Smartphone authentication: The killer app that can augment the smartphone’s utility

Smartphones can help you securely log in, tap to pay and enter cars, buildings, and airports. As security concerns grow, the need for authentication will likely consolidate the smartphone’s status as the ultimate goldilocks device: the right size, power, connectivity and trust.

Paul Lee

United Kingdom

Ben Stanton

United Kingdom

Kevin Westcott

United States

In 2024, the smartphone is expected to have one of its most successful years ever, despite a historically modest sales forecast of 1.26 billion units,1 several hundred million units short of its all-time peak of 1.57 billion.2 The smartphone’s success will be due in part to the ever-rising value of its five-billion user ecosystem—with authentication becoming an increasingly important addition to the device’s value. 

Smartphones are expected to be used to authenticate processes across an ever-widening range of actions, such as accessing websites, making payments, unlocking cars, and controlling entry to physical buildings trillions of times in 2024. And in the medium term, the volume could swell to tens of trillions in a year with additional applications including proving identity, becoming mainstream. In 2024, usage of the smartphone as an authenticator will still likely be a fraction of its long-term potential impact, as illustrated in Figure 1.

Authenticating online access: The smartphone is a common link between two-factor authentication and passkeys

The smartphone is likely to play an increasing role in managing fraudulent access to online accounts. In 2024, it is expected to predominantly be used for delivery of passcodes as part of the two-factor authentication (TFA) process, whereby a one-time password (OTP) is sent to a phone, often within a text message.3 In 2023, there were an estimated 1.3 trillion such messages sent via telecom networks, generating an estimated US$26 billion from network traffic alone.4

The smartphone may also be used increasingly to generate passkeys—likely the medium-term replacement for passwords. Passkeys authenticate access to online accounts without passwords.5 With this approach, a pair of keys is generated for every account, one public and one private key stored on a phone. Users who want to access an account check that the keys match. The private, device-based key is released once the user has been validated using the same process that would normally be used to unlock the phone, which could be biometric (face or fingerprint) or via a password or pattern. As of 2024, usage of passkeys could be modest; by 2030 usage may become higher as it could supplant TFA.

One driver for smartphone-based authentication, based on either technology, is the growing average number of online accounts and associated volume of breaches. The cost of attacks, which are predicated on vulnerabilities that exist via passwords to authenticate access to a growing number of online accounts, is likely unsustainable. Users are asked to create a unique and, ideally strong, password for each account with some enterprises requiring that workers change their password quarterly. The relatively static and limited human ability for recall cannot cope with the combination of the growing number of accounts held, and the ask to memorize rising numbers of “strong” passwords.6

The outcome is an abundance of weak passwords, with the most popular still being “123456” and “password.”7 Repositories of passwords paired with user IDs are often targeted and there were an estimated 24 billion passwords—one for every three people on earth—exposed by hackers in 2022.8 The annual cost of data breaches is forecast at more than US$5 trillion in 2024.9 Furthermore, passwords are often repeated: One analysis found 64% of people used the same password across multiple accounts, incrementing the impact of a breach, as a single user ID and password combination may unlock multiple accounts.10 Password users can also be vulnerable to phishing attacks, designed to trick users into sharing credentials with malign entities. An estimated 3.4 billion malicious emails are sent daily.11

Two-factor authentication and passkeys can provide another level of security, as additional information beyond the pair of password and user ID is required. Either approach can be effective at minimizing the impact of breaches. It can repel almost all automated bot attacks and bulk phishing attacks.12 A very high proportion of compromised accounts did not use multi-factor authentication.13

TFA may incur a charge for the delivery of the one-time password, while pass keys do not (aside from bandwidth usage);14 the cost of each TFA may limit how frequently smartphone-based authentication is triggered. One deployment of passkeys found that using smartphone-based biometric authentication enabled a two-thirds reduction in the number of OTPs per user, saving 1.9 pence (US 2.4 cents) per message.15 The momentum behind passkey is likely to grow further to the commitment by Apple, Microsoft, and Google in May 2022 to support the same passkey standard.16 Apple launched support for passkeys with iOS 16 in September 2022,17 and Google supports these for all operating systems from Android 9.0.18 A growing, but still selective number of companies supported passkeys as of September 2023.19

Authenticating commerce

The smartphone is also likely to play a growing role in authenticating transactions, both online and in stores. This is expected to be based on a range of technologies, including biometric identification capabilities. Two- or multi-factor authentication and passkeys will likely also play an important role.

Mobile already represents a significant share of all e-commerce, but the majority of purchases made are still offline. In the United States, almost half of sales (47%, equivalent to US$99.5 billion) were via mobile in the 2022 holiday season, up from 43% the prior year.20 But as of Q2 2023, e-commerce was still 15.4% of all payments, up one percentage point year-over-year.21 E-commerce’s share of all sales has tended to increase steadily since the mid-90s, except for the anomalous period of 2020−2021.22 If this trend continues, the role of smartphones for online transactions should continue to increase.

In-store, the impact of payments via smartphone apps is smaller. According to one analysis, only three cents of every dollar spent in-store in Q2 2022 in the United States was paid via a smartphone app.23

Authenticating physical access

The smartphone is also likely to be used increasingly to validate physical access into buildings. Buildings that use card readers to permit or prohibit access often use Near-field communications (NFC) to exchange information between the gate and the card. The first smartphones to incorporate NFC were launched in 2011 and as of 2024,24 this capability is likely to be ubiquitous. As such, smartphones could substitute for access cards. Alternatively, Bluetooth could be used to communicate with the reader. With hardware and software upgrades (of a complexity and cost that varies by company), existing gates could be ready to work with smartphones.

The proportion of businesses whose premises are mobile-ready has been growing steadily. According to one survey of businesses in North America, EMEA, and Asia Pacific, 24% were mobile-capable in 2022, up from 16% in 2020, and a further 42% were planning to upgrade.25

This migration to smartphones could save on operational costs, address risks as well as reduce environmental impacts. Smartphone-based entry passes can be distributed via app downloads. They can also be canceled remotely via over-the-air instruction. Businesses around the world are likely to have teams dedicated to the allocation of physical cards to staff and visitors and temporary cards to replace forgotten cards in 2024. A phone-based approach would still require oversight and could enable some staff to be re-assigned from their current repetitive role of handing out entry cards.

There will likely be debates on the risks of migrating to smartphone-based entry this year. One benefit of the ID card in most buildings is visible identity; however, in some offices ID cards are often pocketed and identity checks are not often commonplace. ID cards may also be stolen, enabling bad actors to gain access to a building if there is lax security. By contrast, a smartphone’s biometric authentication could be used to provide further validation prior to tapping the phone on the reader, like the process for making a payment or entering the subway. Additionally, individuals may leave their ID card at home or elsewhere (including public venues) but may be more vigilant about their smartphones because of their utility.

The sustainability dividend from migrating to mobile may be significant. The traditional, legacy method of validating access to buildings is via photo identity cards housed in lanyards. There are 3.4 billion people in the global workforce.26 If only half of these are issued a lanyard, that implies almost two billion lanyards, some of which may end up landfill. There are also multiple temporary ID cards issued for events. The Fira Barcelona hosts 2.5 million visitors each year;27 the Las Vegas Convention Center has two million visitors.28 Some shows are already migrating to smartphone-based digital access passes, including the Mobile World Congress at the Fira Barcelona, saving on the need to manufacture and subsequently dispose of physical passes and lanyards, and on the need to dedicate staff to issue them.29

Smartphone access passes could also be used for other functions, such as payment at vending machines, access to printing machines, and checking in to events, such as university lectures, or conference sessions. In the United States, there were 53 universities that had adopted smartphone passes as of September 2022.30

As well as authenticating access to commercial premises, over time smartphones may also be used more commonly to permit entry into private homes. One benefit of this would be the ability to send keys to guests on a time-limited basis.31

Authenticating travel

Prior to the pandemic, there were 4.5 billion airline passengers per year in 2019.32 Prior to boarding, passengers need to show their boarding pass and may also need to show identification. A boarding pass can be within a mobile app, particularly for regular travelers. This can save on printing and reduces the likelihood of loss. Some baggage receipts are also moving to apps.33

However, proof of identity at a caliber sufficient for travel is slowly moving online. One of the most advanced countries is Ukraine, which launched an app in 2020 that hosts multiple documents including a national identity card. As of December 2022, almost 18.5 million Ukrainians (more than 40%) had downloaded the app.34 In the United States, three states have launched support for digital driving licenses: Arizona, Georgia, and Maryland.35 In 2024 and 2025 a European National Identity initiative co-funded by the EU plans to trial smartphones for applications including mobile driving licenses.36 In the UK, the government is targeting availability of digital driving licenses by 2024:37 Development programs have been underway since 2016.38

The smartphone may also be used for elements of pre-authorization for travel, for example for the submission of fingerprints required for entry visas. Over the coming years, smartphones could be used to capture this biometric data in lieu of specialized machines. The United Kingdom’s government has been evaluating smartphones to capture fingerprints and face data.39

A migration to smartphone-based national or regional identify is unlikely in the near term but could be likely in the medium to long-term: As authentication for a widening range of high-value processes, including accessing US$100,000 cars, US$1,000,000 homes, and US$10 million office buildings becomes more common, trust and familiarity in creating smartphone-based identity could increase. A large proportion of smartphone owners may be ready to add identity to their array of smartphone applications. According to Deloitte UK’s Digital Consumer Trends, about a quarter of respondents in developed markets would like to use their phone as their driving license or passport.40

Bottom line

In 2024 and over the coming decades, smartphones could replicate and exceed the functionality of tens of billions of physical authentication tools in use today, including keys, passwords, driving licenses, passports, credit cards, and cash. The smartphone’s success is not limited to just unit sales: The value of its multiplier is becoming more significant.

The addition of authentication to the smartphone’s utility could be analogous to its assimilation of the functionalities of multiple form factors, including compact cameras, MP3 players, alarm clocks, handheld GPS navigation, office desk phones, and tourist guidebooks.

However, authentication may be more valuable capability than playing music, snapping selfies, or setting an alarm. Smartphone-based verification of identity can accelerate, enhance, and reduce the cost of processes that are often fundamental to commerce, enterprise security, and border control.

Modern society often requires technologies such as keys, passports, and means of payment. However, these tools do not always need to be physical – they can exist as software capabilities within smartphones and can be better keys, passports, and payment tools as a result.

As society migrates to smartphone-based authentication, it will be important to help ensure that no users are left stranded: change is often challenging, depending on the individual.

Given the widening future scope of the smartphone, it is likely to cement its position as a successful device. This may dampen (but not eradicate) discussions of when it might be toppled by another form factor. 

Figure 1 sources

A.      Rosie O'Connor, “Mobile authentication market: 2023-2028,” Juniper Research, October 23, 2023.

B.      Adobe Experience Cloud, “Top ecommerce statistics for 2023,” May 12, 2023.

C.       Chantel Wakefield, “Cars that use digital keys in 2023,” Kelley Blue Book, June 14, 2023.

D.      Hedges & Company, “How many cars are there in the world in 2023?”, accessed November 14, 2023.

E.       Emirates, “Emirates goes digital, phases out paper boarding passes for flights departing Dubai,” May 12, 2023. 

F.       ICAO, “The world of air transport in 2019,” accessed November 16, 2023.

G.      Eurostat, “Household composition statisticsv,” accessed November 16, 2023.

H.      Richard Fry, Jeffrey S. Passel And D’Vera Cohn, “U.S. household growth over last decade was the lowest ever recorded,” Pew Research Center, October 12, 2021.

I.         ICAO, “The world of air transport in 2019.”

J.        The World Bank, “Labor force, total,” accessed November 16, 2023.

K.       Apple, “Countries and regions that support Apple Pay,” August 10, 2023.

L.       UITP, "Data: Public transport & urban mobility data,” accessed November 16, 2023.

M.    Sorin-Andrei Dojan, “Mobile wallets, most popular payment method in China: GlobalData,” Electronic Payments International, July 6, 2023.

N.      PYMNTS, “Mobile wallet adoption,” August 2022.

O.      US Census Bureau News, “Quarterly retail e-commerce sales 2nd quarter 2023,” press release, August 17, 2023.

By

Paul Lee

United Kingdom

Ben Stanton

United Kingdom

Kevin Westcott

United States

Endnotes

  1. Needham Mass., “Global smartphone shipments expected to decline 1.1% in 2023 as recovery is pushed forward into 2024 amidst weak demand, according to IDC tracker,” IDC, March 1, 2023. 

    View in Article
  2. Counterpoint, “2023 global smartphone shipments to hit decade low as Apple inches closer to top spot,” press release, August 17, 2023. 

    View in Article
  3. Jack Flynn, “17 essential multi-factor authentication (MFA) statistics [2023],” Zippia, February 6, 2023. 

    View in Article
  4. O'Connor, “Mobile authentication market: 2023-2028.” 

    View in Article
  5. Thorin Klosowski, “RIP, Passwords. Here’s what’s coming next,” Wirecutter, January 11, 2023; Apple Support, “Use passkeys to sign in to apps and websites on iPhone,” accessed November 16, 2023.

    View in Article
  6. Denise Ranghetti Pilar, Antonio Jaeger, Carlos F. A. Gomes, and Lilian Milnitsky Stein, “Passwords usage and human memory limitations: A survey across age and educational background," PLoS One. 7, no. 12 (2012).

    View in Article
  7. Patricija Cerniauskaite, “Are we still lazy with our passwords? The 2021 top 200 most common passwords list is here,” NordPass, November 23, 2021.

    View in Article
  8. Clare Stouffer, “139 password statistics to help you stay safe in 2023,” Norton, June 26, 2023. 

    View in Article
  9. United Nations, “As Internet user numbers swell due to pandemic, UN Forum discusses measures to improve safety of cyberspace,” accessed November 16, 2023.

    View in Article
  10. SpyCloud, Annual Identity Exposure Report 2022, accessed November 16, 2023.

    View in Article
  11. Valimail, “Email fraud landscape spring 2021,” April 16, 2021.

    View in Article
  12. Josephine Wolff, “Is multifactor authentication less effective than it used to be?,” Slate, February 22, 2022. 

    View in Article
  13. Catalin Cimpanu, “Microsoft: 99.9% of compromised accounts did not use multi-factor authentication,” ZDNET, March 5, 2020.

    View in Article
  14. Rubion, “What is SMS 2FA? Text message authentication explained,” April 20, 2022.

    View in Article
  15. FIDO Alliance, “National health service uses FIDO authentication for enhanced login,” February 24, 2021. 

    View in Article
  16. FIDO Alliance, “Apple, Google and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign-ins,” May 5, 2022.

    View in Article
  17. Apple Support, “Use passkeys to sign in to apps and websites on iPhone”; Apple Support, “Sign in to an account on your Mac with a passkey,” accessed November 16, 2023.

    View in Article
  18. Google Chrome Help, “Manage passkeys in Chrome,” accessed November 16, 2023.

    View in Article
  19. Passkeys Directory.

    View in Article
  20. Adobe, “Adobe: Holiday shopping season drove a record $211.7 billion for e-commerce,” January 11, 2023.

    View in Article
  21. US Census Bureau News, “Quarterly retail e-commerce sales 2nd quarter 2023.”

    View in Article
  22. Benedict Evans, “Back to the trend line?,” July 28, 2022.

    View in Article
  23. PYMNTS, “Apple Pay has 48% share of mobile wallets yet only tiny sliver of total retail payments,” August 15, 2022.

    View in Article
  24. GSM Arena, “Nokia 6131 NFC,” accessed November 16, 2023.

    View in Article
  25. IFSEC Insider, “A guide to mobile access control systems,” August 23, 2023.

    View in Article
  26. The World Bank, “Labor force, total.” 

    View in Article
  27. Fira de Barcelona, “Key facts and figures,” accessed November 16, 2023.

    View in Article
  28. Vegas Means Business, “Las Vegas Convention Center,” accessed November 16, 2023.

    View in Article
  29. MWC Barcelona, “Digital badge,” accessed November 16, 2023.

    View in Article
  30. Wikipedia, “List of campus identifications in mobile wallets,” accessed November 21, 2023.

    View in Article
  31. Nuki, “Say hello to the smartest Nuki door lock ever,” accessed November 16, 2023.

    View in Article
  32. ICAO, “The world of air transport in 2019.”

    View in Article
  33. Rachel Chang, “This airline is phasing out paper boarding passes,” Condé Nast Traveler, May 15, 2023.

    View in Article
  34. Ukraine Now, “Digital country,” accessed November 16, 2023.

    View in Article
  35. Apple, “Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet,” press release, September 1, 2021; Umar Shakir, “Apple’s digital state ID cards are now available for Maryland residents,” The Verge, May 26, 2022. 

    View in Article
  36. Potential, “Building the future of digital identity in Europe,” accessed November 16, 2023.

    View in Article
  37. RAC, “Digital driving licences will arrive before 2024,” September 20, 2021. 

    View in Article
  38. BBC, “UK developing digital driving licence,” May 16, 2016.

    View in Article
  39. UK Government, “ Biometric self-enrolment feasibility trials,” July 4, 2022.

    View in Article
  40. Deloitte, “Digital Consumer Trends 2023,” accessed November 16, 2023.

    View in Article

Acknowledgments

Cover image by: Manya Kuzemchenko