Beyond Passkeys: The Future of Authentication is Usernameless and Passwordless

Let's explore why a passwordless and usernameless future is the next logical step in authentication and how it can be achieved.

Did you know that the first digital password was invented in 1961? It was created by MIT computer science professor Fernando Corbato simply to allow multiple users to share the same computer. Over the years, passwords have become an integral part of our digital lives, and we use them almost every day. 

Passwords and usernames have been the standard method of authentication for many years. But these days, they are no longer enough to protect our sensitive information from cyberattacks. Passwords can be guessed, phished or otherwise stolen. 

In this article, we will explore why a passwordless and usernameless future is the next logical step in authentication and how it can be achieved. 

Usernameless authentication allows users to access systems and applications without needing a username. Less to remember means fewer opportunities for user error, making life more convenient while boosting security.  

Passwordless authentication, on the other hand, skips passwords altogether, opting for alternative secure methods such as mobile push notifications, biometrics, or even QR codes. Once you’ve verified your identity via one of these methods, you’re in. It’s like skipping the line at a popular restaurant — feels good and is efficient.  


Why We Need a Usernameless and Passwordless Future  

A credential-less future that is both usernameless and passwordless means that users would not need to remember any passwords or usernames. Instead, their identity would be verified through other means, such as biometrics or multi-factor authentication.  

This approach has several advantages, including: 

  1. Increased Security: A usernameless and passwordless future would make it much harder for hackers to gain unauthorised access to user accounts. Biometrics and multi-factor authentication provide an extra layer of security that can significantly reduce the risk of cyberattacks. 
  2. Enhanced Convenience: Remembering multiple usernames and passwords can be challenging, especially for users with multiple online accounts. Eliminating the need for usernames and passwords would make the authentication process much more convenient and user-friendly. 
  3. Cost-Effective: Password management systems can be costly for businesses, especially when dealing with a large number of employees. A usernameless and passwordless future would reduce the need for expensive password management systems, making it more cost-effective for businesses to manage their authentication processes.  

If a future without usernames and passwords sounds like science fiction, you’re in for a treat: it’s closer than you think, and it’s the direction we should be heading. But let’s not stop at just imagining. Let’s also talk about how we transition from here to there.   

To better understand the journey toward a more secure future, let’s explore the Consumer Authentication Strength Maturity Model, a framework that can help us evaluate the robustness of various authentication methods. 

The Consumer Authentication Strength Maturity Model 

Daniel Miessler’s CASMM (Consumer Authentication Strength Maturity Model) serves as a roadmap for internet users to gauge and elevate their authentication practices. It’s not just a measure of your current security posture; it’s a guide to better habits. 

By setting a new standard for what’s considered “secure,” CASMM can shift the collective mindset toward more robust authentication methods. 

8 – Passwordless 
Imagine never having to remember a password again. With Passwordless authentication, your second factor of authentication (2FA) comes from a physical token or your device’s built-in trust centre. 
Vulnerable to: Hardware compromise and force 
Examples: WebAuthN, FIDO2 

7 – App-Based Codeless 2FA 
No more scrambling for codes. In addition to managed passwords, this level uses an app that simply asks you to approve or deny an authentication attempt. 
Vulnerable to: Malware and force 
Examples: Some Microsoft Authenticators 

6 – App-Based 2FA Codes 
In addition to managed passwords, a dedicated app generates Multi-Factor Authentication (MFA) codes for you, adding an extra layer of security. 
Vulnerable to: Phishing and malware 
Examples: Authenticator, Authy 

5 – SMS-based 2FA Codes 
In addition to managed passwords, MFA codes are also sent directly to your mobile phone via text message. 
Vulnerable to: Phishing and sim-swapping  
Examples: Any SMS-based authentication 

4 – Passwords Manager 
You’re not just using unique passwords; you’re storing them in a digital vault, encrypted and secure. 
Vulnerable to: Account reset or takeover 
Examples: 1Password, LastPass 

3 – Quality Passwords 
Your passwords are not just unique, but they are long, random, and they include special characters 
Vulnerable to: Password dumps or cracking 

2 – Unique Passwords 
Your passwords are unique but could be stronger. They might be too short or contain easily guessable information. 
Vulnerable to: Live password guessing 
Examples: password123!, qwerty123 

1 – Shared Passwords 
You’re using the same password across multiple platforms. It’s like having one key for every lock in your life. 
Vulnerable to: Credential stuffing 
Examples: Using the same password for personal email, work email, and online banking.


Passwordless authentication sits at the pinnacle of CASMM, offering the least vulnerability exposure. 

On the other hand, SMS-based 2FA sits at a maturity level of 5, susceptible to a range of attacks like phishing and SIM-swapping. The goal isn’t just to avoid bad habits; it’s to adopt methods that are as frictionless as they are secure. 

After all, what’s the point of a lock if it’s too complicated to use? So, as we move toward a passwordless future, remember: it’s not just about eliminating passwords but about making security effortless and robust. 

Now that we’ve explored the landscape of authentication methods, let’s take a closer look at one of the emerging technologies that align well with the highest levels of CASMM: Passkeys.


What Are Passkeys? 

Passkeys are a modern and secure authentication mechanism designed to replace traditional passwords. They allow users to sign in to websites and apps without having to remember and manage complex passwords.  

A passkey is a unique digital credential that is tied to a user account and a specific website or application. 

Unlike passwords, which can be easily forgotten or hacked, passkeys provide robust protection against phishing attacks. A passkey can be generated using voice, a biometric sensor, such as a fingerprint, iris scan, or facial recognition, a PIN, or a pattern, making them more secure than traditional passwords. 

When a user wants to sign into a website or app that uses passkeys, their browser or operating system will prompt them to select the correct passkey. The process is similar to how saved passwords work today, but with an added layer of security. To ensure that only the rightful owner can access the passkey, the system may require the user to unlock their device using a biometric sensor, a PIN, or a pattern. 

Passkeys provide a passwordless experience across different browsers and operating systems, making them a convenient and secure authentication mechanism. They can be stored securely in the cloud with the user’s other data, which can be restored to a new device if necessary. 


The Limitations of Passkeys  

They may be a step forward in authentication, but they still require users to remember a unique passkey for each account, which can be challenging.  

Furthermore, while they are more secure than traditional passwords, they are not entirely foolproof. A hacker can still gain access to a user’s passkey if they compromise the user’s device.


Alternative Authentication Methods  

Several alternative authentication methods can be used to achieve a usernameless and passwordless future, including: 

  1. Biometrics. Biometric authentication, such as facial recognition or fingerprint scanning, can be used to identify individuals accurately. Biometric data is unique to each individual and cannot be easily replicated, making it an excellent authentication method. 
  2. Multi-Factor Authentication. Multi-factor authentication requires users to provide two or more forms of verification to gain access to their accounts. This approach adds an extra layer of security to the authentication process. 
  3. Intelligent Authentication Methods. Advances in artificial intelligence and machine learning are making it possible to develop more sophisticated and intelligent authentication methods that can learn from a user’s behavior and preferences. For example, location-based authentication or behavioral biometrics. 


In navigating cybersecurity, it’s becoming abundantly clear that the traditional duo of usernames and passwords is like an aging rock band — still around but no longer the main act. 
From the dawn of passkeys to the promise of biometrics and multi-factor authentication, we’re on the brink of an authentication revolution. It’s a shift geared toward enhancing security, simplifying user experience, and making life easier for businesses. As we’ve seen with the Consumer Authentication Strength Maturity Model, the future of authentication is not just about eliminating old methods but adopting new, more secure, and convenient ones. 
The next chapter in authentication is being written now. ThunderLabs is at the forefront, helping businesses transition to a usernameless and passwordless future. So the question isn’t if you’ll make the switch — it’s when. 
Ready to rewrite the rules? Reach out to ThunderLabs to start your journey toward a more secure, convenient, and cost-effective future in authentication. 
Mark Belfanti

Mark Belfanti

Head of Cyber Security

Mark has been trusted with navigating the most complex of organisations, from ensuring the NBN is cybersecure, to managing the cybersecurity contract of telecoms partnerships at Westpac. Mark has also worked with ASIC, AMP and many others.

Join our tech community

We build digital solutions & recruit specialists. Learn about our projects and discover career & hiring opportunities at ThunderLabs.