Point/Counterpoint: Are We Moving to a Passwordless Future?

Written by

Andrew Shikiar Executive Director, FIDO Alliance

Yes: Andrew Shikiar

You might think you’ve heard it all before, right? A passwordless age is the cyber utopia we all yearn for but promises of totally wiping out passwords feels far-fetched and far off. After all, how do you go about unpicking a thread so tightly woven into your daily life?

Eradicating passwords will take time, but recent industry news and progress are showing we can confidently say the future is passwordless – and getting nearer.

Passwords Are (Nearly) Over! But Why Now?

We all know the pandemic accelerated digital transformation across all sectors, bringing many more services online. Consumers have more passwords, spend more time online and are doing more sensitive activities like banking digitally than ever before – so it’s unsurprising that cyber-criminals are moving online to the easiest and most lucrative point of attack.

In a gloomy economic climate, the vulnerabilities created by passwords are hitting small businesses hard too. According to Verizon, 81% of company data breaches are caused by poor passwords. Cloud service providers that are underpinning popular apps and online services are also under heavy attack, demonstrating the importance of mitigating the vulnerabilities of passwords. I’d like to share a recent example from two cloud service providers recently targeted by the same phishing attack.

In early August, several employees at Twilio received text messages from a fake IT department, directing them to a fraudulent website that required a password change. The unfortunate result was a successful takeover of some employee credentials, which enabled the hackers to gain access to internal Twilio systems – including some customer data. Dozens of employees at Cloudflare received pretty much the same messages, but the attack was thwarted as Cloudflare had issued employees FIDO security keys that are tied to users and implement origin binding.

These attacks are only growing in frequency. Using unshareable credentials like security keys and biometrics is the only way businesses and consumers can protect themselves from themselves when it comes to cybersecurity.

Passwords simply don’t fit in the future (or present) of security.

How the Change is Happening

In the case of businesses, the integration of strong authentication security keys and biometrics – as illustrated by the Cloudflare example – is undoubtedly the way forward for them to quickly bolster systems with more robust, passwordless authentication. The technology exists, and it’s easier and more important to implement than ever.

The tipping point for consumers may be the introduction of passkeys. Apple, Google and Microsoft recently publicly committed to support this FIDO-based approach to make password-free sign-ins a reality and to make the web a safer space for all. It leverages the same action we use to unlock our devices every day – like using a PIN, fingerprint or facial recognition – only now, this action will help us sign into websites and apps, without having to remember a password or deal with SMS codes (both of which are also phishable).

By making FIDO’s phishing-resistant security readily available to consumers across all major browsers and operating systems, and removing the need to re-enroll for every account or device, it couldn’t be easier for consumers to make the switch. Crucially, as users don’t need to enter a password to enroll new devices anymore or for account recovery, service providers can now actually make moves to safely start taking passwords out of the equation entirely.

Meanwhile…

The backing of big tech is a sign of things to come and a strong start, but ultimately the demise of passwords will only be accelerated by service providers making passkeys available to use with their services. The good news is that we won’t have long to wait as there are plenty of major providers working to go live with support for passkeys very soon, which in turn should accelerate broader cross-industry utilization.

Rather than idly waiting for passwordless to happen, there are a few things we can all be doing in the meantime. For starters, let’s share our ‘path towards passwordless’ experiences – good and bad. Twilio’s post-attack response and incident report should be commended, as should Cloudflare’s. The idea of ‘security by obscurity’ needs to die – not telling anyone you’ve suffered a breach or been attacked doesn’t make you any more secure. Security by community will be key to our collective success.

The community element also sits at the heart of the passwordless technology making this happen too. While Apple, Google and Microsoft made a major splash with their joint announcement on passkeys, they are just three of the hundreds of organizations involved in the FIDO Alliance who bring perspectives spanning borders and industries, and whose use cases are also being addressed by FIDO’s specifications and implementation guidelines.

While it will take some time, a future that is not dependent on passwords is drawing near, thanks to a combination of lessons learned, sheer industry will and new approaches that will make passwordless authentication easier for consumers to use at scale.

Lawrence Perret-Hall, Director, CYFOR Secure

No: Lawrence Perret-Hall

Passwords are a crucial pillar of cybersecurity and will continue to be valuable for years to come – but only if strict policies are in place and adhered to.

Fortunately, many organizations recognize the value of a strong password. Identity and access management, i.e., restricted admin rights, password policies and two-factor authentication, is considered one of the 10 key components of cybersecurity by the UK’s National Cyber Security Centre (NCSC). According to the Cyber Security Breaches Survey 2022, published by the UK government, 87% of businesses and 77% of charities are undertaking action in identity and access management – making it the most actioned area of cybersecurity for UK organizations.

Password policies do not have to be complex, but they should be reinforced often and well understood across an organization. Some examples of important policies include:

  • Never reuse the same password: A unique password for every account/device is critical for ensuring that hackers cannot compromise a whole network through one breached data point. While it may seem hard to keep up with a variety of different credentials, password managers are a safe and secure way to create and store strong passwords.

  • Make use of passphrases rather than words: Much longer than the traditional password, a passphrase is a sentence-style string of text that is far more difficult to crack. They are also typically easier to remember than a combination of numbers and symbols!

  • Refresh passwords every six weeks: Each organization relies on a different time period before refreshing passwords, but around six weeks to 90 days is an appropriate length of time before a user should be prompted to change their logins. It means that if credentials have been stolen, this data is only accurate for a short amount of time.

  • Use multi-factor authentication: MFA is perfect for adding another layer of security to a corporate VPN by using PINs, devices or biometric/voice technology as a way to authenticate logins. Yet while this extra layer is becoming essential for users accessing areas like online banking, it is not impossible for hackers to bypass.

  • Regularly train staff on cyber hygiene and best practices: Cybersecurity awareness training helps to keep password security front of mind for all staff within an organization, especially while working remotely. If teams do not understand why password best practice matters, it is unlikely they will embrace the appropriate policies.

  • Mandate password protection on ALL devices: Particularly for any company encouraging bring your own device (BYOD) strategies, it’s critical to mandate the installation of password-protection applications on personal devices. By providing an additional security control in the event of a human failure, it reduces the likelihood of a threat actor pivoting from a personal device into the corporate network and penetrating critical IT infrastructure.

  • Recognize that passwords only go so far: While the password is a critical element of cybersecurity, it is not the be-all and end-all of strong enterprise security. Organizations big and small must recognize the value of components like a suite of relevant back-ups, incident response playbooks and regular dark web monitoring to avoid falling victim to a potentially devastating cyber-attack.

Conclusion

For years, passwords have been a reliable solution for protecting assets and devices. Their value is well understood across industry, and they act as a crucial reminder of the importance of data privacy and security every time a user accesses their accounts. While solutions like biometric technology are gaining traction in this space, the password shouldn’t go anywhere just yet. New technologies may well still be hackable and simply open an organization up to more tech stack complexities and new vulnerabilities. If all of these listed policies are adhered to, with password hygiene front of mind for the whole workforce, an organization would be remiss to move away from passwords any time soon.