January 03, 2025
We've all heard the phrase, "Rome wasn't built in a day." This timeless truth reminds us that significant progress often requires patience, careful planning, and incremental steps. The journey toward passwordless authentication is no exception.
The demand for secure and seamless authentication is growing in today's digital landscape. However, discussions about passwordless authentication are often polarizing—oversimplified as a quick fix or buried in technical jargon. Both approaches miss the bigger picture: achieving passwordless authentication is not a single solution but a strategic journey.
This journey begins by addressing the vulnerabilities of outdated authentication methods, like passwords and one-time passwords (OTPs), and recognizing the need for innovative solutions to ensure security and usability. By taking suitable approaches, businesses can move closer to a future where authentication is secure and frictionless.
Traditional authentication methods, like static passwords, have been a growing concern in the financial industry for years. They are notoriously hard to remember, pushing users to create weak or repetitive passwords for convenience. Research shows that nearly 65% of online users reuse passwords across multiple accounts, creating a negative domino effect: when one account is compromised, attackers exploit those same credentials to breach others. The result? Credential stuffing attacks and data breaches have cost the financial sector millions.
Over a decade ago, experts turned to one-time passwords (OTPs) as one of the multi-factor authentication (MFA) methods to address these issues. Initially hailed as a more secure alternative, OTPs offered an additional layer of authentication by requiring users to input a temporary code sent to their device. However, with the rise of generative AI, SIM-Swap, and advanced attack techniques, hackers have become adept at intercepting OTPs through methods like man-in-the-middle (MITM) attacks and social engineering. The limitations of OTPs and the increasing sophistication of hackers have accelerated the need for more secure and frictionless solutions.
Apart from OTPs, other MFA methods introduced to the online space include hardware tokens, authenticator apps, smart cards, out-of-band authentication via push notifications, and more. Although considered an added layer of security, MFA remains complex for the mass user base since it may involve another software application or device. It also slows down the authentication process, which significantly impedes its adoption in online payment journeys and increases cart abandonment rates.
The journey to passwordless authentication often begins with Single Sign-On (SSO). SSO simplifies authentication by allowing users to access multiple applications and services using a single, trusted account. For example, Gmail or Apple Account enable seamless access across various platforms. This reduces the burden of managing multiple passwords, enhances productivity, and lowers IT costs by minimizing password reset requests.
However, SSO has its own limitations. While it reduces password fatigue, it also introduces risks:
Single Point of Failure: A compromised SSO account provides attackers access to all linked applications.
Broad Privileges: SSO can violate the principle of least privilege, granting users more access than necessary.
Session Persistence: If sessions are not terminated immediately, attackers may still have access even after deactivating an account.
Despite these risks, SSO is a critical step in reducing dependency on traditional passwords, paving the way for more advanced solutions to remove passwords entirely: FIDO2.
While SSO has simplified authentication, it still relies on passwords as the foundation, leaving vulnerabilities like phishing, credential reuse, and password fatigue unaddressed. Recognizing these persistent challenges, major organizations such as Apple, Google, Microsoft, and others have joined forces to introduce FIDO2, a global standard that replaces passwords entirely with secure, user-friendly alternatives.
FIDO2 leverages public key cryptography to create a passwordless authentication approach that is inherently resistant to phishing and credential theft:
A private key is securely stored on the user's device and never leaves it.
A public key is registered with the service's server (the relying party) and is the only key material the server holds.
During the authentication process, the server sends a fresh, random authentication challenge to the user's device, which signs it with the private key. The server then validates the signature using the stored corresponding public key. Because the private key is never shared, a server breach exposes only public keys, which cannot be used to produce a valid signature, so the stolen data does not let an attacker authenticate. This makes FIDO2 inherently safer than any password-based approach.
FIDO2 eliminates the need for passwords and introduces more secure and convenient authentication methods. By leveraging user biometrics like fingerprints, facial recognition, or device-based passkeys, FIDO2 delivers a seamless and secure user experience.
For financial institutions, the benefits of adopting FIDO2 include:
Reduced Fraud Risks: By eliminating shared secrets, FIDO2 protects against phishing, credential stuffing, and other password-based attacks.
Enhanced User Experience: Biometrics and passkeys streamline authentication, reducing user friction and increasing satisfaction.
Regulatory Compliance: Passwordless authentication aligns with modern regulatory requirements for strong customer authentication (SCA) and data security.
Lower Costs: By reducing reliance on password resets and improving security, institutions can minimize IT support and breach-related expenses.
At HiTRUST, we recognize that transitioning to passwordless authentication is not an overnight process—it's a journey that requires strategic planning and robust technology. Our solutions combine user behavioral data and the cutting-edge innovation of FIDO2 to create a seamless and secure authentication experience.
The passwordless future isn't just about technology; it's about building trust and enabling businesses to protect their customers and employees. Let's work with HiTRUST towards a future where security and simplicity coexist.