enterprise use.”
What are Passkeys? Passkeys are a passwordless authentication method developed by the FIDO Alliance. They are based on public-key cryptography: a key pair is generated, the public key is registered with the server, and the private key is stored on your device.
The challenge: Passkeys are phishing-resistant, because the private key cannot be stolen via social engineering. But there are different kinds of Passkeys available. Device-bound Passkeys can only be used on one device. Synced Passkeys are – you guessed it – synced across all your devices.
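The registration and login flow just described, as an added example that is not code from the article or from the FIDO Alliance: a Go sketch of a passkey-style challenge-response. The authenticator keeps the private key and signs only for the domain the browser reports; the server keeps the public key and checks a single-use challenge. The relying-party name example.com, the user name alice and the look-alike domain examp1e.com are constructed for the example. Real WebAuthn additionally signs over client data such as the origin and a signature counter, which this sketch omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device side of a passkey: one private key per site, keyed by relying-party ID (the site's domain). Keys never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register generates a P-256 key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage binds the challenge to the relying-party ID, so a signature for one domain is worthless to any other.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs a challenge for the origin the browser reports. A look-alike domain has no key here, so a phishing page gets nothing to relay.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %s", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// RelyingParty models the server: registered public keys and outstanding challenges per user.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// NewChallenge issues 32 random bytes; each challenge may be answered once.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[user] = ch
	return ch, nil
}

// Verify checks the signature with the stored public key and consumes the challenge, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, okPub := rp.pubKeys[user]
	ch, okCh := rp.challenges[user]
	if !okPub || !okCh {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, ch), sig)
}

// Login runs one authentication round from the origin the browser is on.
func Login(rp *RelyingParty, auth *Authenticator, browserOrigin, user string) (bool, error) {
	ch, err := rp.NewChallenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Assert(browserOrigin, ch)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}

func main() {
	rp := NewRelyingParty("example.com") // constructed relying party and user name
	auth := NewAuthenticator()
	pub, _ := auth.Register(rp.ID)
	rp.pubKeys["alice"] = pub
	fmt.Println(Login(rp, auth, "example.com", "alice")) // true <nil>
	fmt.Println(Login(rp, auth, "examp1e.com", "alice")) // false no passkey registered for examp1e.com
}
```

The design point is that the user never handles a secret: nothing is typed, so nothing can be phished, and because the relying-party ID is folded into the signed data, a signature obtained under one domain does not verify under another. Consuming the challenge on first use is what stops a recorded response from being replayed.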
- “While different passwordless technologies sound similar to one another, not all passwordless is created equal…I expect we’re about to see some very public demonstrations on why synced passkeys aren’t right for organizations, and instead why they need to use device-bound passkeys,” Taylor explains.
The bottom line: “Organizations must prioritize secure passwordless solutions.”
3) Shadow IT remains a key concern
A critical challenge for user authentication is unmanaged devices and shadow IT, writes Ashley Leonard, founder and CEO at Syxsense.
- “Unauthorized software and devices don’t have the same enforcement policies, which create openings in what would be an otherwise secure environment. Visibility into these components becomes much more difficult, yet critical, because you cannot protect what you aren’t managing.”
The challenge: Enterprise-wide user authentication deployments can only secure applications known to IT admins. Shadow IT can therefore put unprotected business data at risk.
- “Organizations need to enforce strong authentication through a continuous endpoint management strategy, even going so far as implementing zero trust endpoint validation,” Leonard argues.
The bottom line: “A degree of education is needed so that members of an organization know the dangers of unmanaged devices. And, as always, continuing to implement multifactor authentication on all devices goes a long way in adding an extra degree of security in authenticating users.”
4) Investment in identity analytics
Organizations must prioritize analytics and continuous authentication when investing in a user authentication solution.
- Modern authentication solutions can collect hundreds of data points related to user behavior, such as where login attempts take place, what applications a user typically accesses, and device health information.
Often, security teams already collect data that can detect account takeover, such as superman logins (the same account appearing in two distant locations too close together in time to be one person). But that data is just not being surfaced.
Unlocking this data can help admins to better secure accounts and improve the end user experience by enforcing policies to enable continuous authentication unless a suspicious login event is detected.
- Adaptive authentication uses risk and behavior signals collected throughout the user journey to enforce additional security factors for high-risk login attempts, without impacting the user experience.
The bottom line: Analytics and context-aware adaptive authentication policies are key to improving account security without impacting end-user productivity.
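A minimal adaptive policy of the kind described in this section, as an added example that is not from the article or from any vendor: it scores a login attempt for impossible travel (the superman login mentioned above) and for an unrecognised device, and asks for a step-up factor when the score crosses a threshold. The event records, the thresholds (900 km/h, 50 km, a score of 50) and the user alice are constructed for the example; a real deployment would feed many more signals, such as device health, into the same decision.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// LoginEvent is one authentication record of the kind a modern IdP collects.
type LoginEvent struct {
	User     string
	At       time.Time
	Lat, Lon float64 // geolocation of the source IP
	DeviceID string
}

// Decision is the adaptive policy's verdict for one attempt.
type Decision struct {
	Score   int
	Reasons []string
	StepUp  bool // true: demand an additional factor before granting access
}

// Thresholds are assumptions for this example, not values from any product.
const (
	maxPlausibleKmh = 900.0 // faster than an airliner between two logins: a superman login
	minTravelKm     = 50.0  // ignore geolocation jitter within one city
	stepUpScore     = 50
)

// haversineKm returns the great-circle distance between two points in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Assess scores a new attempt against the user's earlier logins. The primary factor
// (password or passkey) has already been checked; this decides whether to ask for more.
func Assess(history []LoginEvent, attempt LoginEvent) Decision {
	var d Decision
	var prior []LoginEvent
	for _, e := range history {
		if e.User == attempt.User && !e.At.After(attempt.At) {
			prior = append(prior, e)
		}
	}
	if len(prior) == 0 {
		d.Score += 30
		d.Reasons = append(d.Reasons, "no login history for user")
		d.StepUp = d.Score >= stepUpScore
		return d
	}
	sort.Slice(prior, func(i, j int) bool { return prior[i].At.Before(prior[j].At) })
	last := prior[len(prior)-1]
	// Impossible travel: distance from the last login divided by elapsed time. Zero elapsed
	// time with different locations counts as impossible, which also avoids dividing by zero.
	km := haversineKm(last.Lat, last.Lon, attempt.Lat, attempt.Lon)
	hours := attempt.At.Sub(last.At).Hours()
	if km > minTravelKm && (hours <= 0 || km/hours > maxPlausibleKmh) {
		d.Score += 60
		d.Reasons = append(d.Reasons, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours))
	}
	// Unrecognised device: never seen in this user's history.
	known := false
	for _, e := range prior {
		if e.DeviceID == attempt.DeviceID {
			known = true
			break
		}
	}
	if !known {
		d.Score += 30
		d.Reasons = append(d.Reasons, "device not seen before for this user")
	}
	d.StepUp = d.Score >= stepUpScore
	return d
}

// SampleHistory is constructed data: alice's usual morning login from London.
func SampleHistory() []LoginEvent {
	return []LoginEvent{
		{User: "alice", At: time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC), Lat: 51.51, Lon: -0.13, DeviceID: "laptop-1"},
	}
}

func main() {
	hist := SampleHistory()
	// Same user, one hour later, from New York on an unknown device.
	suspicious := LoginEvent{User: "alice", At: time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC), Lat: 40.71, Lon: -74.01, DeviceID: "phone-9"}
	routine := LoginEvent{User: "alice", At: time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC), Lat: 51.51, Lon: -0.13, DeviceID: "laptop-1"}
	fmt.Printf("%+v\n", Assess(hist, suspicious)) // Score:90 StepUp:true
	fmt.Printf("%+v\n", Assess(hist, routine))    // Score:0 StepUp:false
}
```

The routine login gets through with no friction, which is the point of the section: the extra factor is only demanded when the collected signals say the attempt looks unlike the user, so security goes up without every login becoming a chore.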
5) Keeping pace with innovation
A key challenge is simply that the pace of change in the user authentication space means admins and users may not be able to keep up, writes Carter Francis, IT Solutions Consultant at Rippling IT.
- “In my opinion the biggest challenge could be simply that the space is going through another evolution… Admins who aren’t keeping up with modern choices are potentially preventing their shops from being as secure as they could be, because they’re ignorant of new options or possibilities,” Francis writes.
The big picture: The complexities around technologies like passwordless and passkeys pose a challenge particularly for small and mid-sized businesses without strong security resources. Users too are voicing frustration about the adoption of multi-factor authentication, especially when the user experience is clunky across applications.
The bottom line: Take a first step by making sure that you enforce multi-factor authentication for all users when they access critical applications and services. Make sure to prioritize the user experience, which will improve adoption and productivity.