Most people use numerous passwords on a typical day. However, you’ve probably had the frustrating experience of trying to buy something online and forgetting your password for the e-commerce site. Passwordless authentication potentially offers a better alternative, but what are the risks?

How Does Passwordless Authentication Work?


Passwordless authentication verifies a person’s identity through more secure options than passwords or other memorized information. You may already use some types of passwordless login techniques without realizing it. They include:

  • Biometrics: Proving your identity with a method such as your fingerprint or facial recognition.
  • Magic links: Clicking a single-use link containing a verification token to access a passwordless login website.
  • Hardware keys: Relying on physical devices, such as USB drives, that authenticate the user.
  • One-Time Passwords (OTP): Using a numeric, company-generated code to log in rather than a previously chosen password.
  • QR Code Verification: Confirming your identity by scanning a QR code instead of entering a password.

Some people argue that an OTP should not fall under the passwordless umbrella. After all, it still requires typing in a password. On the other hand, the access codes only last for short periods, making them slightly different from traditional passwords.

Passwordless authentication can also span more than one category. As TechCrunch explained, a 2021 release from Yubico includes a fingerprint reader for extra protection. It further encrypts data passed between the key and the fingerprint information storage component.

Where Can You Try Passwordless Shopping?

An April 2023 Statista report indicated there were 5.18 billion worldwide internet users. Many of those people like to engage in online shopping. Even so, it could be a while before shopping without a password becomes mainstream.

If you want to use the Microsoft Store or another Windows service without a password, there are now four ways to do that. You can use the Microsoft Authenticator app, Microsoft Hello, a security key, or an OTP sent to your phone or email.

Shopify also has a couple of apps that let store owners add various types of passwordless authentication to their stores.

Despite some questioning whether passwordless authentication is realistic, Google has signaled its gradual transition toward a password-free future, too. One example available now is the security key built into Android phones running 7.0 and above. It checks for a Bluetooth signal passing between the security key and the device you use to sign in to Google’s services.

As a March 2023 PayPal press release explained, the company introduced passkeys for devices running Android 9+. That decision came after previously offering them for iOS products. PayPal still uses passwords but provides this new offering for people ready to transition to entering them less often, which is surely a sign of the way things are going in the future.

Beyond that, shopping without a password is still a niche offering. The technology exists for stores to offer it in the background though, so you might start seeing more passwordless login website options soon.

Other non-e-commerce services do offer passwordless logins, but these are still few and far between. Slack, for instance, can allow users to log in using a separate one-time, time-sensitive code sent to the associated email address. So yes, some places are starting to transition into a passwordless future, but the majority of apps and shops still rely on traditional passwords.

What Are the Pros and Cons of Passwordless Internet Usage?


Some e-commerce experts think passwordless shopping could be the solution for cart abandonment, i.e. when customers add items to their basket but leave the site before actually checking out. After all, the goal is to provide people with a buying experience that’s as smooth as possible. Not having to remember a password would certainly remove one hassle.

You could even store online shopping credentials in a passwordless password manager, such as Spectre. It allows you to access passwords across multiple devices and stops hackers from getting them from a vault.

It could be argued that passwordless authentication is more secure than user-generated passwords because too many users set easy-to-guess passwords like "password123". Additionally, a 2022 study found 70 percent of people who had data stolen in breaches during the previous year had reused their passwords across multiple accounts. Password reuse is also a problem among 64 percent of people working at Fortune 1000 companies. That habit means credentials stolen from one site can give hackers access to other accounts.

Going password-free is not without risks, however. Someone can steal a physical security key. KrebsOnSecurity explained how the OTP method could fail in up to 80 percent of cases due to interception bots that grab the code before the rightful user can. Shockingly, people have also spoofed biometrics with everything from Play-Doh to 3D masks.

And rather worryingly, a 2023 HYPR report found only 3 percent of organizations use phishing-resistant passwordless methods. That takeaway highlights a vulnerability people may ignore if password-free logins provide a false sense of security.

Another issue, especially within enterprises, is that many business leaders and employees feel reluctant to embrace new technologies. They have likely used passwords for decades and may resist doing something new now. If the new way of buying office supplies means not entering a password, some people may initially complain or question the switch.

Is Passwordless Shopping Right for You?

Consider the security methods available to you. Buying a hardware key and keeping it in a safe is a secure option.

Using your phone to authenticate is a more questionable solution. OTP codes may not reach you. Someone could hack the biometric element if you lose your phone. Some suggest combining at least one of the options above with systems that analyze people’s behavior, such as how fast they type or how they hold their phones.

Authenticating yourself without a password is not risk-free, but neither is any other method you use to access the internet. All are potentially hackable for a dedicated and sufficiently skilled malicious party. Weigh up the risks and benefits of each one before proceeding.