Is the era of the passswordless web near?

We live in a connected world. In this world, we are constantly interacting with a myriad of services, including work-related services, financial institutions, government agencies, social sites, entertainment services, health providers, and more. With each one of these services, more often than not we're required to generate, remember, and use usernames and passwords to gain access to the services' websites and apps.

The username and password method used to authenticate people so that they can access websites and apps has served us well for decades, and for most services, will continue to do so for years to come; however, there is a problem with this method. Usernames and passwords really don't keep people's accounts safe. They can be shared, guessed, stolen, and breached, which leaves accounts and data vulnerable to theft and misuse.

To protect an account, industry experts recommend that people create unique usernames and passwords for each and every account they have. The reason for this is that breached credentials on one service can not be used to hack into another service.

Most people do not head this recommendation though since remembering a cacophony of credentials proves too difficult, if not impossible. To prove the point, according to the 2018 MEF consumer trust study the average person reuses three usernames and password combinations across their accounts.

Using a password manager to overcome username and password chaos is an important step that people should take to protect their accounts. There are numerous password managers to choose from, some are very good and others are not (more on these later).

Industry experts, however, don't see a future in password managers. They are looking beyond the password to an era where people securely and conveniently log in to any web service with passwordless access.

Earlier this month (March 4, 2019), with the release of the Web Authentication (WebAuthn) specification, the Worldwide Web Consortium and the FIDO Alliance took a step towards making a passwordless world a reality.

The WebAuthen specification details interoperable technical standards that companies can build into their sites and apps so that people can use their biometrics, connected devices, and related authenticators to gain access to their services rather than having to rely on usernames and passwords.

Publishing the specification is a huge first step toward achieving a passwordless world. And, there is every reason to believe that one day the passwordless world will take hold as the specification already has support from Google, Microsoft, Mozilla, Nok Nok Labs, Yubico, PayPal, Qualcomm, and other industry leaders. However, if history holds true, organizations have time to evaluate and implement this new standard. Not only will it take time to refine the standard and for its deployment to achieve critical mass throughout the millions of sites and apps within the datasphere, but it will also take time for people to understand, trust, and adopt the new behaviors that will be required of them to use WebAuthn powered services.