Companies are shifting workers to passwordless authentication
It’s safe to say that no one is crazy about passwords. It’s a nightmare for information security chiefs that employees leave lists of passwords on their desks or put them on Post-it notes on their computers. For employees, there is the inconvenience of having to enter multiple passwords to access various devices and resources.
Passwordless authentication technology was designed to solve these problems, and the use of these tools is increasing. A. Latest survey of 200 CISOs Research by Wakefield Research, sponsored by security provider Portnox, found that a significant majority (92%) of security leaders say their organization has implemented or plans to implement passwordless authentication. This is an increase from 70% in 2024. CISOs cited increased employee productivity and improved user experience as top benefits.
Passwordless authentication verifies user identity without the need for traditional passwords through alternative methods such as hardware tokens, biometrics, or mobile push notifications. It offers potential benefits such as enhanced security and improved user experience.
Education services provider Universal Technical Institute has begun using a password-free platform from Microsoft, “and as we expand adoption, the benefits are quickly emerging with fewer password resets, fewer service desk tickets, and a faster start to the day,” said Adrienne DeTray, the company’s senior vice president and CIO.
“The biggest impact is cultural,” DeTray said. “This shows that we’re serious about making technology feel lighter and more human again. We’ve added so many systems and logins over the years that the weight of technology has become part of the business. This is one of the steps that helps remove the administrative hurdle and makes the ecosystem feel more seamless and connected.”
DeTray said it’s not just about security, it’s also about user experience. “Every password reset or lockout slows people down and reduces their focus,” he said. “Passwordless takes all the hassle out of the day and gives people time back. It’s part of designing a connected ecosystem where security and usability work hand in hand.”
MFA loses ‘gold standard’ cybersecurity status
Digital product engineering services provider R Systems International is in the midst of a phased transition to a password-free environment, CTO Srikara Rao said. “For us, this isn’t about following a trend; it’s a direct response to the fact that our previous gold standard, multi-factor authentication, is showing its age,” Rao said. “The threat landscape has evolved beyond what traditional MFA can handle.”
R Systems’ decision to make this move is driven by both security and business enablement factors. “Credential-based attacks remain the largest threat vector, with a significant increase in phishing attempts and several near misses, underscoring the urgency to take action,” Rao said. he said. “We want to promote phishing-proof solutions within our organization.”
Rao said that from an operational perspective, password resetting has become quite expensive. Resets can be costly due to direct labor expenses and significant indirect costs such as lost employee productivity and IT resource consumption. Research firm Forrester estimates that a single password reset can cost $70, and that can add up quickly for large companies.
It’s also critical that the company comply with compliance requirements such as PCI 4.0, which requires re-authentication of anything users reboot or access. “Passwordless authentication will make the process hassle-free,” Rao said. “And finally, as we compete for the best technology and cybersecurity talent, being a password-free organization signals that we are a forward-thinking, security-first organization.”
Bring your own device policies are a factor
Healthcare provider Diversus Health is also moving to passwordless authentication using technology in the form of certificate-based network access control.
“Due to our recent adoption of a bring-your-own-device policy, our annual internal HIPAA compliance audit identified a lack of network access control as one of our high-risk threats,” said IT security manager Neil Ford. “So we started looking for solutions that could be used to reduce the threat.”
Earlier this year, Diversus Health deployed a system from Portnox that uses certificate-based authentication to authenticate devices. “We distribute the certificate through a cloud-based endpoint management solution, so verification with Portnox is transparent to staff,” Ford said.
Ford said the solution effectively reduces the threat of unknown devices connecting to the company’s network and accessing internal resources.
One of the keys to successful adoption of passwordless authentication is effectively communicating the security change to staff. “Employees are tackling decades of password memory and users are wondering ‘what if I lose my device?’ addresses legitimate concerns about critical,” Rao said. “We quickly learned that we needed to sell the ‘Why’ to our employees.”
Companies should frame passwordless authentication not as another security necessity, but as a direct benefit to employees through less frustration, faster logins and the elimination of password resets, Rao said. Before making the switch, R Systems held small, interactive training sessions to get people used to access tools like fingerprint recognition on their phones.
“I cannot emphasize enough the importance of organizations that provide user training,” Rao said. “There is a significant difference between a successful deployment and an investment in shelfware.”
Rao said R Systems’ passwordless strategy is not tied to a single vendor but is built on the FIDO2 and WebAuthn open standards and “gives us the flexibility to choose the right tool for each risk profile.” “Privileged users such as administrators, developers, and administrators use FIDO2 hardware security keys, while the broader workforce relies on passkeys integrated with device biometrics such as Windows Hello and Face ID.”
The company is still evaluating the implications of moving to passwordless authentication and working to make it work best for everyone.
“We have seen our employee experience improve significantly, with faster logins and a significant reduction in password-related help desk notifications,” Rao said. “Most importantly, passwordless authentication has become the cornerstone of our zero trust architecture, providing us with a stronger, highly secure identity layer that provides secure access regardless of user or device location.”
