The rise of quantum computing is reshaping the foundations of cryptography and, by extension, authentication. While many industries rely on authentication methods like FIDO2 tokens, X.509 certificates, RFID tokens, mobile push authentication, OTP tokens, and more, these mechanisms heavily depend on cryptographic algorithms that will soon be obsolete.
The time to transition to post-quantum authentication (PQA) is now — not when quantum computers become powerful enough to break today’s cryptographic standards. The timely transition is crucial because upgrading cryptography is not straightforward. Yet, the new algorithms ensure better security, protecting systems not only from future quantum threats but also from today’s classical vulnerabilities. But how do different authentication methods hold up against this seismic shift? Let’s break it down.
1. FIDO2 and Passkeys
FIDO2 is a modern authentication protocol relying on public-key cryptography to authenticate users with passkeys or hardware security keys. The problem? Current FIDO2 implementations typically use RSA or Elliptic Curve Cryptography (ECC), both of which are vulnerable to quantum attacks.
- Impact: High. FIDO2 relies on digital signatures, which quantum computers can break using Shor’s algorithm.
- Solution: Transition to post-quantum cryptographic (PQC) alternatives, such as ML-DSA (Dilithium), a NIST-endorsed digital signature algorithm.
- Complexity: Moderate to high. The entire ecosystem of passkeys and security tokens needs to be upgraded to support post-quantum cryptography.
2. X.509 Certificates and PKI-Based Authentication
Public key infrastructure (PKI) is a backbone of secure authentication, used in TLS, smart cards, VPNs, and enterprise identity solutions. However, PKI systems also typically rely on RSA or ECC for digital signatures and key exchanges.
- Impact: High. Quantum computers can break RSA and ECC, rendering PKI-based authentication completely insecure.
- Solution: Migration to hybrid PKI using post-quantum cryptographic schemes like ML-DSA and ML-KEM (Kyber).
- Complexity: High. Organizations must upgrade root CAs, certificates, and client authentication mechanisms before Q-Day.
3. RFID Tokens and Smart Cards
RFID authentication and smart cards often use symmetric authentication or asymmetric PKI-based authentication.
- Impact: Low for symmetric authentication but high for asymmetric PKI-based RFID tokens.
- Solution: Ensure symmetric authentication keys have at least 256 bits and upgrade asymmetric authentication to post-quantum methods.
- Complexity: Moderate. While symmetric key-based RFID can be updated with stronger keys, PKI-based smart cards require a hardware upgrade.
4. Mobile Push Authentication
Mobile push authentication (such as those used in banking apps, MFA solutions, and passwordless authentication) typically uses digital signatures or HMAC-based authentication codes.
- Impact: Moderate to high. A system that relies on ECC or RSA to sign authentication requests is especially vulnerable.
- Solution: Move to post-quantum hybrid authentication with ML-DSA for digital signatures or extend symmetric key-based HMAC schemes.
- Complexity: Low to moderate. Mobile apps can be updated, but ensuring post-quantum security in the key exchange process requires architectural changes.
5. EU Digital Identity Wallet (EUDI-W)
The EU Digital Identity Wallet (EUDI-W) is an upcoming digital identity framework set to be adopted across the European Union. It will allow citizens to store and use identity credentials for online authentication and digital signatures. However, EUDI-W relies on PKI-based digital signatures and encryption, which quantum computers will compromise.
- Impact: High. The authentication and identity verification mechanisms in EUDI-W will be affected, requiring a transition to post-quantum cryptographic digital signatures.
- Solution: EU authorities and identity providers must adopt hybrid post-quantum digital signature schemes, such as ML-DSA (Dilithium).
- Complexity: High. As a government-regulated initiative, transitioning EUDI-W to post-quantum security will require policy updates, regulatory adjustments, and technological upgrades across all participating nations.
6. One-Time Password (OTP) Tokens
OTP tokens (including TOTP, HOTP, and OCRA) use symmetric key-based HMAC authentication.
- Impact: Low. HMAC is relatively safe from quantum attacks but still requires sufficient key lengths (at least 256 bits) to mitigate quantum threats.
- Solution: Increase symmetric key sizes and ensure key exchanges use quantum-safe methods.
- Complexity: Low. OTP solutions are less affected but still require upgrades in key size.
Final Thoughts
The quantum era is approaching faster than most organizations realize. Most organizations operate with multiple authentication methods, making the transition to post-quantum authentication complex. Banks, fintechs, and enterprises relying on authentication must start migrating now to avoid being caught unprepared. Authentication methods based on digital signatures and PKI require urgent action, while symmetric key-based solutions need key size upgrades.
At Wultra, we are leaders in post-quantum authentication, offering quantum-safe PowerAuth® mobile authentication, post-quantum passkeys, and FIDO2 tokens.
If you're looking to future-proof your authentication strategy, let's talk. Contact us at sales@wultra.com for a consultation.
.webp)
