1. Home
  2. Agenda
  3. Session 197— How to Transition Online Service to Passwordless at No Cost

Agenda

How to Transition Online Service to Passwordless at No Cost

Passwordless Alliance

Session 197

Thursday, 10 July 2025 in 2 days 14:00–14:45 (UTC+02:00) Physical (on-site) and Virtual (remote) participation Room G, Palexpo Interactive Session
Register »

Physical (on-site) and Virtual (remote) participation

ITU-T X.1280 Case Studies from Ecuador, France, and Korea

For the successful development of an information society, innovative ideas and technologies are essential to transform everyday inconveniences into convenient, safe, and economical solutions. This session presents the vision and case studies of creating a more secure and efficient information society by replacing user passwords—the core weakness of the current system—with passwordless technology.

User passwords can be leaked, reused by attackers, or exploited through phishing, pharming, and other attacks by fake service providers. To address these risks, technologies like OTPs, PKI certificates, mobile authentication, biometrics, and QR code authentication have been introduced. However, these measures have not yet fully realized the goal of a passwordless society.

The main reason is that existing authentication technologies place the entire responsibility of proof on users. Users must submit authentication values, and online services simply verify them. This model leaves users responsible for proving their legitimacy.

In 2024, ITU-T established X.1280, an international standard that changes this model. X.1280 uses out-of-band mutual authentication: the online service presents an automatic password to the user, who compares it to the automatic password generated on their smartphone and approves it with their smartphone’s biometric sensor. This shifts the responsibility of proof to the online service.

This approach frees users from entering, changing, or memorizing passwords, significantly improving convenience. It also provides stronger security against cyberattacks such as phishing and man-in-the-middle attacks, while reducing costs by enabling out-of-band biometric authentication through users’ smartphones without needing an additional biometric sensor on each user device.

Following the adoption of X.1280, global ICT experts formed the Passwordless Alliance, a non-profit organization headquartered in Geneva, Switzerland. The Alliance promotes passwordless standards and offers free products globally to build an information society without passwords.

To achieve this, the Alliance distributes Passwordless X1280, free software based on the X.1280 standard. This helps B2C and G2C online services transition to passwordless systems. Examples include online store, consumer support center, and universities in France, Ecuador, and South Korea that now use systems where users approve automatic passwords via their smartphones instead of entering passwords.

Additionally, IT associations and educational institutions in the U.S., Ecuador, and South Korea have adopted educational programs and materials on X.1280 and promote passwordless education.

The main takeaways of this session include:

  • The ITU-T X.1280 international passwordless standard
  • The role of the Passwordless Alliance in promoting passwordless standards and free software
  • Case studies of passwordless software adoption across various online services in France, Korea, Ecuador
  • Case studies of the adoption and implementation of passwordless education programs in the US, Korea, Ecuador
Panellists
Ms. Xiaoya Yang
Ms. Xiaoya Yang Counsellor ITU

Ms. Xiaoya Yang is the Counselor of ITU-T Study Group 17 ‘Security’ since 2017. 

With 20+  years of professional experience in telecommunication regulation, legislation and international standardization and coordination, she was the Head of the WTSA Programmes Division in the Telecommunication Standardization Bureau of the International Telecommunication Union (ITU-TSB) in 2010-2016, the Co-counsellor of ITU-T Study Group 2 on 'Operational aspects of service provision and telecommunications management' and Study Group 3 on 'Tariff and accounting principles including related telecommunication economic and policy issues' from 2009 to 2010; Counselor of ITU-T Study Group 17 on 'Telecommunication security' from 2007 to 2008; and Workshop Project Coordinator from 2004 to 2006. She served as key member in secretary for major ITU conferences since 2012 - World Conference on International Telecommunications (2012), Work Telecommunication Policy Forum (2013), ITU Plenipotential Conferences (2014, 2018, 2022), World Telecommunication Standardization Assembly (2012, 2016, 2022, 2024). 

Before joining ITU, she worked in the Ministry of Information Industry of China from 1998 to 2004. There she was the division director responsible for regulation of Internet services and cybersecurity. From 1997 to 1998 she worked in China Telecom as a network engineer and Internet service manager. She has a M.S. in Computer Science from Tsinghua University, China and an MBA from Hong Kong Polytechnic University.

Dr. CHAESUB LEE
Dr. CHAESUB LEE Chairman Passwordless Alliance (Switzerland)

Dr Lee has worked in the ICT/Telecom domain for the last 37 years since 1987.
He led many technical standards on ICT/Telecom based on ITU-T and had many different roles: NGN-FG Chairman, IPTV-FG Vice Chairman, Working party Chairman and Study Group 13 Chairman. He engaged in many subjects such as NGN, IPTV, IoTs, Future Networks, Fixed Mobile Convergence, Fixed networks on 5G, Architectural aspects of Security, and others.
He served as the Director of ITU TSB as an Elected Officer during 2015 and 2022.

He has been serving as the chairman of Passwordless Alliance since its establishment in 2024, Geneva, Switzerland.

Mr. Jonghyun Woo
Mr. Jonghyun Woo President Passwordless Alliance(Switzerland)

Jonghyun is a serial entrepreneur who has developed human-oriented technologies that help people maintain a balance with new technologies, including AI.

He pursues the development of neutral technologies that prevent people from overly relying on technology and losing their autonomy without excessively wasting computing resources due to convenience. Rather than automation, he advocates for user-participatory technology, where users engage actively to achieve more excellent utility from appropriate ICT technologies and resources.

His notable technologies becoming international standards include a passwordless technology (X.1280), where online services submit an automatic password to the user, and the user verifies the service on their smartphone instead of users inputting passwords and services verifying them. Another is storage protection technology (X.1220), which prevents stored data from being stolen or encrypted even if the user accidentally runs ransomware or data-stealing malware. There is also out-of-band physical authentication technology (X.oob-pacs), which verifies whether a robot or facility in front of the user is genuine before allowing usage.

He has established the Passwordless Alliance in Geneva with the aim of eliminating passwords for all online services worldwide, which is distributing free passwordless software. 

  

Prof. Nelson Fernando
Prof. Nelson Fernando Professor ESPE (Ecuador)

ACADEMIC DIRECTOR  at ESCOM & ESPE university

SYSTEMS AND COMPUTER ENGINEER

MASTER'S DEGREE IN CYBERSECURITY 

MASTER'S DEGREE IN INDUSTRIAL SAFETY

BACHELOR OF MILITARY SCIENCE

Mr. Christophe Candela
Mr. Christophe Candela Head of Biometric Research Lab ID3 Technologies (France)

Head of Biometric Research Lab

Topics
Capacity Building Cybersecurity Digital Divide Digital Economy Digital Inclusion Digital Skills Digital Transformation Education Emerging Technologies Global Digital Compact (GDC) Infrastructure Smart Cities WSIS+20 Review
WSIS Action Lines
  • AL C3 logo C3. Access to information and knowledge
  • AL C4 logo C4. Capacity building
  • AL C5 logo C5. Building confidence and security in use of ICTs

C3. Access to information and knowledge
This session directly supports C3 by promoting technologies that make online services more accessible, secure, and user-friendly. By eliminating the need for passwords through passwordless authentication (ITU-T X.1280), this session presents solutions that remove barriers for users who may face challenges with complex password systems, such as the elderly or those with low digital literacy. The promotion of Passwordless X1280 free software and the sharing of case studies demonstrate how people around the world can securely and conveniently access information and services without relying on vulnerable password-based methods.

 
 C4. Capacity building
This session contributes to C4 by fostering capacity building at both individual and institutional levels. It introduces how the Passwordless Alliance provides free software, educational materials, and training resources that enable IT associations, educational institutions, and online service providers to adopt and operate passwordless technologies. Case studies from the U.S., Ecuador, and South Korea illustrate how education programs based on international standards help local communities and professionals enhance their digital security skills and promote secure service delivery.

 
C5. Building confidence and security in use of ICTs
This session strongly aligns with C5 as it focuses on enhancing trust and security in digital services. By presenting ITU-T X.1280 and related passwordless solutions, this session demonstrates how common cyber threats such as phishing, pharming, and man-in-the-middle attacks can be effectively addressed. The out-of-band mutual authentication model, which shifts the responsibility of proof from users to online services, provides stronger protection for users and helps build confidence in the use of ICTs.

 
Summary of linkages:
This session showcases how passwordless technologies promote inclusive and secure access to information (C3), strengthen capacity building through education and free tools (C4), and enhance trust and security in digital services (C5).

Sustainable Development Goals
  • Goal 9 logo Goal 9: Build resilient infrastructure, promote sustainable industrialization and foster innovation
  • Goal 10 logo Goal 10: Reduce inequality within and among countries
  • Goal 11 logo Goal 11: Make cities inclusive, safe, resilient and sustainable
  • Goal 14 logo Goal 14: Conserve and sustainably use the oceans, seas and marine resources
  • Goal 16 logo Goal 16: Promote just, peaceful and inclusive societies
  • Goal 17 logo Goal 17: Revitalize the global partnership for sustainable development

This session on passwordless technology and the ITU-T X.1280 standard directly supports multiple Sustainable Development Goals by fostering innovation, inclusion, security, and global cooperation in the information society.

Goal 9: Build resilient infrastructure, promote sustainable industrialization and foster innovation
The session highlights innovative authentication technology that improves digital infrastructure resilience by replacing vulnerable password systems with a robust, secure, and standardized passwordless approach. By distributing free software and encouraging broad adoption, it fosters technological innovation accessible to many industries and services, strengthening sustainable ICT infrastructure worldwide.

Goal 10: Reduce inequality within and among countries
Passwordless authentication simplifies secure access to online services without financial or technical burdens on users. By promoting free, standardized tools globally—especially in developing countries —the initiative helps reduce digital divides and inequality in access to safe online environments, empowering marginalized communities.

Goal 11: Make cities inclusive, safe, resilient and sustainable
Secure, convenient online services are essential for smart, inclusive urban environments. The session’s technology improves user safety against cyber threats and increases trust in digital public and private services, contributing to resilient and sustainable cities where citizens can safely participate in digital life.

Goal 16: Promote just, peaceful and inclusive societies
By enhancing security through out-of-band mutual authentication and reducing risks of cybercrime like phishing and man-in-the-middle attacks, the session promotes trust in online interactions. This supports peaceful and inclusive societies by protecting individuals’ rights and fostering justice in digital communication and transactions.

Goal 17: Revitalize the global partnership for sustainable development
The formation of the Passwordless Alliance, a non-profit NGO headquartered in Geneva, exemplifies global cooperation among ICT experts, governments, academia, and private sectors. By sharing open standards and free software, the Alliance strengthens international partnerships and collective efforts to achieve a secure, accessible, and sustainable information society.

GDC Objectives
  • Objective 1: Close all digital divides and accelerate progress across the Sustainable Development Goals
  • Objective 2: Expand inclusion in and benefits from the digital economy for all
  • Objective 3: Foster an inclusive, open, safe and secure digital space that respects, protects and promotes human rights
Links

Passwordless Alliance Official Website
https://www.passwordlessalliance.org

 

MPM

MPM