back arrowBack to Blog

Auth Thoughts

2023 Predictions: The Passwordless Train Gathers Steam

2023 Predictions Blog Thumbnail

This blog was originally published on VMBlog.

Making and reading annual predictions are well-trodden paths for technology leaders and practitioners. In a world where opinions sway one way and then the other, headwinds become tailwinds, and one person’s trends become another person’s tea leaves, predictions are our way of imparting some control and predictability on the year to come.

At Descope, we have been speaking with several application developers and studying the evolution of the identity and authentication market in 2022. With this knowledge at hand, here are some of our predictions for 2023.

Focus on core activities

With every company being a software company in some form today, engineering teams have a heavy weight on their shoulders. They have to deal with an ever-growing bucket list of activities to complete that, while important, are outside the scope of the core product or service they were hired to work on.

A persistent bear market will lead to renewed focus by app development teams (especially at early stage startups) towards their core initiatives. Shipping product features and getting apps to market in a fast, safe, and performant manner will take precedence over other activities. 

Critical developer-oriented tasks outside the scope of the core product such as payments, user authentication, and website development will be outsourced to specialized service providers. Non-critical tasks will be taken off sprints altogether. Resilience is key for surviving in downward trending markets, and that will come only when businesses hone in on their core competencies.  

Reducing user friction

Tough economic conditions usually bring with them talks of cost cutting, but generating revenue and providing a delightful user experience also become more critical during down markets. Customers will be more discerning with their wallets in 2023 and will vote with their feet if they face any undue friction while using a product or service.

Creating frictionless onboarding and user journeys will become a top priority for businesses, especially in crowded markets with non-trivial acquisition costs. Reducing sources of churn – from simplifying the login process to enabling easy checkouts – will be as important for businesses as rolling out new product enhancements. 

After all, a shiny new product feature isn’t of much use if your app’s users can’t log in.

Passkeys adoption and enablement

2022 was the year in which passkeys came to the fore as first Apple and then Google announced their plans to remove the need for passwords in user authentication. Passkeys, which are based on open standards such as FIDO2 and WebAuthn, allow consumers to use their devices as proof of their identity rather than creating yet another password.

The advent of passkeys is amazing news and has the potential to pave the way to a passwordless future where an average user will be able to use passkeys as easily as they use social logins like Google or GitHub today. Passkeys also offer better privacy for users than other authentication methods, since passkeys are tied to a user's account and do not share private data across services.

However, if passkeys are to be a cornerstone of passwordless authentication for all, then every application (not just Google, Apple, and other big tech companies) needs an easy way to adopt passkeys and weave them into current user authentication flows. Making the Internet passwordless will take a village, and the more resources developers have to adopt passkeys for their application, the larger the impact of passkeys will be.

Expect passkeys enablement to take center stage in 2023.

Identity remains key

In 2023, compromising victims’ identities will continue to be the preferred modus operandi for cybercriminals. This is in keeping with 2022, with the Verizon Data Breach Investigations Report (DBIR) finding that 80% of basic web application attacks used stolen credentials like passwords. Security incidents aren’t typically caused by any one thing and instead run the gamut from phishing to exploiting third-party dependencies. That said, most major breaches in 2022 began with adversaries compromising someone’s identity and enacting account takeover.

Businesses must realize that their applications are only as secure as the identity safeguards built for them. With scores of leaked passwords available on the dark web and credential stuffing attacks as popular as ever, security teams should continue to prioritize user authentication and access control.

For more auth thoughts, you can subscribe to our blog, or follow us on LinkedIn and Twitter.