Moving towards a passwordless future: Solutions for seamless and secure authentication
If you want to log in to any website, you typically need a username (sometimes an email address) and a password. This password must be long and complex to be secure, which can often be cumbersome for users. But what if there was an alternative?
Imagine a world where your customers no longer struggle with forgotten passwords, complex security requirements, or the frustration of multiple login attempts. Passwords are a relic of the past, and the future of digital security already starts here - with public-private key cryptography.
In this blog entry, we will explore today's and future developments in authentication security and how emerging technologies could transform the way we think about logging in.
Why passwords are less secure than we think
Nowadays in 2024, when you fill in the login form with your password, the data is sent to the server to check whether the password matches what is stored in the database. For added security, the password should be as long as possible and include all sorts of extra special characters. Ideally, there is also one password per site and per user. As remembering all these unique and difficult passwords is inconvenient, password managers are quite helpful. You only need one master password to access all the others.
But herein lies a problem: By using password managers, you are relying on third parties to implement enough security to keep your username and password safe. We have also seen many data breaches, and many more are likely to come.
Passwords aren’t just a security risk; they are leading to poor user experience. Complex passwords drive frustration, abandonment, and ultimately lower conversion rates. Worse, they expose your brand to serious reputational risk when (not if) a data breach occurs. Hackers thrive on the fact that 60% of people reuse the same password across multiple sites. When one is compromised, so is their entire digital life - including your brand’s platform.
Have you been affected by a data breach? Try it out yourself: Type in your e-mail address and find it out.
Login at Miele.co.uk
Deliver frictionless and secure experiences
A private key is a big chunk of data that contains a lot of entropy. The private key can be used to generate public keys using complex mathematics, so that you cannot get or guess the private key from a public key.
This means: Your private key is something you need to keep secret, and a public key is something you can safely share with anyone on the internet. A private key can be used to sign a message or document, for example. The result can then be verified with the equivalent public key. This approach is called public-private key cryptography.
With public-private key cryptography, you can offer customers a seamless, one-step login process without the hassle of remembering passwords. Users simply authenticate using a private key they control—while a public key verifies their identity securely, without exposing any sensitive data. As a result, users profit from: No more password resets. No more third-party password managers. Just simple, elegant security.
As the private key is generated using a lot of randomness, it is often not human-readable. It contains a string of characters a-z and 0-9 and can be 32 characters or more. What makes it so secure is that it is not stored in a website's database. Therefore, you can generate this key yourself, completely offline.
But be aware that there are challenges: Firstly, there is no 'forgotten password' function. And secondly, if you copy just one character wrong, the private key is invalid, and you lose everything. However, there is no need to worry. You can translate your private key into a set of 12 or 24 words to be human-readable, and you have multiple ways to store your key.
By leveraging this approach, not only are you releasing users from the burden of remembering complex passwords, but you are also significantly reducing the risk of data breaches resulting from stolen or reused credentials. Public-private key cryptography ensures that your customers’ private keys remain with them only, eliminating the need for password databases and, in turn, the vulnerabilities associated with them.
Storing a private key
A separate and dedicated hardware device can be used to generate (with specific chips) and store the private key:
The device can also sign messages and will not be connected to the internet (being “air gapped”). This means that an offline device is used and thus hackers cannot access this device via the internet to sign or get your private key. They need to physically take the device from you.
You can also use the hardware to be “stateless”. Every time you turn on this hardware device, you need to load the private key, then sign the message and when you turn off the device, the private key is gone. If a burglar takes this device, the private key is not available and safely stored.
The best way to store such a private key is to write the 12- or 24 words on paper. However, importing these 12- or 24 words every time you need to do is cumbersome. Storing the private key as a QR-Code can be of good help then - or storing it in another way as the words are in a fixed order.
This is how translating your private key into a set of words, also called mnemonic seed phrase, could look like:
1. milk 4. world 7. illegal 10. public 2. sad 5. you 8. exchange 11. matrix 3. adult 6. unhappy 9. special 12. lizard
These words follow a standard from a wordlist representing the conversion of a private key.
For a private key used on a simple website, the private key can be stored in a password manager. They do support mnemonic seed phrases nowadays, including generating a new mnemonic seed phrase.
Why should you consider using public-private keys?
1. Secure identity
When logging in, the user will be asked to store a newly generated private key somewhere safe instead of creating a username and password.
This has a significant advantage: If the password is not stored in the database, the damage if it is stolen is small. Also, the user does not have to "change" a password on another platform to prevent being hacked there.
2. Build trust and loyalty to your brand
Data breaches undermine consumer confidence. Without passwords, you not only protect your customers' data, but also distinguish your brand as a leader in customer-centric innovation - building security, trust, loyalty and brand value.
Imagine how verification would look like if brands like Carlsberg used a digital wallet:
This process of decentralizing digital identity follows a triangle of trust:
The issuer (your government) trusts the holder (you).
The holder (you) trusts the verifier (Carlsberg).
The verifier (Carlsberg) trusts the issuer (your government).
For customers, this means that they are more likely to choose platforms where they feel their information is secure. With passwordless authentication you give them the ultimate reassurance.
3. Boost engagement and conversions
Less frustration during the login process leads to more conversions. Passwordless authentification therefore reduces login barriers, speeds up the customer journey and creates better user experiences. As a result, you may get higher engagement rates, increased sales and happier customers
This is why CMOs and CDOs should care:
- Better Customer Experience
A simpler, more intuitive login process that aligns with today’s fast-paced, mobile-first world. - Reduced Churn & Abandonment:
Passwords are a leading cause of customer drop-off. By removing this hurdle, you keep users engaged. - Stronger Security means Stronger Brand:
In an era where trust is everything, public-private key cryptography gives you a cutting-edge advantage, reducing risk and enhancing your brand’s reputation. - First-Mover Advantage:
Be a leader in digital innovation by adopting secure, passwordless solutions before your competitors do.
The European Union's vision is passwordless
The European government is actively implementing a new digital identification system based on this standard. Exactly what the differences are is still unknown. What we do know is that all government services will be connected to this system. Through a Digital ID wallet app, which is the interface to all your personal data, you can decide who can see your data and for how long. All companies will be validated by the government if they can use this system to access and process or change your data.
The EU Digital Identity wallet website by the European Commission
According to this model, all data points will be connected. The government will push this new technology and be able to link all personal data in its own system. If you can log in and use some of this personal data, a lot of processes will be much easier.
The Future is Passwordless. Are you Ready?
The old-fashioned way of logging in with a username and password will change in the future using public-private keys. A public key can be generated from a private key and not vice versa. The private key can be translated into 12 or 24 words to be human readable. You also need to store the private key somewhere safe. Dedicated signing devices will make the signing process with your private key more secure, but these are still under development. This model is a new standard and will be used by the European Union for its Digital ID.
We will slowly move to this method of logging into a system and you can too. Using public-private keys is more than just a security measure - it is a way to future-proof your brand, build lasting trust and drive growth in the digital age!
To find out how you can improve the security and processes of your website, contact us and we will talk about your individual business strategy.
Did we pique your interest?
Get in touch to discover how we can drive your digital success.
