“Password is dead”. How many times have you heard this phrase over the years? Apparently, it can be traced back to at least 2004, when Bill Gates famously predicted that passwords would become obsolete soon, replaced by more sophisticated authentication methods like biometrics and smart cards.
Unfortunately, 20+ years later, we are not quite there yet: eradicating passwords completely, like smallpox or polio, is still an ongoing effort. Still, we’ve made some significant progress recently. All modern smartphones natively support at least some kind of biometric authentication, such as face recognition or fingerprint scanning. Organizations like the FIDO Alliance have spent years developing and promoting strong authentication standards like FIDO2 and passkeys. Finally, large service providers like Microsoft, Google, or Apple have invested a lot into implementing and integrating those standards into their services.
Although the FIDO standards are now nearly a decade old, their adoption rate was low until support for them was implemented in all major browsers. They only really gained notable recognition when Apple made passkeys an integral part of its ecosystem two years ago. So, ubiquitous and convenient strong authentication is finally getting some serious traction, but did you know that all that progress could be undone literally overnight?
The Cryptocalypse
If you’ve been following the recent developments in quantum computing at least superficially, you should know that we are closer to it becoming reality than ever before. Even if the whole thing has been somewhat overshadowed by the “AI race” now, major players continue pushing for quantum supremacy. Just a couple of months ago, Google unveiled its most advanced quantum chip. Even if we do not hear a lot from other countries, the recent DeepSeek market upheaval should have taught us that an underdog player from China can again completely undermine western countries’ long-term plans.
If you haven’t been following the topic recently, you probably should. You could start by reading an older KuppingerCole blog post, and then perhaps listen to a more recent Analyst Chat about the cryptographic apocalypse. To summarize both: yes, nobody knows for sure whether the real breakthrough will happen tomorrow or in a few years. The real issue though is that when it happens, the impact on the IT industry will be catastrophic and impossible to respond to reactively. And it’s not just breaking encryption of sensitive data that we have to worry about. In fact, traditional symmetric encryption methods like AES are not significantly affected by quantum algorithms. Their asymmetric counterparts, however, are the foundation of modern digital business.
Whether swiping a smart card to enter a secure facility, signing a digital contract, or just logging in to your online banking account — you are utilizing some means of strong authentication. These methods rely on public-key cryptographic algorithms such as RSA, Diffie-Hellman, and elliptic curves, which cannot be compromised using traditional computers, but can be easily rendered useless by a quantum computer with the help of the well-known Shor’s algorithm.
Most modern communication protocols, such as HTTPS (TLS), SSH, and most VPN implementations, rely on digital signatures or certificates for establishing the identity of connecting parties. They can be easily compromised as well, leading to eavesdropping, identity theft, fraud, data leaks, and other potential attacks.
Oddly enough, even old-school password authentication will be disrupted by quantum computers, since passwords are usually stored in databases as hashes, the outputs of cryptographic functions that prevent the exposure of the original plaintext passwords. An attack against popular hash functions on a quantum computer effectively reduces their strength by half, substantially decreasing the time needed to crack them.
Multifactor solutions are not immune either. All those hardware authenticators like YubiKey rely on the same asymmetric cryptographic functions to create and securely exchange keys with other parties. And since your biometric data like fingerprints is not supposed to ever leave your device, those systems utilize derived keys and hashes, which can be compromised as well.
How realistic is the doomsday scenario?
A common response to all these concerns is that while the impact of the “quantum risk” is undeniably massive, the probability of an actual working quantum computer appearing overnight is still extremely low. Realistically, the skeptics might be right, but the problem is still complicated and nuanced. Consider this simple analogy: the probability of a meteorite hitting your house tonight is also extremely low. But this does not imply that your house doesn’t need a strong roof. Or an even stronger basement, for that matter.
When looking at post-quantum cryptography, one must understand that the actual danger of quantum algorithms breaking current encryption standards is just one facet of a bigger issue. For example, it is well known that intelligence agencies around the world have been harvesting and storing encrypted information across the Internet, intending to analyze it later when an opportunity arises. The impact of a quantum computer will therefore affect not just current sensitive transactions, but years’ worth of past secrets as well.
On the other hand, quantum computing is not the only way to undermine the reliability of encryption. We have already lived through multiple incidents in which the reliability of certain encryption algorithms has been compromised by other factors. The Heartbleed vulnerability in OpenSSL is just one example of encryption undermined by a bug in a specific implementation. Some older standards like SHA-1 have been deprecated simply because they can now be cracked using modern classical computers, not even at cloud scale.
Future-proofing your authentication
The proverbial silver lining behind all these issues is that a solution is already available, one guaranteed to resolve all the weaknesses of existing encryption methods against quantum computers. Researchers have been working on new, quantum-resistant encryption standards for over a decade. A major standardization effort was initiated by NIST back in 2016, and in August 2024, three new standards for post-quantum cryptography (PQC) were finally approved. NIST also proposed a decade-long timeline for migrating to these standards but urges all organizations to start as soon as possible.
From now on, crypto-agility should become your mantra — the ability to quickly modify and replace parts of your cryptographic infrastructure in response to new threats. Wherever possible, you should start replacing existing crypto with new PQC standards today. When considering new products or services that incorporate cryptography and strong authentication, their crypto-agility should become a major criterion for selection. Finally, avoid the temptation to use proprietary (and thus untested and untrustworthy) cryptographic solutions.
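Replacing existing crypto starts with knowing where quantum-vulnerable algorithms are in use. As an added example (not part of the original post), the Python code below parses TLS cipher suite names and ranks them using this article's model: RSA, Diffie-Hellman and elliptic-curve components fall to Shor's algorithm, symmetric ciphers are not significantly affected, and hash strength is halved. The function names and the sample suite list are constructed for illustration.

```python
# Added example (not from the original post): triage TLS cipher suite names
# by quantum exposure, using the article's own threat model.
import re

# Public-key families the article says Shor's algorithm renders useless.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "DSS"}
HASH_BITS = {"SHA": 160, "SHA256": 256, "SHA384": 384}  # digest sizes in bits

# Constructed sample inventory (IANA-style suite names).
SAMPLE = ["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher, hash."""
    m = re.fullmatch(r"TLS_(?:(.+)_WITH_)?(.+)_(SHA\d*)", name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    handshake, cipher, digest = m.groups()
    if handshake is None:  # TLS 1.3 style: public-key parts negotiated elsewhere
        kx = auth = None
    else:
        parts = handshake.split("_")
        kx, auth = parts[0], parts[-1]  # a lone "RSA" covers both roles
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": digest}


def assess(name):
    """Classify one suite: Shor-exposed parts and halved hash strength."""
    s = parse_suite(name)
    exposed = sorted({s[r] for r in ("kx", "auth") if s[r] in SHOR_BROKEN})
    return {
        "suite": name,
        "shor_exposed": exposed,
        "check_handshake_config": s["kx"] is None,  # name alone is not enough
        "cipher": s["cipher"],  # symmetric: not significantly affected (article)
        "hash_bits_after_halving": HASH_BITS[s["hash"]] // 2,
    }


def triage(suites):
    """Most Shor-exposed first; ties broken by weakest halved hash."""
    return sorted((assess(n) for n in suites),
                  key=lambda r: (-len(r["shor_exposed"]), r["hash_bits_after_halving"]))


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

TLS 1.3 suite names omit the key exchange and signature algorithms, so the `check_handshake_config` flag marks entries whose public-key exposure has to be read from the negotiated groups and certificates instead.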
Of course, no organization is perfectly agile. A combination of technical debt, supply chain issues, and friction between business units and teams will inevitably lead to a transitional period, when you’ll need to combine both classical and quantum-safe algorithms in some kind of hybrid architecture. Have a long-term upgrade strategy to avoid the chaos and high costs of responding to incidents instead of a controlled proactive implementation.
But most importantly, avoid learning from your mistakes – learn from the mistakes of others instead! Do not miss the opportunity to meet your industry peers and experts to gain practical knowledge. Join us at the EIC 2025 to discuss the future of strong authentication, crypto-agility, and other important topics this May in Berlin.