Moving towards passwordless authentication

Nurdianah Md Nur • 5 min read
Passwordless authentication strengthens security by eliminating risky password management practices and reducing attack vectors. Photo: Shutterstock

A 2024 NordPass survey found that each person in the workplace manages 87 passwords on average. That volume pushes people towards easily guessed passwords and password reuse, which in turn feeds the rising frequency of data breaches. Given how little protection passwords provide, the question is why organisations continue to depend on them.

Tech leaders share the barriers to adopting passwordless authentication and how organisations can better secure their IT systems. Passwordless authentication replaces a secret the user must remember with proof of something unique to the user (such as a biometric) or something physical the user must possess (such as a hardware token).

Andras Cser, vice president and principal analyst, Forrester:

Key contributing factors preventing organisations from adopting passwordless include users’ unfamiliarity with the technology and familiarity with passwords and two-factor authentication (2FA); technical debt and licensing/integration costs of replacing 2FA/password-based authentication with passwordless authentication; and service providers’ and enterprises’ reluctance to trust all authentication credentials to Apple Keychain and Google Password Manager.

Forrester expects additional maturing of lost/compromised passkey recovery and open-source reference implementations. We see user experience playing a key role in adopting passwordless authentication: facial and fingerprint recognition are key modalities in adoption.

Lim Teck Wee, area vice president for Asean, CyberArk:

By removing passwords, the risk of account compromise is significantly reduced. It is a more robust way to shield user identities against phishing, keylogging, and man-in-the-middle attacks.

Removing complex password requirements and frequent password updates also simplifies the user experience. Passwordless authentication can also increase productivity by eliminating the need for password-related IT support tasks such as password reset.

The top barriers preventing organisations from going passwordless are legacy and complex systems. It involves dealing with thousands of users, countless applications, hybrid and multi-cloud environments, and complex login flows.

Identity and access management (IAM) can facilitate organisations’ transition to a passwordless world through capabilities like passwordless endpoint authentication. Organisations should look at passkeys, a new multi-device passwordless factor that uses the devices’ security capabilities. In addition, passkeys are highly phishing-proof and eliminate possible attack vectors with factors like MFA [multi-factor authentication] that require human interaction.

Angus McDougall, regional vice president for Asia Pacific and Japan, Entrust:

A good first step is for organisations to adopt a hybrid identity and access management approach. Combining digital and physical identifications allows flexibility based on user preference or situation.

This involves replacing passwords with biometrics or device-based authentication, which reduces friction while providing a secure and transparent user experience. Deploying high-assurance passwordless solutions that include proximity detection and certificate-based authentication can further eliminate security threats from remote-based account takeover attacks while offering more convenience for users.

To fortify against identity attacks, organisations should also consider identity verification as a step-up authentication when securing high-value financial transactions or for high-value individuals within an organisation, such as C-suite or IT staff, who have access to critical systems.

Edwardcher Monreal, principal solutions architect, IAM Consumer Authentication Solutions, HID:

Organisations may be hesitant to go passwordless due to resistance to change or cost concerns, but it could also be because they lack awareness about the benefits.

Adopting passwordless solutions means leveraging passkeys, a modern-day replacement for passwords based on FIDO standards. Passkeys enable organisations to secure log-ins and digital assets via passwordless authentication using fast, convenient methods.

The login experience will be familiar and consistent across many of the user’s devices: a simple verification of their fingerprint or face, or a PIN for device-bound passkeys. Device-bound passkeys provide an option for organisations that require additional proof of provenance of a user’s passkeys. Passkeys help reduce expensive reset requests, and they cannot be intercepted or cracked by attackers, making them more resilient to data breaches.

HID is a member of the FIDO Alliance and is proud to support the security standard on multiple fronts. This includes converged credentials that combine physical access into buildings and smart cards that contain passkeys for digital access, which is in demand inside regulated enterprises or highly secure industries.

Brett Winterford, regional chief security officer for Asia Pacific and Japan, Okta:

At this point, there are very few reasons not to pursue passwordless solutions. Adoption tends to be held back by legacy applications that do not support modern authentication standards and anxiety over the perceived costs of distributing modern devices and physical security keys to users. However, it’s mostly held back by an institutional reticence to leave the familiarity of passwords behind.

Okta’s recent Secure Sign-in Trends Report demonstrates a movement towards more secure access methods. Many workforce administrators now require users to sign in using phishing-resistant authenticators: sign-in methods in which credentials are cryptographically bound to a domain at enrolment to prevent even the most sophisticated phishing attacks.

Our research shows that passwordless, phishing-resistant authenticators — such as Okta FastPass or FIDO2 WebAuthn — lead to dramatically faster sign-ins and fewer sign-in failures. Passkeys offer promising alternatives in customer identity flows. They bring phishing-resistant, passwordless authentication to the websites and apps we use daily.
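The domain binding described above (and the phishing resistance CyberArk and HID attribute to passkeys earlier on this page) comes down to a few checks the relying party performs on a FIDO2/WebAuthn assertion. The Go program below is an added illustration written for this page; it is not code from the article, from Okta or from any of the vendors quoted. It models enrolment and sign-in in simplified form: the authenticator signs over the rpId hash and the client data, the browser (not the page) writes the calling origin into that client data, and the relying party rejects anything whose challenge, origin, rpIdHash or signature does not match. The relying party example.com, its origin https://example.com, the look-alike site https://example-login.com and the function names Sign, Verify and RunScenarios are this example's own assumptions; registration attestation, the signCount check and the browser's own rpId scoping of credentials are left out so the server-side checks can be exercised directly.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party (RP) used throughout this example.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData holds the CollectedClientData fields that matter for origin binding.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the RP from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // rpIdHash (32 bytes) || flags (1) || signCount (4)
	ClientDataJSON    []byte
	Signature         []byte // ES256 over SHA-256(AuthenticatorData || SHA-256(ClientDataJSON))
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the value ES256 signs.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign models browser plus authenticator using a passkey that was scoped to credRPID at enrolment.
// The browser, not page script, writes the calling page's origin into clientDataJSON.
func Sign(passkey *ecdsa.PrivateKey, credRPID, browserOrigin string, challenge []byte) (Assertion, error) {
	cd := clientData{Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: browserOrigin}
	cdJSON, _ := json.Marshal(cd) // two plain strings: marshalling cannot fail
	rpIDHash := sha256.Sum256([]byte(credRPID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // flags: UP set; signCount 0
	sig, err := ecdsa.SignASN1(rand.Reader, passkey, signedDigest(authData, cdJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// Verify runs the RP-side checks that give passkeys their phishing resistance: fresh challenge,
// expected origin, expected rpIdHash, and a signature that covers all of them.
func Verify(pub *ecdsa.PublicKey, expectedChallenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expectedChallenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different RP")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// RunScenarios enrols one passkey and reports the RP's verdict for three login attempts.
func RunScenarios() map[string]error {
	passkey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: RP stores only the public key
	pub := &passkey.PublicKey
	challenge := func() []byte { c := make([]byte, 32); _, _ = rand.Read(c); return c }
	out := map[string]error{}
	c1 := challenge() // 1. legitimate login from the RP's own origin
	a1, _ := Sign(passkey, rpID, rpOrigin, c1)
	out["legitimate"] = Verify(pub, c1, a1)
	c2 := challenge() // 2. hypothetical look-alike site relays the RP's genuine challenge to the victim
	a2, _ := Sign(passkey, rpID, "https://example-login.com", c2)
	out["phished"] = Verify(pub, c2, a2)
	out["replayed"] = Verify(pub, challenge(), a1) // 3. scenario 1's assertion resent against a new challenge
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

The point the second scenario makes is that a real-time phishing proxy gains nothing from forwarding the genuine challenge: the victim's browser records the look-alike origin inside the data the authenticator signs, so the relying party sees the wrong origin, and an attacker who rewrites the origin afterwards invalidates the signature instead. A production service should use a maintained WebAuthn library rather than this sketch, since the full verification procedure also covers attestation at registration, the user-verification flag and signature-counter handling.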

Jasie Fon, regional vice president for Asia, Ping Identity:

Barriers to passwordless adoption result from many systems and applications not being built to use open standards and, therefore, not supporting the standards needed for passwordless authentication. Additionally, rewiring and integrating with legacy infrastructure can lead to potential downtime, and many are not willing to risk negatively impacting the bottom line or other critical business operations.

However, any short-term impact could result in significant long-term savings, as going passwordless helps prevent and protect against costly data breaches while ensuring customers and employees enjoy secure and frictionless digital experiences.

New methods such as passkeys, biometrics, or FIDO2 standards can improve the organisation’s security posture. Given the complexities, organisations should work with partners with various solutions that can accommodate all identity types at scale for various scenarios across all stages of their passwordless journey.

The Edge Singapore
© 2024 The Edge Publishing Pte Ltd. All rights reserved.