H33BlogThe Future of Passwordless Authentication
Authentication February 24, 2026 · 20 min read

The Future of Passwordless Authentication:
FIDO2, Passkeys, and Post-Quantum Biometrics

Passwords cause 80% of breaches. Passkeys are the biggest UX leap in authentication history. But FIDO2 relies on ECDSA P-256—and Shor's algorithm will break it. This is the comprehensive guide to where passwordless authentication stands today, why it's quantum-vulnerable, and what comes next.

80%
Breaches from Credentials
2.5B
Passkey Accounts
0
Passwords Needed
PQ-Safe
H33 Auth

Every year, the Verizon Data Breach Investigations Report delivers the same verdict: stolen, weak, or phished credentials remain the dominant initial attack vector. In the 2024 DBIR, over 80% of web application breaches involved credentials. Despite billions of dollars spent on security awareness training, password managers, and multi-factor authentication, the password remains the weakest link in the security chain.

The industry has known this for decades. But now, for the first time, a credible replacement has reached mainstream adoption. Passkeys—built on the FIDO2/WebAuthn standard—have crossed the tipping point. Apple, Google, and Microsoft have deployed passkey support across their entire ecosystems. Over 2.5 billion accounts can use passkeys today.

This is the good news. The bad news is that FIDO2 was designed in a pre-quantum world. Its cryptographic foundation—ECDSA on the P-256 curve—will be broken by Shor's algorithm when a cryptographically relevant quantum computer (CRQC) arrives. Passkey private keys harvested today can be forged tomorrow. The authentication layer we're migrating the world to is already on a deprecation clock.

This guide covers the full arc: where we are, how we got here, and where we need to go.

The Password Problem in 2026

To understand why passwordless matters, you have to understand the scale of the password catastrophe. It's not a theoretical problem. It's a measurable, quantifiable disaster that costs the global economy hundreds of billions of dollars annually.

The Numbers

MetricValueSource
Breaches involving credentials80%+Verizon DBIR 2024
Credential stuffing attacks per day~3.5BCloudflare, 2025
Average cost per data breach$4.88MIBM Cost of a Data Breach 2024
Passwords reused across sites65%Google Security Blog
Phishing attacks per year3.4B+Zscaler ThreatLabz 2024
MFA bypass success rate (push fatigue)~25%Mandiant M-Trends 2024
Average passwords per employee87LastPass Business Report 2023
IT help desk calls for password resets20–50%Gartner, 2024

The fundamental problem is architectural. Passwords are shared secrets—both the user and the server know the secret (or a derivative of it). This means any compromise of the server database, any phishing attack, any man-in-the-middle interception exposes the credential. Password hashing (bcrypt, Argon2) slows offline cracking but doesn't prevent it. Password managers reduce reuse but add a single point of failure. Multi-factor authentication adds a layer but introduces its own attack surface: SIM swapping, push fatigue, TOTP interception.

The economic toll extends beyond breaches. The average enterprise employee maintains 87 passwords. Password resets account for 20–50% of all IT help desk calls, at an estimated cost of $70 per reset. For a 10,000-person company, that's $500,000–$1.2 million per year in help desk costs alone—before a single breach occurs. The password is not just insecure; it is an ongoing operational drag on every organization that uses it.

Credential Stuffing at Scale

Credential stuffing—the automated injection of stolen username/password pairs into login forms—has become the dominant attack pattern against web applications. Attackers purchase credential dumps from previous breaches (billions of credentials are available on dark web markets for pennies per record) and systematically test them against every major service.

The economics are staggering. A credential stuffing toolkit costs under $100. A dump of 1 billion credentials costs under $5,000. The hit rate on a typical service (where users reuse passwords) is 0.5–2%. Against a service with 100 million users, that's 500,000 to 2 million valid logins from a single campaign. Each compromised account can be monetized through account takeover, financial fraud, data exfiltration, or resale.

Cloudflare's 2025 threat data revealed that credential stuffing now represents the single largest category of malicious HTTP traffic, surpassing DDoS in total request volume. The attacks are highly distributed, using residential proxy networks and headless browsers to evade rate limiting. Traditional defenses (CAPTCHAs, IP blocking, device fingerprinting) are increasingly ineffective against sophisticated stuffing operations that rotate credentials across millions of IPs.

The Regulatory Shift

Executive Order 14028 (May 2021) and EO 14144 (January 2025) require federal agencies to adopt phishing-resistant authentication. OMB Memorandum M-22-09 mandates that agency staff use phishing-resistant MFA. The standard they point to: FIDO2/WebAuthn. Phishing-resistant authentication is no longer a best practice—it's a compliance requirement for anyone selling to the U.S. government.

Why MFA Alone Doesn't Solve It

Multi-factor authentication was supposed to fix the password problem. It didn't—it just moved the attack surface. SMS-based MFA is vulnerable to SIM swapping and SS7 interception. TOTP codes can be phished in real time using adversary-in-the-middle proxies (tools like Evilginx2 automate this). Push-based MFA is vulnerable to fatigue attacks—the Uber breach of September 2022, where an attacker simply spammed push notifications until the employee approved one, demonstrated this at scale.

The only form of MFA that is truly phishing-resistant is cryptographic authentication bound to origin—where the authenticator verifies the relying party's domain as part of the protocol. This is exactly what FIDO2 does.

FIDO2/WebAuthn Deep Dive

FIDO2 is a set of specifications developed by the FIDO Alliance and the W3C that enables passwordless, phishing-resistant authentication using public-key cryptography. It consists of two components: WebAuthn (the browser API, a W3C standard) and CTAP2 (Client to Authenticator Protocol, for communication with hardware authenticators like YubiKeys).

The core principle is simple: instead of sharing a secret with the server, the user generates a public/private key pair during registration. The private key never leaves the authenticator (hardware token, phone, or platform authenticator). The server stores only the public key. Authentication is a challenge-response protocol—the server sends a random challenge, the authenticator signs it with the private key, and the server verifies the signature with the public key.

The Registration Ceremony

When a user registers with a FIDO2-enabled service, the following exchange occurs:

WebAuthn Registration Flow

  1. Server generates challenge—A cryptographically random challenge (at least 16 bytes), along with the relying party ID (the domain), user information, and supported algorithm preferences (typically ES256—ECDSA with P-256)
  2. Browser calls navigator.credentials.create()—The WebAuthn API passes the options to the authenticator. The browser binds the relying party ID to the current origin, preventing phishing
  3. User verification—The authenticator performs local user verification (fingerprint, face, PIN). This is a local check—the biometric never leaves the device
  4. Key pair generation—The authenticator generates a new ECDSA P-256 key pair unique to this (relying party, user) combination. The private key is stored on the authenticator. The public key is wrapped in an attestation object
  5. Attestation response—The authenticator returns the public key, a credential ID, and an attestation signature that the server can verify to confirm the key was generated by a genuine authenticator

The Authentication Ceremony

When the user logs in:

WebAuthn Authentication Flow

  1. Server sends challenge—Random challenge, relying party ID, and a list of allowed credential IDs for this user
  2. Browser calls navigator.credentials.get()—The authenticator selects the matching credential. Origin binding prevents a phishing site from requesting credentials for a different domain
  3. User verification—Local biometric or PIN check on the authenticator
  4. Signature—The authenticator signs the challenge (plus authenticator data including sign count) with the private key. The server verifies the signature against the stored public key

Here's what a simplified WebAuthn registration and authentication flow looks like in code:

JavaScript webauthn-flow.js 
// ─── REGISTRATION ─────────────────────────────────────
const publicKeyOptions = {
  challenge: crypto.getRandomValues(new Uint8Array(32)),
  rp: { name: "Example Corp", id: "example.com" },
  user: {
    id: encode(userId),
    name: "alice@example.com",
    displayName: "Alice"
  },
  pubKeyCredParams: [
    { type: "public-key", alg: -7 }   // ES256 (ECDSA P-256)
  ],
  authenticatorSelection: {
    residentKey: "preferred",          // Discoverable credential (passkey)
    userVerification: "required"         // Biometric or PIN required
  },
  attestation: "direct"                  // Request attestation statement
};

const credential = await navigator.credentials.create({
  publicKey: publicKeyOptions
});
// Send credential.response (attestationObject + clientDataJSON) to server

// ─── AUTHENTICATION ───────────────────────────────────
const assertionOptions = {
  challenge: serverChallenge,           // Fresh random from server
  rpId: "example.com",                  // Origin-bound: phishing site can't spoof
  allowCredentials: [{
    type: "public-key",
    id: storedCredentialId
  }],
  userVerification: "required"
};

const assertion = await navigator.credentials.get({
  publicKey: assertionOptions
});
// Server verifies signature over (authenticatorData + clientDataHash)
// using the stored ECDSA P-256 public key

Resident vs. Non-Resident Credentials

FIDO2 supports two credential storage models:

Why FIDO2 Is Phishing-Resistant

The key anti-phishing mechanism is origin binding. When the browser calls the WebAuthn API, it includes the origin (e.g., https://example.com) in the client data that gets signed. If an attacker creates a phishing site at https://examp1e.com, the authenticator will either not find a matching credential (for resident credentials) or will sign data bound to the wrong origin (which the legitimate server will reject). This is enforced by the browser, not the user—no amount of social engineering can override it.

This is the fundamental difference between FIDO2 and every other authentication method. Passwords rely on the user to verify they're on the correct site. TOTP codes can be relayed. Push notifications can be accepted under social pressure. Only cryptographic origin binding provides phishing resistance that is independent of user behavior.

Passkeys: The Mainstream Moment

FIDO2 existed since 2019, but adoption was glacial. Hardware security keys were niche. Platform authenticators (Windows Hello, Touch ID) were limited to a single device. If you lost your phone, you lost your credentials. The UX was worse than passwords, not better.

Passkeys changed everything.

The Breakthrough: Synced Credentials

In 2022, Apple, Google, and Microsoft jointly announced support for multi-device FIDO credentials—now branded as "passkeys." The core innovation: FIDO2 private keys are synced across a user's devices via the platform's cloud keychain (iCloud Keychain, Google Password Manager, Windows Hello). This solves the two biggest UX problems of FIDO2:

The UX Advantage

A passkey login takes 14.9 seconds on average, compared to 30.4 seconds for password + SMS OTP (FIDO Alliance UX study, 2023). More importantly, the success rate is 13.8% higher—fewer abandoned logins. Passkeys are not just more secure than passwords; they're genuinely faster and easier to use. This is the first time in authentication history that the most secure option is also the most convenient.

Adoption Numbers (as of Early 2026)

Platform / ServicePasskey StatusScale
AppleBuilt into iOS 16+, macOS Ventura+, iCloud Keychain sync~2B devices
GoogleGoogle Password Manager sync, Chrome, Android 14+~3B devices
MicrosoftWindows Hello, Microsoft Authenticator, Edge~1.5B devices
AmazonPasskey login for 300M+ customer accountsLive
GitHubPasskey login, 100M+ developersLive
PayPalPasskey login across web and mobileLive
ShopifyPasskey login for merchant accountsLive
WhatsAppPasskey support for 2B+ usersLive

The FIDO Alliance reports that as of late 2025, passkeys are available on over 15 billion devices globally through the combined Apple, Google, and Microsoft ecosystems. Services like Google have reported that passkeys are now used more frequently than passwords + SMS OTP combined for returning users. This is not an experiment—it's a platform shift.

The Full Passwordless Landscape: Beyond Passkeys

Passkeys are the headline act, but the passwordless ecosystem is broader. Organizations evaluating passwordless strategies need to understand the full spectrum of available methods, each with distinct security properties, UX tradeoffs, and deployment considerations.

Magic Links

Magic links deliver a one-time login URL to the user's email address. Click the link, you're authenticated. No password, no code to type. Services like Slack, Medium, and Notion popularized this approach for consumer-facing applications.

The UX is excellent for infrequent logins—the user doesn't need to remember anything. But the security model has structural weaknesses:

Magic Links Are Not Phishing-Resistant

A phishing site can trigger a magic link request, then instruct the user to click the link they received in email. The user authenticates on the phishing site's session. Because magic links lack origin binding (the link works regardless of which site initiated the request), they provide zero phishing resistance. This is a fundamental architectural limitation, not a configuration issue.

SMS and Email OTP

One-time passwords (OTPs) delivered via SMS or email are the most widely deployed form of passwordless verification. They are familiar, require no app installation, and work on every device with a phone number or email address. Authentication services like Auth1 use SMS OTP as a primary passwordless method for consumer applications.

The convenience is real, but the security limitations are well documented:

SMS OTP remains useful as a fallback for users who cannot use passkeys, but it should not be the primary passwordless method for any application handling sensitive data.

Certificate-Based Authentication and Smart Cards

Certificate-based authentication (CBA) uses X.509 digital certificates stored on smart cards or hardware security modules to authenticate users. This is the gold standard for government and military systems. The U.S. Department of Defense's Common Access Card (CAC), used by over 3.5 million personnel, is the most widely deployed CBA system in the world.

In CBA, the user's private key is stored on a tamper-resistant chip (the smart card or USB token). Authentication involves a TLS mutual authentication handshake where the client presents its certificate, and the server verifies it against a trusted Certificate Authority (CA) chain. The private key never leaves the hardware.

CBA Strengths

Hardware-bound private keys. Phishing-resistant (certificate chain validation). Mature PKI ecosystem. Non-exportable keys prevent credential theft.

CBA Weaknesses

Requires physical hardware distribution. Certificate lifecycle management (issuance, renewal, revocation) is operationally complex. No cloud sync. Device loss requires physical replacement and re-issuance.

Enterprise Adoption

DoD (CAC), NATO, EU eIDAS, banking sector (EMV chip). Typically limited to high-security environments due to PKI overhead.

Quantum Risk

Most CBA deployments use RSA-2048 or ECDSA P-256 for certificate signing. Both are vulnerable to Shor's algorithm. PQ certificate chains require CA infrastructure migration.

Certificate-based authentication provides the strongest security guarantees of any currently deployed passwordless method, but its operational complexity and hardware dependency limit it to enterprise and government use cases. Passkeys can be viewed as a consumer-friendly evolution of the same principle—hardware-bound public-key authentication—without the PKI overhead.

Phishing Resistance Comparison

Not all passwordless methods are created equal when it comes to phishing resistance. The critical differentiator is whether the protocol cryptographically binds the authentication to the legitimate service's origin, or whether it relies on user judgment.

MethodOrigin BindingRelay-ResistantPhishing ResistanceNIST AAL
FIDO2 / Passkeys Yes (browser-enforced) Yes Strong AAL3 (hw) / AAL2
Smart Card / CBA Yes (TLS mutual auth) Yes Strong AAL3
FHE Biometrics Yes (API-bound) Yes Strong AAL3
TOTP (Authenticator App) No No (real-time relay) None AAL2
SMS OTP No No (SIM swap + relay) None AAL1
Magic Links No No (session fixation) None AAL1
Push Notification MFA Partial (number matching) Partial Weak AAL2

The table above reveals a sharp divide. Methods with cryptographic origin binding (FIDO2, CBA, FHE biometrics) provide genuine phishing resistance. Methods without origin binding (TOTP, SMS OTP, magic links, push MFA) provide no phishing resistance at all—regardless of marketing claims. Number matching in push MFA improves the situation slightly by requiring the user to select the correct number displayed on the login screen, but an adversary-in-the-middle proxy can display the same number, making the defense fragile.

Enterprise Passwordless: Deployment Case Studies

The theoretical advantages of passwordless authentication are well established. The question for enterprise security teams is whether it works in practice, at scale, with real users. The evidence from early large-scale deployments is compelling.

Microsoft: 1 Billion Passkey Authentications

Microsoft has been the most aggressive enterprise advocate for passwordless. As of early 2026, Microsoft reports over 1 billion passkey authentications per month across its consumer and enterprise services (Outlook, Xbox, Microsoft 365). Key findings from their deployment:

Google: Passkeys as Default

Google made passkeys the default sign-in method for all Google accounts in October 2023. By mid-2025, Google reported that passkeys were used for more than 50% of returning user authentications—surpassing password + SMS OTP as the most common login method. Google's internal data shows:

The Enterprise Friction Problem

Consumer deployments have clear success stories. Enterprise deployments are harder. The primary friction points:

Enterprise Passwordless Deployment Challenges

  1. Shared workstation environments—In healthcare, manufacturing, and retail, multiple users share a single device. Platform authenticators (Touch ID, Windows Hello) are tied to a single user's account. Hardware security keys or FHE biometrics are the only passwordless options for shared workstations.
  2. Legacy application compatibility—Many enterprise applications use LDAP/Kerberos authentication that predates WebAuthn. Passwordless integration requires federation (SAML/OIDC) layers or application rewriting.
  3. Contractor and third-party access—Passkeys are tied to personal devices and cloud accounts. Managing passkey lifecycle for temporary contractors or third-party vendors requires policy frameworks that don't yet exist at most organizations.
  4. Platform lock-in concerns—Passkeys synced via iCloud Keychain are not accessible from Android, and vice versa. Third-party password managers (1Password, Bitwarden, Dashlane) now support passkey storage as a cross-platform solution, but ecosystem fragmentation remains a real deployment consideration.

Despite these challenges, the trajectory is clear. Organizations that have deployed passkeys report measurable improvements in security posture, user satisfaction, and operational cost. The question is no longer whether to go passwordless, but how quickly you can execute the transition.

The Quantum Vulnerability in FIDO2

Here is where the story takes a critical turn. FIDO2's cryptographic backbone is ECDSA with the NIST P-256 curve (also known as secp256r1 or prime256v1). This is the algorithm specified as -7 (ES256) in the WebAuthn credential parameters. It is the default and, in practice, the only algorithm supported by the vast majority of authenticators.

ECDSA is an elliptic curve signature scheme. Its security depends on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP)—given a public key Q = dG (where d is the private key and G is the generator point), computing d from Q and G is computationally infeasible on classical computers.

Shor's algorithm solves the discrete logarithm problem efficiently on a quantum computer.

The FIDO2 Quantum Problem

Every FIDO2 credential ever created uses ECDSA P-256. Shor's algorithm requires approximately 2,330 logical qubits to break P-256 (Gidney, 2025). When a CRQC reaches this threshold, an adversary can:

1. Recover the private key from any stored public key—extracting it from a server's credential database

2. Forge authentication signatures indistinguishable from legitimate ones

3. Impersonate any user on any FIDO2-protected service

This is not a theoretical risk. Relying party servers store public keys in their databases. If those databases are compromised (or if the public keys were part of attestation data intercepted in transit), the private keys can be derived post-quantum. Every FIDO2 public key ever transmitted or stored is a future private key.

The HNDL Risk for Authentication

The Harvest Now, Decrypt Later paradigm applies directly to FIDO2 credentials. An adversary who captures the registration ceremony (which transmits the public key) or compromises a relying party's credential database (which stores it) can derive every user's private key once a quantum computer is available.

Unlike encrypted data (where HNDL requires interception during transmission), FIDO2 public keys are designed to be stored on servers. They are in databases today—millions of them, across thousands of services. No interception is needed. The adversary just needs access to any credential database, and the public keys become private keys.

The implications are severe:

Key Size: The Elephant in the Room

AlgorithmTypePublic Key SizeSignature SizeQuantum Safe
ECDSA P-256 Elliptic curve 64 bytes 64 bytes No
Ed25519 EdDSA 32 bytes 64 bytes No
ML-DSA-65 (Dilithium-3) Lattice (FIPS 204) 1,952 bytes 3,293 bytes Yes
ML-DSA-87 (Dilithium-5) Lattice (FIPS 204) 2,592 bytes 4,595 bytes Yes
SLH-DSA-128s (SPHINCS+) Hash-based (FIPS 205) 32 bytes 7,856 bytes Yes
FN-DSA-512 (FALCON) NTRU lattice 897 bytes 666 bytes Yes

The size difference is dramatic. An ECDSA P-256 public key is 64 bytes. An ML-DSA-65 (Dilithium-3) public key is 1,952 bytes—a 30x increase. Signatures go from 64 bytes to 3,293 bytes—a 51x increase. This matters for authenticators with limited storage (hardware security keys typically have only a few hundred kilobytes of writable memory), for Bluetooth Low Energy transport (which has strict MTU limits), and for NFC (which has tight timing constraints).

FN-DSA (FALCON) offers the most compact PQ signatures at 666 bytes, making it attractive for constrained authenticators. However, FALCON's NTRU lattice sampler is notoriously difficult to implement in constant time—a critical requirement for hardware security keys where side-channel resistance is mandatory. ML-DSA's simpler rejection sampling is more implementation-friendly, which is why it's the leading candidate for FIDO2 PQ migration despite larger signatures.

This isn't an insurmountable problem, but it requires redesign at every layer of the stack.

Post-Quantum Passwordless: What Needs to Change

Transitioning FIDO2 to post-quantum cryptography requires coordinated changes across the entire ecosystem. Here's what's on the roadmap and what's still open.

WebAuthn Specification Changes

The WebAuthn specification needs to register new COSE algorithm identifiers for post-quantum signature schemes. The current default, -7 (ES256), must be supplemented with identifiers for ML-DSA (FIPS 204). The IETF has draft specifications for COSE algorithm identifiers for ML-DSA, but they are not yet finalized.

Key changes needed:

ML-DSA (FIPS 204) as FIDO2's Successor

ML-DSA (Module-Lattice Digital Signature Algorithm), derived from CRYSTALS-Dilithium, is the primary candidate to replace ECDSA in FIDO2. It is a NIST-standardized (FIPS 204, August 2024) lattice-based signature scheme whose security relies on the hardness of the Module Learning With Errors (MLWE) problem—a problem for which no efficient quantum algorithm is known.

H33 Production Numbers

H33's production stack already uses ML-DSA (Dilithium) for all authentication attestation. Performance on Graviton4: ~240 microseconds for a combined sign + verify operation. In batch mode (1 attestation per 32-user batch), the per-authentication overhead drops to ~7.5 microseconds. Post-quantum signatures are not a performance bottleneck—they're a rounding error.

The Transition Timeline

August 2024
NIST FIPS 204 finalized—ML-DSA is no longer a draft. The standard is stable and implementable.
2024–2025
Library support—OpenSSL 3.5, BoringSSL, liboqs, pqcrypto-rs, and other major cryptographic libraries add ML-DSA support.
2026–2027
COSE / WebAuthn updates—IETF registers ML-DSA COSE algorithm identifiers. W3C WebAuthn Level 4 specification incorporates PQ algorithm support.
2027–2028
Authenticator firmware updates—Major authenticator vendors (Yubico, Feitian, Google Titan) ship firmware supporting ML-DSA key generation and signing.
2028–2030
Platform authenticator support—Apple, Google, Microsoft integrate ML-DSA into their passkey implementations (iCloud Keychain, Google Password Manager, Windows Hello).
2030+
ECDSA deprecation—Aligned with NIST IR 8547 timelines, ECDSA-only credentials begin deprecation in federal systems.

The critical gap: even after PQ passkeys are available, every ECDSA credential created before the transition remains vulnerable. Users will need to re-register credentials on every service—a mass migration that makes the password-to-passkey transition look simple by comparison.

FHE Biometrics: The Ultimate Passwordless

Passkeys eliminate passwords. Post-quantum passkeys will eventually eliminate the ECDSA vulnerability. But there's a deeper question: is a private key stored on a device—even a quantum-resistant one—really the best we can do?

Private keys can be extracted from devices (hardware vulnerabilities, side-channel attacks). Synced passkeys mean the private key exists in a cloud keychain—a high-value target. Device theft with biometric spoofing (presentation attacks) can unlock the authenticator. And the fundamental model still relies on something you have (the device) combined with something you are (a local biometric check that the server never sees).

Fully Homomorphic Encryption (FHE) biometric authentication takes a fundamentally different approach:

No Password

The user authenticates with a biometric. There is no shared secret, no password to phish, no credential to stuff.

No Private Key to Steal

There is no private key on the device. The biometric template is encrypted and sent to the server. Verification happens on encrypted data.

No Template to Harvest

The server never sees the plaintext biometric. The enrolled template is encrypted (BFV lattice-based FHE). Even if the database is breached, the attacker gets ciphertext.

HNDL-Proof by Construction

BFV encryption is lattice-based—not vulnerable to Shor's algorithm. An adversary who harvests the encrypted template today still cannot decrypt it with a quantum computer.

How FHE Biometric Auth Works

In an FHE biometric system, the biometric template (a numerical vector representing the biometric feature) is encrypted under a BFV (Brakerski/Fan-Vercauteren) lattice-based homomorphic encryption scheme before it leaves the user's device. The server performs the matching computation—an inner product between the encrypted probe and the encrypted enrolled template—entirely in the encrypted domain. The result is an encrypted match score that can be threshold-checked without ever revealing the underlying values.

Rust fhe_biometric_auth.rs 
// Enrollment: encrypt the biometric template on the client
let template: Vec<u64> = extract_biometric_features(&biometric_scan);
let encrypted_template = bfv_encrypt(&template, &public_key);
// Store encrypted_template on server — plaintext never exists server-side

// Authentication: encrypt the probe on the client
let probe: Vec<u64> = extract_biometric_features(&live_scan);
let encrypted_probe = bfv_encrypt(&probe, &public_key);

// Server-side: compute match score on ENCRYPTED data
// BFV inner product — lattice-based, NOT vulnerable to Shor's
let encrypted_score = fhe_inner_product(
    &encrypted_probe,
    &encrypted_template
);

// Threshold check in encrypted domain
let auth_result = encrypted_threshold_check(
    encrypted_score,
    threshold
);
// auth_result: encrypted boolean — server learns ONLY match/no-match
// Latency: ~50µs per authentication (H33 production, Graviton4)

Why This Is the Only Truly HNDL-Proof Passwordless Approach

Consider the HNDL risk for each authentication method:

MethodWhat Can Be HarvestedQuantum RiskHNDL-Proof?
Password + MFA Password hash (from breach), MFA seed (from breach) Grover's halves hash strength (still secure with Argon2) Partial
FIDO2 / Passkey (ECDSA) Public key (from RP database or registration ceremony) Shor's derives private key from public key No
FIDO2 / Passkey (ML-DSA) Public key (from RP database) Lattice-based, no known quantum attack Yes
Plaintext biometric (server-match) Biometric template (from breach or interception) Template exposed permanently, cannot be rotated No
FHE biometric (BFV lattice) Encrypted ciphertext only (lattice-based) BFV is lattice-based, no known quantum attack Yes

FHE biometrics occupy a unique position: the authentication factor (your biometric) is something you are—it cannot be forgotten, lost, or phished. The encrypted template is quantum-resistant by construction. And even a complete database breach exposes only ciphertext that cannot be reversed, even with a quantum computer. There is no private key to exfiltrate, no shared secret to intercept, no template to harvest.

Biometric Data Cannot Be Rotated

This is the fundamental difference between biometrics and every other authentication factor. If a password leaks, you change it. If a private key is compromised, you generate a new one. If your fingerprint template leaks in plaintext, you are compromised for life. There is no "new fingerprint." This is why biometric data requires a fundamentally different protection model—one where the plaintext never exists outside the user's device. FHE is the only architecture that provides this guarantee.

H33's Post-Quantum Passwordless Stack

H33's production authentication pipeline combines three post-quantum primitives into a single API call:

H33 Single-Call Authentication Pipeline

  1. FHE Biometric Matching (BFV lattice)—Encrypted biometric probe is matched against encrypted enrolled template using homomorphic inner product. N=4096, single 56-bit modulus, 32 users per ciphertext via SIMD batching. Latency: ~1,375 microseconds per 32-user batch.
  2. ZKP Verification (STARK Lookup)—Cachee STARK lookup proves the match result is valid without revealing the underlying score. Latency: ~0.067 microseconds.
  3. ML-DSA Attestation (Dilithium sign + verify)—The verified result is signed with a Dilithium key, producing a post-quantum attestation that can be verified by any relying party. Latency: ~240 microseconds per batch, ~7.5 microseconds per auth.

Total per-authentication latency: ~50 microseconds. Sustained throughput on a single c8g.metal-48xl instance (Graviton4, 192 vCPUs): 1.2 million authentications per second. Every component—FHE, ZKP, and digital signature—is lattice-based or hash-based, with zero dependence on RSA or elliptic curve cryptography. The entire stack is post-quantum by construction, not by future upgrade.

Implementation Decision Matrix

Not every application needs the same authentication approach. The right choice depends on your risk profile, user base, compliance requirements, and quantum readiness needs. Here's a practical decision matrix.

FactorPasswords + MFAPasskeys (ECDSA)Passkeys (PQ)Hardware TokensFHE Biometrics
Phishing resistance Low High High High High
Credential stuffing Vulnerable Immune Immune Immune Immune
Quantum readiness N/A (symmetric) Vulnerable Ready Depends on alg Ready (lattice)
HNDL-proof Partial No Yes No (ECDSA) Yes
User experience Poor Excellent Excellent Moderate Excellent
Recovery model Email reset Cloud sync Cloud sync Backup key Re-enrollment
Server stores secret? Yes (hash) Public key Public key Public key Ciphertext only
Shared workstations Yes No (device-bound) No (device-bound) Yes (portable) Yes (user-bound)
Deployment maturity Universal Mainstream ~2028+ Mature Available now (H33)
Best for Legacy systems Consumer apps Gov / regulated High-security staff PQ-sensitive, biometric use cases

Practical Guidance

Migration Roadmap: Passwords to Post-Quantum

Migration from legacy password authentication to post-quantum passwordless is a multi-year journey. The key principle: each phase delivers immediate security value while building toward the end state. You don't need to wait for PQ passkeys to start.

Phase 1: Passkey Deployment (Now)

1A. Add WebAuthn Registration and Login

Implement passkey support as an optional login method alongside existing passwords. Use a WebAuthn library (e.g., SimpleWebAuthn for Node.js, py_webauthn for Python, webauthn-rs for Rust). Allow users to register passkeys and use them as a primary or secondary factor.

1B. Incentivize Passkey Adoption

Prompt users to create passkeys during login. Offer passkey-only login for users who opt in (removes password from the account entirely). Track adoption metrics. Google's approach: persistent banners + skip-password-when-passkey-exists. Target: 30%+ adoption within 12 months.

1C. Deprecate SMS MFA

Once passkey adoption reaches critical mass, begin deprecating SMS-based MFA. Move remaining MFA users to TOTP or passkey-based authentication. SMS MFA is vulnerable to SIM swapping and SS7 interception—it provides a false sense of security.

Phase 2: Eliminate Passwords (12-24 months)

2A. Password-Optional Accounts

Allow new account registration with passkey only—no password required. For existing accounts, offer the option to remove the password entirely. GitHub, Microsoft, and Google all offer this today.

2B. Deploy Credential Stuffing Defenses

While passwords still exist in the system, deploy rate limiting, bot detection, and credential stuffing defenses. This buys time during the transition period.

2C. Audit and Inventory Cryptographic Dependencies

Catalog every system that relies on ECDSA, RSA, or other quantum-vulnerable algorithms. This inventory is required by NSM-10 for federal agencies but is essential for any organization planning a PQ transition. Map each dependency to a migration path and owner.

Phase 3: Post-Quantum Preparation (2026-2028)

3A. Cryptographic Agility

Architect your authentication system to support multiple signature algorithms. Store the algorithm identifier alongside each credential. When PQ algorithms become available in authenticators, your server should accept them without code changes.

3B. FHE Biometric Integration

For high-value use cases (identity verification, financial services, healthcare), integrate FHE biometric authentication as a step-up factor or primary method. H33 provides this as a single API call with ~50 microsecond latency.

3C. Hybrid Signature Support

Implement hybrid verification logic that can validate both classical (ECDSA) and post-quantum (ML-DSA) signatures. During the transition, relying parties should accept ECDSA-only, ML-DSA-only, and hybrid (ECDSA + ML-DSA) credentials. This ensures backward compatibility while enabling early PQ adoption.

Phase 4: Full Post-Quantum (2028-2030)

4A. PQ Passkey Migration

When authenticators support ML-DSA, prompt users to re-register credentials with PQ algorithms. Support hybrid (ECDSA + ML-DSA) signatures during the transition to maintain backward compatibility with older authenticators.

4B. ECDSA Deprecation

Set a sunset date for ECDSA-only credentials, aligned with NIST IR 8547 timelines (deprecated 2030, disallowed 2035 for federal systems). Notify users with ECDSA-only credentials to upgrade.

4C. Certificate Chain Migration

Migrate TLS certificate chains, code signing certificates, and attestation CA hierarchies to ML-DSA. This is the deepest infrastructure change and requires coordination with Certificate Authorities, browser vendors, and operating system vendors. Plan for a 2–3 year rollout within this phase.

The Key Takeaway

You don't have to wait for post-quantum passkeys to start the migration. Deploying ECDSA passkeys today eliminates the biggest current threat (phishing and credential stuffing). Post-quantum protection is the second phase, not a blocker for the first. The best time to deploy passkeys was 2023. The second best time is now.

The Bottom Line

The passwordless authentication landscape in 2026 sits at an inflection point. Passkeys have achieved what the security industry failed to do for 20 years: a password replacement that is simultaneously more secure and more convenient. Adoption is mainstream. The technology works. If you haven't deployed passkey support, you should.

But the picture is incomplete without the quantum context. FIDO2's reliance on ECDSA P-256 means that every passkey credential created today has a finite shelf life. Shor's algorithm will eventually break it. The HNDL risk means that public keys stored on servers today can be converted to private keys tomorrow. The migration to post-quantum passkeys (ML-DSA) is coming, but it requires updates to every layer of the ecosystem—specifications, browsers, authenticators, and relying parties—and will take years.

For organizations handling biometric data, the calculus is different. Biometric templates cannot be rotated. A plaintext template compromised today is compromised forever. FHE biometric authentication is the only architecture that provides passwordless convenience, phishing resistance, and quantum-safe template protection simultaneously. The plaintext never exists on the server, the encryption is lattice-based (immune to Shor's), and the verification happens entirely on encrypted data.

The passwordless methods available today are not all equal. Magic links and SMS OTP provide convenience but zero phishing resistance. TOTP authenticator apps can be relayed in real time. Push notifications can be fatigued. Only FIDO2 passkeys, certificate-based authentication, and FHE biometrics provide cryptographic origin binding and genuine phishing resistance. And of those three, only FHE biometrics are quantum-safe today without waiting for a multi-year ecosystem migration.

The migration path is clear: passwords → passkeys → PQ passkeys → FHE biometrics. Each step delivers immediate value. Start where you are, but know where you're going.

H33 provides post-quantum passwordless authentication with FHE biometric processing (BFV lattice-based), ML-DSA digital signatures, and ML-KEM key exchange—all in a single API call at ~50 microseconds per authentication. Every component is quantum-resistant by construction. Read the biometric authentication guide for implementation details.

Build With Post-Quantum Security

Enterprise-grade FHE, ZKP, and post-quantum cryptography. One API call. Sub-millisecond latency.

Get Free API Key → Read the Docs
Free tier · 10,000 API calls/month · No credit card required

Related Articles

Security
Zero Trust Architecture
Security
Credential Stuffing Defense
Security
AI Authentication Attacks
Verify It Yourself