Smartphone authentication: The killer app that can augment the smartphone’s utility

Authenticating online access: The smartphone is a common link between two-factor authentication and passkeys

The smartphone is likely to play an increasing role in managing fraudulent access to online accounts. In 2024, it is expected to predominantly be used for delivery of passcodes as part of the two-factor authentication (TFA) process, whereby a one-time password (OTP) is sent to a phone, often within a text message.³ In 2023, there were an estimated 1.3 trillion such messages sent via telecom networks, generating an estimated US$26 billion from network traffic alone.⁴

The smartphone may also be used increasingly to generate passkeys—likely the medium-term replacement for passwords. Passkeys authenticate access to online accounts without passwords.⁵ With this approach, a pair of keys is generated for every account, one public and one private key stored on a phone. Users who want to access an account check that the keys match. The private, device-based key is released once the user has been validated using the same process that would normally be used to unlock the phone, which could be biometric (face or fingerprint) or via a password or pattern. As of 2024, usage of passkeys could be modest; by 2030 usage may become higher as it could supplant TFA.

One driver for smartphone-based authentication, based on either technology, is the growing average number of online accounts and associated volume of breaches. The cost of attacks, which are predicated on vulnerabilities that exist via passwords to authenticate access to a growing number of online accounts, is likely unsustainable. Users are asked to create a unique and, ideally strong, password for each account with some enterprises requiring that workers change their password quarterly. The relatively static and limited human ability for recall cannot cope with the combination of the growing number of accounts held, and the ask to memorize rising numbers of “strong” passwords.⁶

The outcome is an abundance of weak passwords, with the most popular still being “123456” and “password.”⁷ Repositories of passwords paired with user IDs are often targeted and there were an estimated 24 billion passwords—one for every three people on earth—exposed by hackers in 2022.⁸ The annual cost of data breaches is forecast at more than US$5 trillion in 2024.⁹ Furthermore, passwords are often repeated: One analysis found 64% of people used the same password across multiple accounts, incrementing the impact of a breach, as a single user ID and password combination may unlock multiple accounts.¹⁰ Password users can also be vulnerable to phishing attacks, designed to trick users into sharing credentials with malign entities. An estimated 3.4 billion malicious emails are sent daily.¹¹

Two-factor authentication and passkeys can provide another level of security, as additional information beyond the pair of password and user ID is required. Either approach can be effective at minimizing the impact of breaches. It can repel almost all automated bot attacks and bulk phishing attacks.¹² A very high proportion of compromised accounts did not use multi-factor authentication.¹³

TFA may incur a charge for the delivery of the one-time password, while pass keys do not (aside from bandwidth usage);¹⁴ the cost of each TFA may limit how frequently smartphone-based authentication is triggered. One deployment of passkeys found that using smartphone-based biometric authentication enabled a two-thirds reduction in the number of OTPs per user, saving 1.9 pence (US 2.4 cents) per message.¹⁵ The momentum behind passkey is likely to grow further to the commitment by Apple, Microsoft, and Google in May 2022 to support the same passkey standard.¹⁶ Apple launched support for passkeys with iOS 16 in September 2022,¹⁷ and Google supports these for all operating systems from Android 9.0.¹⁸ A growing, but still selective number of companies supported passkeys as of September 2023.¹⁹

Authenticating commerce

The smartphone is also likely to play a growing role in authenticating transactions, both online and in stores. This is expected to be based on a range of technologies, including biometric identification capabilities. Two- or multi-factor authentication and passkeys will likely also play an important role.

Mobile already represents a significant share of all e-commerce, but the majority of purchases made are still offline. In the United States, almost half of sales (47%, equivalent to US$99.5 billion) were via mobile in the 2022 holiday season, up from 43% the prior year.²⁰ But as of Q2 2023, e-commerce was still 15.4% of all payments, up one percentage point year-over-year.²¹ E-commerce’s share of all sales has tended to increase steadily since the mid-90s, except for the anomalous period of 2020−2021.²² If this trend continues, the role of smartphones for online transactions should continue to increase.

In-store, the impact of payments via smartphone apps is smaller. According to one analysis, only three cents of every dollar spent in-store in Q2 2022 in the United States was paid via a smartphone app.²³

Authenticating physical access

The smartphone is also likely to be used increasingly to validate physical access into buildings. Buildings that use card readers to permit or prohibit access often use Near-field communications (NFC) to exchange information between the gate and the card. The first smartphones to incorporate NFC were launched in 2011 and as of 2024,²⁴ this capability is likely to be ubiquitous. As such, smartphones could substitute for access cards. Alternatively, Bluetooth could be used to communicate with the reader. With hardware and software upgrades (of a complexity and cost that varies by company), existing gates could be ready to work with smartphones.

The proportion of businesses whose premises are mobile-ready has been growing steadily. According to one survey of businesses in North America, EMEA, and Asia Pacific, 24% were mobile-capable in 2022, up from 16% in 2020, and a further 42% were planning to upgrade.²⁵

This migration to smartphones could save on operational costs, address risks as well as reduce environmental impacts. Smartphone-based entry passes can be distributed via app downloads. They can also be canceled remotely via over-the-air instruction. Businesses around the world are likely to have teams dedicated to the allocation of physical cards to staff and visitors and temporary cards to replace forgotten cards in 2024. A phone-based approach would still require oversight and could enable some staff to be re-assigned from their current repetitive role of handing out entry cards.

There will likely be debates on the risks of migrating to smartphone-based entry this year. One benefit of the ID card in most buildings is visible identity; however, in some offices ID cards are often pocketed and identity checks are not often commonplace. ID cards may also be stolen, enabling bad actors to gain access to a building if there is lax security. By contrast, a smartphone’s biometric authentication could be used to provide further validation prior to tapping the phone on the reader, like the process for making a payment or entering the subway. Additionally, individuals may leave their ID card at home or elsewhere (including public venues) but may be more vigilant about their smartphones because of their utility.

The sustainability dividend from migrating to mobile may be significant. The traditional, legacy method of validating access to buildings is via photo identity cards housed in lanyards. There are 3.4 billion people in the global workforce.²⁶ If only half of these are issued a lanyard, that implies almost two billion lanyards, some of which may end up landfill. There are also multiple temporary ID cards issued for events. The Fira Barcelona hosts 2.5 million visitors each year;²⁷ the Las Vegas Convention Center has two million visitors.²⁸ Some shows are already migrating to smartphone-based digital access passes, including the Mobile World Congress at the Fira Barcelona, saving on the need to manufacture and subsequently dispose of physical passes and lanyards, and on the need to dedicate staff to issue them.²⁹

Smartphone access passes could also be used for other functions, such as payment at vending machines, access to printing machines, and checking in to events, such as university lectures, or conference sessions. In the United States, there were 53 universities that had adopted smartphone passes as of September 2022.³⁰

As well as authenticating access to commercial premises, over time smartphones may also be used more commonly to permit entry into private homes. One benefit of this would be the ability to send keys to guests on a time-limited basis.³¹

Authenticating travel

Prior to the pandemic, there were 4.5 billion airline passengers per year in 2019.³² Prior to boarding, passengers need to show their boarding pass and may also need to show identification. A boarding pass can be within a mobile app, particularly for regular travelers. This can save on printing and reduces the likelihood of loss. Some baggage receipts are also moving to apps.³³

However, proof of identity at a caliber sufficient for travel is slowly moving online. One of the most advanced countries is Ukraine, which launched an app in 2020 that hosts multiple documents including a national identity card. As of December 2022, almost 18.5 million Ukrainians (more than 40%) had downloaded the app.³⁴ In the United States, three states have launched support for digital driving licenses: Arizona, Georgia, and Maryland.³⁵ In 2024 and 2025 a European National Identity initiative co-funded by the EU plans to trial smartphones for applications including mobile driving licenses.³⁶ In the UK, the government is targeting availability of digital driving licenses by 2024:³⁷ Development programs have been underway since 2016.³⁸

The smartphone may also be used for elements of pre-authorization for travel, for example for the submission of fingerprints required for entry visas. Over the coming years, smartphones could be used to capture this biometric data in lieu of specialized machines. The United Kingdom’s government has been evaluating smartphones to capture fingerprints and face data.³⁹

A migration to smartphone-based national or regional identify is unlikely in the near term but could be likely in the medium to long-term: As authentication for a widening range of high-value processes, including accessing US$100,000 cars, US$1,000,000 homes, and US$10 million office buildings becomes more common, trust and familiarity in creating smartphone-based identity could increase. A large proportion of smartphone owners may be ready to add identity to their array of smartphone applications. According to Deloitte UK’s Digital Consumer Trends, about a quarter of respondents in developed markets would like to use their phone as their driving license or passport.⁴⁰

Bottom line

In 2024 and over the coming decades, smartphones could replicate and exceed the functionality of tens of billions of physical authentication tools in use today, including keys, passwords, driving licenses, passports, credit cards, and cash. The smartphone’s success is not limited to just unit sales: The value of its multiplier is becoming more significant.

The addition of authentication to the smartphone’s utility could be analogous to its assimilation of the functionalities of multiple form factors, including compact cameras, MP3 players, alarm clocks, handheld GPS navigation, office desk phones, and tourist guidebooks.

However, authentication may be more valuable capability than playing music, snapping selfies, or setting an alarm. Smartphone-based verification of identity can accelerate, enhance, and reduce the cost of processes that are often fundamental to commerce, enterprise security, and border control.

Modern society often requires technologies such as keys, passports, and means of payment. However, these tools do not always need to be physical – they can exist as software capabilities within smartphones and can be better keys, passports, and payment tools as a result.

As society migrates to smartphone-based authentication, it will be important to help ensure that no users are left stranded: change is often challenging, depending on the individual.

Given the widening future scope of the smartphone, it is likely to cement its position as a successful device. This may dampen (but not eradicate) discussions of when it might be toppled by another form factor.