Future Tech/authentication
Passwordless Everything by 2030
When I founded a CIAM platform in 2013, we built password reset infrastructure handling hundreds of millions of requests yearly. By 2030 that infrastructure is a museum exhibit.
// By 2030 · medium confidence · disruption 9/10
Prediction
// 2030
By 2030, no top-1000 consumer application will accept a password as a primary authentication factor.
What dies
- → the password
- → sms mfa
Who wins
- → Apple Passkeys
- → Google Passkeys
- → Microsoft Hello
The hook
A senior engineer at one of the top three identity providers told me their internal projection: passkey-eligible signups will cross 50% in 2027, 75% in 2029, 95% by 2031. That projection used to feel aggressive. It now feels conservative.
Thesis. Passwordless authentication did not win by being more secure. It won by being faster and lower-friction than the password it replaced. The transition is now an economics problem, not a technology problem.
The story
The setup
60 years of password infrastructure. Reset flows, complexity rules, breach response, the whole apparatus. A multi-billion-dollar industry built on a broken primitive that nobody questioned because nothing better existed.
The hinge
May 2022 FIDO Alliance announcement. Apple, Google, Microsoft simultaneously commit to passkey defaults across platforms. Three platform owners aligning on a replacement at the same time is rare enough to count as a generational event.
The current state
2026. Major consumer brands ship passkey-first signup. SMS MFA is being actively deprecated. The deprecation is faster than industry analysts predicted two years ago, which is the strongest signal that we are past the hump.
The trajectory
By 2028, passwords are the legacy fallback. By 2030, accepting a password is a competitive disadvantage in consumer products and an audit finding in enterprise.
The holdouts
Regulated industries, B2B legacy apps, geographies with low smartphone penetration. The 'long tail' of 5 to 10% will linger to 2035, but the marginal user is on a passkey-default app well before then.
First signals (verify today)
Apple/Google/Microsoft all default to passkeys. Amazon and Best Buy launched passkey-only signup in 2024. FIDO Alliance certified 1B+ deployments.
Key data points
- FIDO Alliance announcement: May 2022
- Apple passkey launch: iOS 16, September 2022
- Google passkey launch: Chrome 108, December 2022
- Amazon passkey signup option: 2024
- FIDO certified deployments: 1B+ by 2024
Contrarian angle
Most security frameworks still treat passwords as the baseline and passwordless as an upgrade. By 2028, that framing inverts. Accepting passwords becomes the security gap that auditors flag.
The flip side
What this kills
The paired obituary in Tech Graveyard.
Read the obituaryFAQ
Are passkeys truly more secure than passwords plus MFA?
Yes, by construction. Passkeys are bound to the origin and to a specific device, so they cannot be phished, replayed, or breached server-side (the server only stores the public key). Passwords plus SMS or TOTP MFA can still be phished in real time.
What happens if I lose my passkey device?
Modern passkeys sync through iCloud Keychain, Google Password Manager, or 1Password across the user's devices. Lose the device, keep the credential. The 'lost passkey' problem is largely solved as of 2024.
Will enterprises adopt passkeys as fast as consumer apps?
No. Enterprise lags consumer by 18 to 36 months on identity changes. Federation complexity, legacy app inventories, and procurement cycles slow the transition. The direction is the same; the timing is later.
More from guptadeepak.com
Want the technical deep-dive behind this prediction?
Read the companion articleRelated predictions
More from the authentication desk.
// By 2027
high confidencePhishing-Resistant Auth Becomes the Default by 2027
CISA mandated phishing-resistant auth for federal agencies in 2022. Enterprise follows federal within 24 months. Consumer follows enterprise within 24 more.
First signals: CISA mandate for federal agencies (2022). Apple/Google/Microsoft default passkey support. SMS MFA actively deprecated in NIST guidance.
authentication · Disruption 7/10
// By 2028
high confidenceMachine Identities Outnumber Humans 100 to 1 by 2028
Enterprises are managing machine identities with tools designed for humans. Agent Identity Governance is a category that does not exist yet. It will be a $5B market by 2028.
First signals: Current enterprise ratio at 45:1 (CyberArk 2024). Anthropic, OpenAI, and Google all shipping agent platforms. MCP specification adoption growing.
authentication · Disruption 10/10
// By 2029
medium confidencePersonal Data Vaults Become the Default Identity Model
The 25-year era of giving every app a copy of your data is ending. Personal data vaults give you back the keys. Selective disclosure replaces blanket sharing.
First signals: EU Digital Identity Wallet regulation enforced from 2026. Solid protocol production deployments. iOS App Intents normalizing app-to-app data borrowing.
authentication · Disruption 8/10