The rise of passwordless authentication in 2025

The rise of passwordless authentication in 2025

The way businesses verify their users' identities is undergoing a significant transformation. The traditional password, once the cornerstone of online security, is becoming increasingly vulnerable to breaches and phishing attacks. Originally, passwords served as the primary method for securing online accounts, but they quickly revealed several shortcomings.

Then came SMS one-time passwords (OTPs), which were initially never intended as a security measure but became a popular way to enhance security through an additional layer of authentication. However, SMS OTPs have become ubiquitous and have proven susceptible to compromises, such as SIM swapping and interception, and often introduce friction in the customer experience. In addition, over-the-top (OTT) applications and other methods emerged, offering varied solutions, yet each with its downsides in terms of either security or user-friendliness. 

As a result, the transition to passwordless technology is not just a trend but a necessity driven by the importance of enhancing security and improving user convenience.

The benefits of passwordless technology are undeniable, and the adoption of these new technologies comes with its own challenges. From ensuring widespread adoption to maintaining accessibility, the journey to a passwordless world is both exciting and complex.

The problem with passwords

Passwords have long been the go-to method for securing online accounts, but they come with several issues. 

The burden of remembering numerous passwords leads to frequent resets that overwhelm help desks and frustrate users. Forgotten passwords can also disrupt users' journeys on websites, leading to increased abandonment. 

Passwords are also easy targets for hackers who use tricks like guessing games or phishing emails to steal them. Users often choose simple, easily guessable passwords or use the same ones across multiple sites, making their accounts even more vulnerable. Cybercriminals have become experts at exploiting weak and reused passwords, making such accounts a common entry point for fraud. Even strong passwords can be compromised if stored insecurely or exposed in data breaches.   

Passwords are just not as secure as we might think. 

The next phase of passwordless authentication: passkeys

As more and more services have some digital option, robust and seamless authentication methods become necessary for businesses to thrive. This shift is driven by a combination of technological advancements and user and business demand for more secure and convenient ways to access their accounts.

The next phase of passwordless authentication is all about making the process easier and more secure. Passkeys offer a blend of security and ease of use that traditional methods like passwords can't always match. Passkeys are designed to be user-friendly. They leverage biometric markers (like fingerprints or facial recognition) and PINs, making the login process quick and intuitive. 

However, not all customers are ready to switch to passkeys immediately and passwordless standards are still being developed. That’s where Twilio comes in.

Twilio provides businesses the flexibility to bundle Twilio Verify Passkeys with the familiar SMS-based verification, including one-time passwords (OTPs) or multi-factor authentication. As a business, you can opt to use passwordless as your company’s authentication standard while still offering customers the option to use OTPs. This approach ensures that you can meet your customers where they are without leaving anyone behind. Moreover, as the FIDO Alliance continues to refine its standards for passkeys, businesses would benefit from leveraging solutions provided by experts like Twilio rather than building and maintaining their own. Developing an in-house solution is costly and requires constant vigilance to align with evolving FIDO standards. 

Twilio Verify offers authentication solutions that consistently incorporate the latest standards, ensuring security without the overhead of building. In fact, businesses who implemented Twilio Verify experienced a 174% ROI according to the 2024 Total Economic Impact™ (TEI) study on Twilio. By trusting Twilio, businesses can offer various authentication methods to users while also enjoying state-of-the-art authentication managed by a trusted partner.  

Fraud mitigation with passkeys

Going passwordless with passkeys can help protect you and your customers against several common fraud schemes. For instance, using passkeys would completely remove the risk of SMS pumping fraud, where fraudsters compromise SMS OTP flows with inflated traffic. Passkeys also reduce the risk of man-in-the-middle attacks, which are more common with SMS-based verification. Bots are more deterred by passkeys because they are harder to bypass, making the authentication process more secure.

Passkeys are unique to a specific domain, meaning they are not something you can lose and someone else can find. Unlike traditional security questions, which can be guessed or researched, passkeys are less hackable. From a connectivity standpoint, you can use a passkey to verify your identity without an active internet connection. The only catch is that the app you’re using will still require connectivity to complete the process. 

While passkeys are open source today, the future continues to evolve. Many people may not set up passkeys for various reasons, such as unfamiliarity or technical barriers. It's recommended to layer in adaptive authentication or step-up authentication to ensure comprehensive security. Passkeys are hailed as the future, but if they are not feasible, using SMS verification with Line Type Intelligence or Lookup SIM Swap detection as a robust alternative.

Implementing these layers of security ensures that your user authentication process is both secure and accessible to all your customers. 

Making authentication accessible

While passkeys are not explicitly ADA-compliant, they are more accessible than traditional password methods.

Passkeys leverage biometric markers and PINs, which can be easier for many users to manage, especially those with physical or cognitive disabilities. However, it's important to note that passkeys are still going through the standardization process. As they become the next big authentication method, you'll see them become more successful and widely adopted. Yet, there will still be people who rely on voice OTPs, particularly those who are vision-impaired.

Twilio's strength lies in the breadth of methods it provides, offering the flexibility to meet the diverse needs of your customers. For example, there will always be customers who have to rely on voice OTPs due to visual impairment. Whether it's through passkeys, SMS, or voice OTPs, though, Twilio ensures that you can authenticate users on a variety of channels, meeting customers where they are based on their needs. This comprehensive approach not only enhances security but also ensures that no customer is left behind.

Industry adoption of passwordless authentication

Passkeys have the potential to become the standard in highly regulated industries. Take the online gambling sector, for example. The National Institute of Standards and Technology (NIST)  has proposed that these platforms transition away from using SMS OTPs for verification, requiring them to adopt passkeys instead. In Singapore, the Monetary Authority of Singapore (MAS) decided that major retail banks would phase out SMS OTPs due to growing fraud. As these industry shifts continue, passkeys and SMS alternatives like silent network authentication are expected to gain approval and eventually become the norm in these tightly regulated markets.  

 The future trajectory of passkeys is promising. It’s projected that at least 25% of the world’s top 1,000 websites will support the use of passkeys by the end of 2025. As they become more common and accessible, business security standards will evolve to better support this technology. The inherent security features of passkeys, such as their uniqueness to a specific domain and resistance to common fraud schemes like SMS pumping, make them an attractive option for businesses looking to enhance their security posture. 

Step into the future with Twilio Verify

In 2025, we are seeing the demise of the password and the rise of passwordless authentication across many industries. Twilio Verify’s breadth of verification methods allows businesses to implement end-user authentication with both business and user preferences in mind. You can embrace the future of passwordless while also providing secondary options, ensuring no customers are left behind in the technological shift.  

Learn about all the options to protect your business and users from fraud with our User Authentication Decision Maker's Guide. If you’re ready to get started today, sign up for a free account with Twilio.