Is FIDO2 Passwordless Authentication a Hype or for Real?: A Position Paper
Kemal Bicakci, Yusuf Uzunay

TL;DR
This paper argues that, despite advancements in FIDO2 passwordless authentication, passwords will likely persist on the web due to technical, practical, and business challenges; its discussion is also meant to guide future research directions.
Contribution
It presents a position on the limitations of FIDO2 passwordless authentication and outlines future research directions based on literature and experience.
Findings
Passwordless authentication is not yet capable of replacing passwords entirely.
Technical and business challenges hinder complete password elimination.
The paper proposes future research directions for user authentication.
Abstract
Operating system and browser support that comes with the FIDO2 standard, together with the biometric user verification options increasingly available on smartphones, has excited everyone, especially big tech companies, about the passwordless future. Has a dream come true? Are we finally getting rid of passwords entirely? In this position paper, we argue that although passwordless authentication may be preferable in certain situations, it will still not be possible to eliminate passwords on the web in the foreseeable future. We defend our position with five main reasons, supported either by results from the recent literature or by our own technical and business experience. We believe our discussion could also serve as a research agenda comprising promising future work directions on (passwordless) user authentication.
