Is the Future Passwordless?

Passwords definitely have their disadvantages, so could passwordless authentication be the answer? As Microsoft further nudges the world away from passwords, Phil Muncaster from ESET explains what your organisation should consider before going password-free.

For such a clumsy-sounding word, “passwordless” actually promises to make life a lot easier, for both users and security teams. It offers the tantalizing prospect of cutting admin costs, enhancing productivity and reducing cyber-risk. And yet, despite these eye-catching benefits, uptake in both business-to-consumer (B2C) and business-to-business (B2B) environments has not been as strong as one might have expected.

However, when the world’s biggest software company decides to back a new technology approach, it’s time to take notice. Microsoft described passwords as “inconvenient, insecure, and expensive” quite a while ago; fast forward to March of this year and the company introduced passwordless authentication for business customers. In September, Microsoft announced that it would be extending support for all users. You might say that the era of passwordless authentication is finally here.

Passwords have been around for about as long as computers. Their demise has been predicted many times. And yet they’re still here, securing everything from corporate applications to online banking, email and e-commerce accounts.

The problem is that we now have far too many of these credentials to manage and remember. One estimate suggests that 57% of US workers have scribbled corporate passwords on sticky notes. And the number is growing all the time as we expand our digital footprint. One October 2020 estimate claims that the average person has around 100 passwords, nearly 25 percent more than before the pandemic began.

From a cybersecurity perspective, the challenge with passwords is well documented. They give attackers a target that is increasingly easy to steal, guess, phish or brute-force. Once they hold valid credentials, threat actors can masquerade as legitimate users, waltzing past perimeter security defenses and staying hidden inside corporate networks for much longer than would otherwise be the case. The length of time taken to identify and contain a data breach today stands at 287 days.

Password managers and single sign-on offer some redress for these challenges, storing and recalling complex passwords for each account so users don’t have to. But they are still not universally popular among consumers. The result? We reuse easy-to-remember credentials across multiple accounts, exposing consumer and corporate accounts to credential stuffing and other brute-force techniques.

It’s not just about security risk either. Passwords require significant time and money for IT teams to manage, and may add extra friction to the customer journey. Breaches may require mass resets across large volumes of accounts, which can interfere with the user experience in B2B and B2C environments.

In this context, passwordless authentication offers a major leap forward. By using an authenticator app, biometrics such as facial recognition, a security key, or a one-time code sent via email or SMS, organisations can in one fell swoop eliminate the security and admin headaches associated with static credentials.

By adopting this approach for B2B and B2C operations alike, organisations can:

However, passwordless is not a panacea. There remain several barriers to adoption, including:

As the post-pandemic era begins in earnest, two trends will shape the future of passwordless adoption: a surge in the use of consumer online services and the emergence of the hybrid workplace. With the mobile device at the center of both, it would seem to make sense for any corporate passwordless strategy to start there.

Phil Muncaster

Passwordless authentication: Is your company ready to move beyond passwords? | WeLiveSecurity