
The password has apparently been dead, or at least dying, for over twenty years now. But 2025 really does feel like the year that passwordless authentication could become a reality. Microsoft has announced that it will be moving away from passwords in favour of passkeys, and so too is the UK Government. The momentum is building, and that is a good thing – but that doesn’t mean there aren’t still issues with passwordless authentication systems that need addressing to make sure they deliver the security they promise.
In this blog, we’re diving into what we see as the top three threats to passwordless authentication systems – and what can be done about them.
What is passwordless authentication?
Any authentication workflow that doesn’t rely on a user providing a password can be considered a form of passwordless authentication. Instead of using passwords, these systems use one of two things to verify the user:
- Something they have, such as a hardware token or their mobile device.
- Something they are, which is generally any form of biometric information.
Depending on your age, it may surprise you to know that physical fobs containing one-time codes have been around since the 1980s. The main reason passwordless authentication hasn’t taken off sooner is the relative complexity of implementation compared to passwords; now that initiatives like FIDO2 are making it easier to implement passwordless authentication than ever before, big organisations are finally breaking away from passwords.
Let’s now look at the main threats to these workflows, and what can be done about them.
Threat #1: AI-powered deepfakes
While most of us have been using AI to turn ourselves into action figures or cartoons, researchers have been looking into the potential of using AI to bypass biometric authentication systems. In particular, face and voice recognition technologies are believed to be vulnerable to AI deepfakes.
On the subject of biometric data, attacks have also been documented in which trojans specifically harvest biometric data that could be used to gain access to bank accounts, according to Group-IB.
There are a few avenues cybersecurity providers and enterprises can take to combat this threat:
- Invest in more advanced biometric systems that check for “liveness” factors such as eye movements, or that detect the presence of heat along with a fingerprint. While this isn’t a silver bullet, it is believed these measures can spot AI deepfakes.
- Move away from “something you are” based authentication methods, in favour of “something you have” methods – or use both in concert, though this may increase the complexity of your implementation and make the process less smooth for your users.
Threat #2: weak backup and recovery mechanisms
If your users lose their passkey or their hardware token, how do they recover their accounts? If it’s via email, SMS, or even a password, then attackers have an ideal opportunity to launch a downgrade attack on your systems, forcing the system to use a weaker method of authentication that’s vulnerable to attack.
The only way around this is to make sure that your account recovery mechanism is at least as secure as your primary authentication workflow, while remaining as easy and convenient for users as is practical. This is something that Authentikey from Cavero Quantum is ideally poised to help with – scroll down (or keep reading) to learn more.
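The downgrade risk above is easiest to reason about if every authentication and recovery method is given an explicit assurance level and the recovery path is never allowed to drop below the primary method. The following Python is an added illustration of that policy check, not code from this post or from Cavero Quantum; the method names and the numeric assurance levels are constructed assumptions, and a real deployment would derive them from its own risk assessment.

```python
from dataclasses import dataclass, field

# Constructed assurance levels (assumption): a higher number means a
# stronger method. Anything not listed is treated as level 0 and denied.
ASSURANCE = {
    "sms_otp": 1,
    "email_link": 1,
    "password": 2,
    "totp": 3,
    "hardware_token": 4,
    "passkey": 4,
}


@dataclass
class Account:
    """Primary login method plus the recovery methods enrolled for the account."""
    primary_method: str
    recovery_methods: list[str] = field(default_factory=list)


def assurance_of(method: str) -> int:
    """Look up a method's assurance level; unknown methods score 0."""
    return ASSURANCE.get(method, 0)


def effective_assurance(account: Account) -> int:
    """An account is only as strong as its weakest path in, recovery included."""
    paths = [account.primary_method, *account.recovery_methods]
    return min(assurance_of(m) for m in paths)


def downgrade_surface(account: Account) -> list[str]:
    """Recovery methods weaker than the primary method, i.e. the downgrade targets.

    Useful as an audit check: an empty list means the recovery path does
    not weaken the account relative to its primary login.
    """
    floor = assurance_of(account.primary_method)
    return [m for m in account.recovery_methods if assurance_of(m) < floor]


def authorize_recovery(account: Account, requested_method: str) -> bool:
    """Allow a recovery attempt only via an enrolled method at least as strong
    as the primary method. Unknown or weaker methods are refused."""
    if requested_method not in account.recovery_methods:
        return False
    return assurance_of(requested_method) >= assurance_of(account.primary_method)


if __name__ == "__main__":
    # Constructed sample: a passkey login with an SMS fallback still enrolled.
    acct = Account("passkey", ["sms_otp", "hardware_token"])
    print("effective assurance:", effective_assurance(acct))
    print("downgrade surface:", downgrade_surface(acct))
    print("recover via hardware_token:", authorize_recovery(acct, "hardware_token"))
    print("recover via sms_otp:", authorize_recovery(acct, "sms_otp"))
```

Run as a script it reports that the sample account, despite its passkey login, has an effective assurance of 1 because of the SMS fallback, and that only the hardware token is accepted as a recovery route. The same `downgrade_surface` check can be run over an identity provider's enrolment records to find accounts whose recovery options quietly undo the passwordless upgrade.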
Threat #3: quantum attack
Many passwordless authentication systems rely on a form of public key infrastructure, where public/private key pairs are generated to verify the machine identities that, in turn, verify the human identities in the system. The algorithms used to generate those keys will nearly all be vulnerable to attacks from quantum computers, once a cryptographically relevant quantum computer (CRQC) is created – which could be within the next decade, by some estimates.
The only solution here is to move away from classical key creation algorithms and adopt a quantum-safe alternative – and governments including the US and the UK are drawing up plans for national transitions to quantum-safe security. Currently, there are two methods of quantum-safe key exchange: Quantum Key Distribution, and Post-Quantum Cryptography. Quantum Key Distribution is the most secure, but relies on physical hardware (specifically fibre optic cables), which limits the distance over which it can function and makes implementation expensive and complex. Post-Quantum Cryptography uses algorithms based on mathematical problems that even quantum computers cannot solve without taking millennia or even millions of years. Some of these algorithms – including the NIST-approved ML-KEM and ML-DSA – can be complex to integrate into your systems, though.
Cavero Quantum: quantum-safe key exchange and authentication
To make passwordless authentication as secure as possible, then, you need to address the vulnerabilities highlighted in this blog:
- You either need to rely on an authentication method other than biometrics, or at the very least ensure your biometric data is heavily protected.
- You need an account recovery mechanism that doesn’t open you up to risk of a downgrade attack.
- You need to ensure any key creation involved in your workflow is done using quantum-safe algorithms.
That’s where we come in.
At Cavero Quantum, we have built a quantum-safe key exchange protocol called Symmetrikey, and the world’s first Continuous Trust Verification Protocol, called Authentikey. Working together, these two technologies enable you to build passwordless authentication that’s quantum-safe, protected against man-in-the-middle attacks, and not reliant on potentially vulnerable biometric data.
How Cavero Quantum supports passwordless authentication
Authentikey uses a shared ledger of key exchanges between two parties to provide mutual authentication – that is, each party in the exchange authenticates the other. In the context of passwordless authentication, this shared key history becomes the “something you have” that replaces a password. Authentikey is a viable alternative to using biometric data, and works equally well as a primary authentication method or as a recovery mechanism.
When used together with Symmetrikey, Authentikey also protects against the risk of quantum attack as the key exchange protocol is quantum-safe. Authentikey is also compatible with other quantum-safe keys including ML-KEM, for customers that need to adhere to NIST regulations. We’ve also built Authentikey to be compatible with ECDH keys, allowing you to implement Authentikey using classical encryption first and then upgrade to quantum-safe key exchange in the future.
From a system integration perspective, Symmetrikey can be used as a drop-in replacement for ECDH; in short, working with Cavero Quantum makes moving to quantum-safe passwordless authentication faster, simpler, and therefore more effective than many other methods of quantum-safe authentication.
Let’s build the next passwordless authentication solution together
Hopefully this blog has given you some thoughts about how you can create the most secure passwordless authentication solution possible – and shown you how Cavero Quantum can help you make that a reality.
We are interested in partnering with organisations in the fraud and identity management space, as well as all institutions that use passwordless authentication, to develop products and solutions together that solve these pressing challenges and ultimately protect more people from online threats.
To learn more about our technology, or to get in touch, just fill in the form below.
