If you've logged into your Google account recently on a supported device, you may have been offered the opportunity to set up passwordless login, with your device acting as the key that gets you in. This isn't unique to Google; services across the globe are starting to embrace passwordless security paradigms that instead rely on a physical "key" of sorts that you must possess to get in. There are quite a few things that will need to happen first before the world can switch to passwordless, though.
5 Educating users
User acceptance is key
No matter what, the first step to moving services to completely passwordless is getting users on board. It's a hard shift to make, especially for people who aren't technically adept and are suddenly presented with the option of no longer using passwords at all. That's a pretty scary prospect, and education on why it's a good thing and worth switching to is important.
On top of that, habits can be hard to break. Passwords have worked just fine for decades at this point, and people with a password manager especially might be put out by the thought of overhauling their security setup across various sites just to switch to the newest security paradigms.
4 Improved biometrics
Make them more accurate and trustworthy
I would wager that most people at this stage who use biometrics on their smartphone know that it isn't the most accurate thing out there. It's good enough for most people, but if your phone is also the passkey to get into your Google account, Amazon, or more, then that's a whole different thing. Biometrics need to be significantly more secure and less error-prone, especially when the likes of Face ID with its focus on security can still screw up pretty badly at times.
Fingerprint sensors are generally okay, but even then, they're still not perfect. Anything that uses your face for ID isn't secure enough either, so improved biometric authentication might go a long way toward convincing people to switch.
3 More cross-platform standardized options
Yubikey, but more of them
If you've ever heard of YubiKey, then you already have an idea of an alternative to passwords. These use strong public-key cryptography to provide second-factor and passwordless authentication using FIDO2 and U2F. In most cases, this means that your physical key works as your second way of identifying yourself, and is required for authentication in addition to your password to log in. There are different standards for two-factor authentication (2FA), and the most common (though basic) is the QR code you scan to load a shared secret into an authenticator app, which then generates time-limited TOTP codes from it.
For generating TOTP 2FA codes, a YubiKey can improve security significantly, either by storing the shared secret needed to generate a code on the YubiKey's hardware, which makes it far more difficult to extract, or by skipping the code altogether in favor of a two-factor standard that requires the physical key to be plugged in (like U2F and FIDO2). You then plug the key in and press a button, and it will log you in. However, some of these are challenging to use or can be confusing, so more options on the market would better educate would-be buyers on what they are, what they're capable of, and how to use them.
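To make the TOTP mechanism concrete, here is an added example (not code from the article or from Yubico) that parses the otpauth:// URI a 2FA QR code carries, derives codes from the shared secret per RFC 4226/6238, and verifies them server-side with a small clock-skew window. The URI is constructed for illustration; its secret is the RFC 6238 SHA-1 test seed ("12345678901234567890" in base32), so the outputs match the RFC's published vectors.

```python
# Added example: the QR code is just an otpauth:// URI holding a shared
# secret. Whoever holds that secret can mint valid codes, which is why
# keeping it inside a hardware token (rather than a phone app) matters.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample URI; secret = RFC 6238 test seed "12345678901234567890".
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
               "&period=30&digits=6")


def parse_otpauth(uri: str) -> dict:
    """Extract the secret and parameters an authenticator app would store."""
    u = urlparse(uri)
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was dropped
    return {
        "label": u.path.lstrip("/"),
        "key": base64.b32decode(secret),
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(params: dict, unix_time: int) -> str:
    """RFC 6238: the counter is the number of elapsed time steps (30 s here)."""
    return hotp(params["key"], unix_time // params["period"], params["digits"])


def verify_totp(params: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    Constant-time compare so timing does not leak which digits matched."""
    step = unix_time // params["period"]
    return any(
        hmac.compare_digest(hotp(params["key"], step + d, params["digits"]), code)
        for d in range(-window, window + 1)
    )
```

Because the counter is derived from wall-clock time, a code that was valid at one moment fails a few steps later even though the secret never changed.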
2 Better security measures for identity validation
No passwords means verifying users can be harder
Without passwords, recovering an account might be significantly harder if you lose the key or damage it. Behavioral biometrics and real-world ID might help to validate you as the original account holder, but plenty of sites and services aren't equipped to deal with that in their current state. There isn't really a good alternative for recovering an account, and some sites will even tell you that there is no way to recover your account if you lose the hardware key used to access it.
That's why recovery codes are important in these instances. They're basically emergency-use passwords that you need to keep somewhere safe, as they will let you regain entry to your account and disable the passwordless login method, switching you back to a regular password method. You need to look after these passwords though, as you won't be able to get into your accounts otherwise.
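An added example (not from the article or any particular service) of how a service can issue the single-use recovery codes described above: codes are shown to the user once, only salted hashes are kept server-side, and redeeming one strikes it out and reverts the account to regular password login. The account dictionary and function names are assumptions for illustration.

```python
# Added example: single-use recovery codes as emergency-use passwords.
# The service stores only salted PBKDF2 hashes, so a database leak does
# not hand out working codes; each code works exactly once.
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # drops 0/o/1/l/i lookalikes


def generate_recovery_codes(count: int = 8, groups: int = 2, group_len: int = 5) -> list:
    """Human-typeable codes like 'k7x2m-p9q4r'; 10 symbols of a 31-char
    alphabet give roughly 50 bits of entropy per code."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                     for _ in range(groups)) for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalize so users may type with or without hyphens/spaces or in caps.
    norm = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


def issue_codes(account: dict, count: int = 8) -> list:
    """Attach hashes to the account; return plaintext codes to display once."""
    codes = generate_recovery_codes(count)
    salt = secrets.token_bytes(16)
    account["recovery"] = {"salt": salt,
                           "hashes": [_hash_code(c, salt) for c in codes]}
    return codes


def redeem_code(account: dict, code: str) -> bool:
    """Consume a matching code; on success disable the passwordless method
    so the user falls back to a regular password login."""
    rec = account.get("recovery")
    if not rec:
        return False
    candidate = _hash_code(code, rec["salt"])
    for i, stored in enumerate(rec["hashes"]):
        if hmac.compare_digest(candidate, stored):
            del rec["hashes"][i]                     # single use: strike it out
            account["passwordless_enabled"] = False  # revert to password login
            return True
    return False
```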
1 Widespread availability of recovering your account
Getting your account back can be hard
Losing a phone or security key in a passwordless world can be a nightmare if there’s no backup plan in place. Services that are going passwordless need reliable, accessible backup options to help users regain access without a password.
A promising solution would be a "trusted contacts" system, where you nominate friends or family who can verify your identity if you’re locked out. This method relies on having reliable contacts and services that support it, which could limit its practicality in many cases. Plus, some services are adding multi-device setups, where you can register multiple devices to authenticate. If one device goes missing, a backup device can get you back in.
