IT Security Guru
Experts Warn: Passwords Still Winning Despite Passwordless Push

by Guru Writer
June 23, 2026
in Featured

Today marks International Passwordless Day, an annual observance held on 23 June, the birthday of mathematician Alan Turing, whose foundational work in computing and cryptanalysis underpins the discipline that now makes passwordless authentication possible. Created to raise awareness and accelerate the shift away from traditional passwords, the day arrives at a moment of genuine but uneven progress. The tools to replace passwords exist. The standards (FIDO2 and WebAuthn) are settled. Yet credentials remain the single most exploited attack surface in cybersecurity.

Since the start of 2025, over 16 billion credential records have been exposed globally, more than there are people on the planet, although a large share of that total is duplicates and infostealer logs aggregated from earlier breaches rather than distinct, newly stolen passwords. According to Verizon's Data Breach Investigations Report, credential abuse now accounts for 22% of all breaches, making it the most common initial access vector, ahead of phishing and exploitation of software vulnerabilities. Brute force attacks have nearly tripled in the past year, rising from 20% to 60% of all basic web application attacks.

Despite this, passwords remain the dominant authentication mechanism across the vast majority of enterprise and consumer environments. Security experts are calling on organisations to move from awareness to action, and to be honest about why the transition has taken so long.

The Gap Between Ambition and Reality

Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, argues that the industry needs to confront the gap between its ambitions and the current reality plainly, rather than masking it with optimistic messaging.

“International Passwordless Day is a worthwhile moment to take stock, not to celebrate a problem solved, but to be honest about where we actually are. The technology case for passwordless authentication is compelling and well established. Passkeys are genuinely more secure than passwords. Phishing-resistant MFA eliminates the social engineering vectors that criminal groups like ShinyHunters and Scattered Spider have been exploiting at scale. The direction of travel is right. The pace of adoption, however, tells a more complicated story.

The uncomfortable reality is that passwords remain the dominant authentication mechanism across the vast majority of enterprise and consumer environments in 2026. Despite years of industry consensus that passwords are fundamentally broken, the credential theft ecosystem has never been larger. This doesn’t reflect a technology that’s being phased out. It reflects one that remains deeply entrenched and is being exploited on an industrial scale. The gap between where the industry wants to be and where most organisations actually are is significant, and it’s worth calling this out rather than brushing it over with optimistic messaging about the passwordless future.

There are three honest reasons why adoption is slower than it should be. First, legacy infrastructure. Most large organisations carry decades of applications, systems, and integrations that were built around password-based authentication and cannot support modern passwordless standards without significant re-engineering. The technical debt is real, and the remediation cost is substantial. Second, user friction cuts both ways. Passkeys genuinely improve the experience for technically comfortable users. For large, diverse workforces with varying levels of digital literacy, the transition requires meaningful change management investment that many organisations underestimate. Third, inconsistency across platforms. Consumer-facing passkey support has improved significantly, but enterprise application coverage remains patchy.

If there’s one message that security leaders should take from today, it’s this – the organisations still debating whether to adopt phishing-resistant authentication are running out of time to make it a considered choice rather than an emergency response. Phishing-resistant alternatives exist, they work, and the cost of not deploying them is being measured in breaches. The passwordless vision is the right destination. What International Passwordless Day should honestly confront is that the journey there requires more than awareness; it requires organisations to make difficult, expensive infrastructure decisions that many have been deferring. The threat landscape is no longer patient enough to wait for a comfortable migration timeline.”

Passwordless Shifts Risk, Not Eliminates It

For organisations deploying passwordless solutions, the work does not end at rollout. Jamie Beckland, Chief Product Officer at APIContext, warns that removing passwords introduces new dependencies across the authentication chain that must be actively monitored, saying, “Passkeys and phishing-resistant authentication remove one of the weakest links in security, the reusable password — but they also introduce new dependencies across identity providers, device platforms, browsers, APIs and recovery workflows. The risk shifts to ensuring the whole authentication journey works reliably, everywhere, every time. That matters because authentication is no longer just a login screen. It is part of the service delivery chain. If a passkey flow fails, if an identity API slows down, or if a fallback mechanism is poorly monitored, the business impact can look like an outage, an abandoned transaction, or a locked-out customer.

The organisations that succeed with passwordless will be the ones that treat it as both a security upgrade and an operational resilience challenge. It is not enough to deploy passkeys and assume the job is done. Companies need continuous monitoring across the full authentication workflow — from user interaction to API response to third-party identity service, so they can detect failures before customers or attackers expose them.”

Biometrics Face a Privacy Backlash

Not all alternatives to passwords are gaining equal traction. Paul Bischoff, Consumer Privacy Advocate at Comparitech, points to a growing public scepticism around biometric authentication that could shape the direction of adoption. “Passwords are slowly being phased out, and one of the more popular alternatives is fingerprints. However, I think we’re starting to see public opinion change on biometric authentication. Real concerns about surveillance and data privacy are driving people away from sharing their fingerprints and other biometric markers with big tech companies. Unlike a password, we can’t easily change our faces or fingerprints. Passkeys, however, will continue to grow in popularity.”

The Case for Fewer Passwords, Not Stronger Ones

Patricia Egger, Head of Security at Proton, sets out the historical context for why the password model has failed and makes the case for a structural shift rather than further incremental measures. “Privacy and security are intimately linked, and nowhere is that more apparent than in how we manage our credentials.

Passwords were conceived in an era when users had only a handful of accounts to protect, password-cracking tools were not widely available, and phishing attacks were largely manual rather than automated. In that environment, asking users to create memorable passwords was a reasonable and effective way to secure access to their accounts.

Over time, however, our use of online accounts as well as the threat landscape has changed dramatically, while the underlying password model has remained largely the same. To compensate for this change, we have continually added new requirements and safeguards: complexity rules, minimum length requirements, passphrases, and multifactor authentication. These measures can be viewed as band-aids that attempt to address the fundamental insecurity that arises from relying on humans to create, remember, and manage strong passwords.

Even when people believe their passwords are strong, they often are not. Password reuse remains common, as do slight variations of the same password across multiple accounts. Furthermore, even users who develop a system for remembering several ‘strong’ passwords may be vulnerable. If two or three of those passwords are exposed in data breaches — a relatively common occurrence — an attacker may be able to identify the underlying pattern or method used to generate them. Once that method is understood, additional accounts protected by the same approach can become vulnerable as well.

This is why the long-term answer is not stronger passwords, but fewer passwords. Passwordless authentication, through technologies such as passkeys, addresses the problem at its source by removing the shared secrets that attackers target and users struggle to manage. While passwords will remain part of the security landscape for some time, organisations should be moving toward a future where authentication is built on cryptographic proof rather than human memory.

Passwordless authentication is a major step forward, but it is not a silver bullet. Organisations must pair it with other relevant controls to achieve defence in depth. Often, this includes secure devices, robust monitoring, employee awareness training, and strong security hygiene across their environment. Reducing reliance on passwords removes a key attack vector, but lasting resilience comes from treating identity, devices, and people as equally important parts of the security strategy.”

Passwordless Adoption Requires Governance Across Both Old and New Models

Darren Guccione, CEO and Co-Founder of Keeper Security, argues that passwordless authentication cannot be viewed in isolation from the credential systems it is gradually replacing. “Passwordless Day exists because the industry recognises something most security teams already know: the password as a primary authentication mechanism is structurally inadequate. It is not a question of length or complexity. It is that credentials of any kind, once created, can be stolen, phished or replayed.

Keeper’s 2026 global research tells the same story. A third of IT and security leaders globally identify password reuse as the most common problematic behaviour they observe among employees, and only 30% of organisations have fully adopted passkeys across their environments. Despite widespread awareness of the problem, 37% of security teams still find enforcing strong credential practices to access their workforce extremely challenging.

Progress is happening, but the application is uneven. Just 35% of organisations have implemented phishing-resistant multifactor authentication, including FIDO2 and passkeys, in the past 18 months. Thirty-six percent cite technical integration complexity, and 29% cite the need to support hybrid environments, as the primary barriers to modernising authentication. These are not excuses, but the operational conditions under which many organisations are trying to move forward.

The practical reality points to the adoption of a hybrid model. Passkeys and passwords will coexist for years to come, demanding governance across both. Strong credentials must be stored and managed in a zero-knowledge environment. Access must be enforced with least-privileged controls. Organisations that fail to govern both will remain exposed to the same credential-based attacks that Passwordless Day was created to address.”

Reducing the Burden on Users

Javvad Malik, Lead CISO advisor at KnowBe4, says the shift to passwordless authentication is as much about improving the human experience of security as it is about improving technical controls. “Passwordless is not just a technical upgrade, it’s an evolution which recognises that passwords have their limitations and cannot scale at the rate that is needed. But perhaps more importantly, it acknowledges that for too long, we have asked too much of people. Passwords put an unreasonable burden of security on the head of the users. We expect them to choose unique and strong passwords, maintain discipline, and forego convenience.

Passkeys and other phishing-resistant methods help shift some of that burden back to the technology, reducing friction while improving protection. The real opportunity is not simply to remove passwords, but to create security experiences people can use confidently without needing to become security experts.”

Managing Trust Through Cryptography

Kawin Boonyapredee, CISO advisor at KnowBe4, argues that passwordless adoption has become a business continuity issue as attackers increasingly monetise stolen credentials at speed. “Today on International Passwordless Day, the message to enterprise leadership is clear: passwords are a liability organizations can no longer afford. With 94% of passwords reused and the average breach cost involving compromised credentials hitting $4.44 million, relying on static secrets is unsustainable against AI-driven phishing attacks. The rise of Cybercrime-as-a-Service means stolen credentials are instantly monetized, making the transition to phishing-resistant authentication a business continuity necessity rather than just a security upgrade.

The industry standard has shifted toward FIDO2 passkeys, which use public-key cryptography to ensure no shared secret ever leaves the user’s device, effectively neutralizing phishing attempts. Organizations have increasingly adopted Multi-Factor Authentication (MFA), but this still leaves them vulnerable to push bombing and SIM swapping. To close this gap, CISOs must adopt a hybrid authentication model: deploying synced passkeys for general workforce productivity to ensure ease of use, while mandating device-bound passkeys, such as hardware keys, for high-privilege accounts to meet rigorous assurance levels.

Ultimately, operational success requires treating identity as a continuous process by establishing clear protocols for recovery and revocation without creating helpdesk bottlenecks. Organizations must eliminate legacy password fallbacks such as keeping traditional passwords active as a ‘backup’; this removes the security benefits of passkeys and expands the attack surface. Hence, by removing these legacy paths, enterprises can significantly reduce help desk costs and demonstrate proactive due diligence, moving from merely managing passwords to managing trust through cryptography.”

From Awareness to Action

The consensus across security experts is clear: the technology to replace passwords is available, mature, and effective. Passkeys achieve a 93% login success rate compared to 63% for traditional authentication, and organisations that have deployed them at scale have reported dramatic reductions in phishing incidents and support overhead.

What International Passwordless Day represents, then, is less a celebration of progress and more a prompt to confront the structural, organisational, and political barriers that continue to slow adoption. Legacy infrastructure, user change management, inconsistent platform support, and a tendency to defer difficult decisions in favour of incremental improvement – these are the challenges that the industry must address if the passwordless future is to become a reality for more than a minority of organisations.

The threat landscape, as Patel notes, is no longer patient enough to wait.
