When we talk about the future of authentication, the conversation inevitably turns to passwordless systems: passkeys, hardware tokens, device-bound cryptographic credentials. It's a compelling vision: no more password reuse, no more phishing, no more "forgot password" emails clogging inboxes.
Across the industry, companies are starting to shift their mindset toward a world without passwords. But what does that actually mean for users?
Will it finally eliminate the longstanding problems that have plagued passwords for decades? Could it answer the security industry’s recurring claim that humans are the weakest link? Is this the start of a new, simplified mental model for authentication—one that offers a smoother, more intuitive user experience? Ultimately, is "passwordless by default" really becoming the new normal? For now, it certainly looks that way.
The Problem Is Hiding in Plain Sight
One example of how human factors intersect with security is account recovery—the safety net that's supposed to help when a user forgets a password, loses a device, or gets locked out. In my broader research on usability and the role of humans in security (including work I contributed to during my time at Nokia Bell Labs, as well as other independent studies) we've seen how recovery flows often fall short.
Many widely used platforms with millions of users suffer from usability gaps that can undermine even the strongest technical protections. Account recovery is just one example of a broader challenge—a theme we're exploring further at Black Hat USA 2025, where we'll examine its implications for security, usability, and the future of authentication.
Why Passwordless Authentication Isn't a Cure-All
Passwordless authentication promises to eliminate many of the risks we've lived with for decades, such as password reuse, brute-force attacks, phishing, and keylogging. Instead, we log in with something we have (a device or hardware key) and something we are (a biometric).
But here's the catch: passwordless authentication doesn’t eliminate the need for recovery. Even in a world without passwords, things will still go wrong:
Devices will be lost, stolen, or factory reset
Hardware keys will be misplaced or broken
Cloud credential backups will fail
Users will switch devices or operating systems
When that happens, the system must decide: How do we let the user back in? If the answer is to 'fall back to a weak recovery flow,' then all the cryptographic elegance of passwordless authentication is wasted. We've simply shifted the attack surface from the front door to the side gate.
The Forgotten Edge Cases
This is where we face a more personal dilemma. From the accounts of seriously ill people around the world, we've observed how biometrics can fail over time. Weight loss, tremors, and facial changes caused fingerprint and face recognition to stop working reliably. For months, these people struggled to authenticate, facing repeated failures and frustration.
Layer on top of that the delays from power-of-attorney paperwork, onsite verification requirements, or multi-week identity confirmation processes… and the problem becomes clear. These are not rare events. They can affect:
Users with disabilities, who may have difficulty using biometric or device-bound methods
People with chronic illnesses, whose physical condition may change unpredictably
Elderly users, who may face both physical and procedural barriers
Dependent users in assisted living, who rely on caregivers for device management
For these groups, passwordless authentication could actually make lockouts more severe than they are today. In a world reliant on passwords, there's at least the possibility of recalling or resetting a passphrase. In a purely passwordless authentication environment, access could be blocked until physical presence is verified or special procedures are completed—processes that can take weeks.
Designing for Resilience and Inclusion
The future of authentication can't just be about removing passwords. If passwordless authentication is going to succeed, it also needs to build resilience, the ability to recover quickly and securely when things go wrong, and inclusivity—ensuring the system works for everyone, not just the tech-savvy or physically able. Password managers can play a pivotal role here by acting as secure passkey vaults and backup recovery layers, ensuring users can regain access without falling back to weak or exclusionary recovery flows.
One approach to consider is inclusive passwordless authentication design. Rather than eliminating passwords outright, we can encourage layered authentication ecosystems that still offer secure, accessible alternatives such as hardware keys or trusted device access, without demanding always-on connectivity or biometric reliability. This helps avoid scenarios where convenience for some becomes exclusion for others and acknowledges that authentication is often a race between usability improvements and new forms of digital exclusion.
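The two arguments above (a weak recovery flow moves the attack surface to the side gate, and a layered design should keep an accessible, offline path open) can be made concrete with a small model. The example below is added here and is not code from the original post or from F-Secure: it treats every way into an account, login or recovery, as a path of required factors, scores the account at the strength of its weakest path, and counts which paths an honest user can still complete when a phone is lost or a biometric stops working. The factor catalogue, the 0-3 strength scale and the sample account designs are constructed assumptions, not a standard.

```python
"""Score an account's login and recovery paths two ways: assurance (the attacker picks
the weakest gate) and resilience (the honest user needs some gate that still works).
Constructed example; the factor catalogue and 0-3 scale are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Factor catalogue: name -> (category, strength on a 0-3 scale). Assumed values.
FACTORS = {
    "security_question": ("knowledge", 0),   # guessable or researchable
    "password":          ("knowledge", 1),
    "recovery_code":     ("knowledge", 2),   # high-entropy printed one-time code
    "email_link":        ("possession", 1),  # only as strong as the mailbox
    "sms_code":          ("possession", 1),  # SIM swap / interception risk
    "totp":              ("possession", 2),
    "trusted_device":    ("possession", 2),
    "passkey_synced":    ("possession", 2),  # cloud-synced passkey on the phone
    "hardware_key":      ("possession", 3),  # device-bound FIDO authenticator
    "fingerprint":       ("inherence", 2),
}
MAX_LEVEL = 3


@dataclass(frozen=True)
class Path:
    """One way into the account: every listed factor must be presented together."""
    name: str
    factors: FrozenSet[str]
    online_required: bool = True


def path_strength(path: Path) -> int:
    # An attacker must defeat every factor, so credit each distinct category once
    # (two knowledge factors are not independent evidence) and cap the total.
    best_per_category: Dict[str, int] = {}
    for f in path.factors:
        category, strength = FACTORS[f]
        best_per_category[category] = max(best_per_category.get(category, 0), strength)
    return min(MAX_LEVEL, sum(best_per_category.values()))


def effective_assurance(paths: Iterable[Path]) -> int:
    # The account is only as strong as its weakest gate, front door or side gate.
    return min(path_strength(p) for p in paths)


def weak_gates(primary: Path, recovery: Iterable[Path]) -> List[str]:
    # Recovery paths that silently downgrade the assurance the primary login provides.
    floor = path_strength(primary)
    return [p.name for p in recovery if path_strength(p) < floor]


def usable_paths(paths: Iterable[Path], unavailable: FrozenSet[str], online: bool = True) -> List[str]:
    # Paths an honest user can still complete when some factors are lost or unreliable.
    return [p.name for p in paths
            if not (p.factors & unavailable) and (online or not p.online_required)]


def review(primary: Path, recovery: Iterable[Path],
           scenarios: Dict[str, Tuple[FrozenSet[str], bool]]) -> dict:
    recovery = list(recovery)
    paths = [primary, *recovery]
    return {
        "primary_strength": path_strength(primary),
        "effective_assurance": effective_assurance(paths),
        "weak_gates": weak_gates(primary, recovery),
        "resilience": {name: usable_paths(paths, lost, online)
                       for name, (lost, online) in scenarios.items()},
    }


# Constructed failure scenarios matching the ones discussed in the post.
PHONE_FACTORS = frozenset({"passkey_synced", "trusted_device", "totp", "sms_code"})
SCENARIOS = {
    "phone lost":           (PHONE_FACTORS, True),
    "biometric unreliable": (frozenset({"fingerprint"}), True),
    "phone lost, offline":  (PHONE_FACTORS, False),
}

PRIMARY = Path("passkey + fingerprint", frozenset({"passkey_synced", "fingerprint"}))

# Design A: the usual side gate, weaker than the front door.
WEAK_RECOVERY = [
    Path("email reset link", frozenset({"email_link"})),
    Path("security question + SMS", frozenset({"security_question", "sms_code"})),
]
# Design B: recovery as strong as login, with a non-biometric path that works offline.
STRONG_RECOVERY = [
    Path("hardware key", frozenset({"hardware_key"}), online_required=False),
    Path("recovery code + trusted device", frozenset({"recovery_code", "trusted_device"})),
]

if __name__ == "__main__":
    for label, rec in (("weak recovery", WEAK_RECOVERY), ("strong recovery", STRONG_RECOVERY)):
        print(label, review(PRIMARY, rec, SCENARIOS))
```

Running it shows the two failure modes side by side: design A reports an effective assurance of 1 despite a level-3 passkey login, and leaves the user with nothing once the phone is gone and there is no connectivity, while design B keeps the assurance at 3 and still offers the hardware key in every scenario. The scale is deliberately coarse; the point of the exercise is that any real review has to compute the minimum over all paths, not just the primary one.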
Human-Centered Design in Authentication
As the field of usable security evolves, there's been a notable shift in design priorities: from simply strengthening technical defenses to crafting experiences that are adaptable, recoverable, and human-centered. At F-Secure, our work on authentication and recovery models reflects this philosophy—focusing on solutions that anticipate real-world friction, reduce lockouts, and balance strong security with equitable access. This means designing systems that can meet users where they are, with pathways that work in high connectivity environments as well as offline or constrained contexts.
History in usable security research has shown that when recovery is poorly designed, people get locked out, frustrated, or resort to unsafe workarounds. This isn't just an inconvenience; it can mean losing access to finances, health services, or essential communications.
Why This Matters for Everyone
It's tempting to think of these concerns as edge cases—problems that only affect a small percentage of users. But the reality is different. Travelers lose devices. Parents hand them to kids. Hardware gets stolen. Illness happens. Life happens. No one is immune to the circumstances that make password recovery necessary.
By designing recovery that is secure, transparent, and accessible, we're not just protecting vulnerable groups, we're protecting everyone.
The Road Ahead: Passwordless Authentication Without Fear
We're at a pivotal moment: passwordless authentication is moving from early adoption into the mainstream. Tech giants are rolling out passkey support. Standards like WebAuthn are maturing. The hype is real and, in many ways, justified.
But if we rush forward without rethinking recovery, we'll end up with a new authentication model built on old weaknesses. The lessons from security research are clear:
Passwordless needs more than technology. It needs policies and processes that are as strong as the cryptography behind them.
Recovery must be treated as a primary security feature, not a secondary afterthought.
Accessibility must be a requirement from day one, not a retrofitted patch.
The future of authentication shouldn't just be passwordless—it should be fearless. It must handle both the best-case and worst-case scenarios without compromising security or excluding users.
Hear more about this topic at Black Hat USA 2025
Thursday, August 7 | 1:30pm–2:10pm PDT
Islander F & G, Level 0 – North Convention Center, Mandalay Bay, Las Vegas, USA
Session: Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future
About the Author
Amel Bourdoucen (soon-to-be Doctor of Science in Technology in early September) is a User and Impact Researcher at F-Secure and a doctoral researcher in the Department of Computer Science at Aalto University, Finland. Her work focuses on the intersection of usable security, privacy, and human-centered design.
Amel has investigated security and privacy challenges across a range of contexts, including app permissions, deceptive mobile game design, and privacy in family-sharing platforms. Her work has been published in top academic venues and featured in international media, including:

