Is FIDO2 Passwordless Authentication a Hype or for Real?: A Position Paper

Abstract: Operating system and browser support that comes with the FIDO2 standard and the biometric user verification options increasingly available on smart phones has excited everyone, especially big tech companies, about the passwordless future. Does a dream come true, are we finally totally getting rid of passwords? In this position paper, we argue that although passwordless authentication may be preferable in certain situations, it will be still not possible to eliminate passwords on the web in the foreseeable future. We defend our position with five main reasons, supported either by the results from the recent literature or by our own technical and business experience. We believe our discussion could also serve as a research agenda comprising promising future work directions on (passwordless) user authentication.