[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyrprc274m2pVoJjWjvZvfJxI1Q4wbmjJHVogNKymN_o":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"9915f408-cadc-4ee8-ada5-8b1b515528a9","Experts Warn: Passwords Still Winning Despite Passwordless Push","experts-warn-passwords-still-winning-despite-passwordless-push-779a20","Today marks International Passwordless Day, an annual observance held on 23 June, the birthday of mathematician Alan Turing, whose foundational work in computing underpins the cryptographic principles that enable modern passwordless authentication. Created to raise awareness and accelerate the shift away from traditional passwords, the day arrives at a moment of genuine but uneven progress. […] The post Experts Warn: Passwords Still Winning Despite Passwordless Push appeared first on IT Security Guru.","Despite International Passwordless Day and the availability of more secure alternatives like passkeys, traditional passwords remain the primary authentication method globally. Experts highlight significant challenges including legacy infrastructure, the cost of re-engineering, user friction for less tech-savvy individuals, and inconsistent enterprise application support, leading to continued exploitation by threat actors.","Experts warn passwords remain dominant despite passwordless push, citing legacy systems and user friction.","Today marks International Passwordless Day, an annual observance held on 23 June, the birthday of mathematician Alan Turing, whose foundational work in computing underpins the cryptographic principles that enable modern passwordless authentication. Created to raise awareness and accelerate the shift away from traditional passwords, the day arrives at a moment of genuine but uneven progress. 
The tools to replace passwords exist. The standards are settled. Yet credentials remain the single most exploited attack surface in cybersecurity. Since the start of 2025, over 16 billion passwords have been compromised globally, more than there are people on the planet. According to Verizon’s Data Breach Investigations Report, credential abuse now accounts for 22% of all breaches, making it the most common initial attack vector ahead of phishing and software exploits. Brute force attacks have nearly tripled in the past year, rising from 20% to 60% of all basic web application attacks. Despite this, passwords remain the dominant authentication mechanism across the vast majority of enterprise and consumer environments. Security experts are calling on organisations to move from awareness to action, and to be honest about why the transition has taken so long.
The Gap Between Ambition and Reality
Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, argues that the industry needs to confront the gap between its ambitions and the current reality plainly, rather than masking it with optimistic messaging. “International Passwordless Day is a worthwhile moment to take stock, not to celebrate a problem solved, but to be honest about where we actually are. The technology case for passwordless authentication is compelling and well established. Passkeys are genuinely more secure than passwords. Phishing-resistant MFA eliminates the social engineering vectors that criminal groups like ShinyHunters and Scattered Spider have been exploiting at scale. The direction of travel is right. The pace of adoption, however, tells a more complicated story. The uncomfortable reality is that passwords remain the dominant authentication mechanism across the vast majority of enterprise and consumer environments in 2026. Despite years of industry consensus that passwords are fundamentally broken, the credential theft ecosystem has never been larger. 
This doesn’t reflect a technology that’s being phased out. It reflects one that remains deeply entrenched and is being exploited on an industrial scale. The gap between where the industry wants to be and where most organisations actually are is significant, and it’s worth calling this out rather than brushing it over with optimistic messaging about the passwordless future. There are three honest reasons why adoption is slower than it should be. First, legacy infrastructure. Most large organisations carry decades of applications, systems, and integrations that were built around password-based authentication and cannot support modern passwordless standards without significant re-engineering. The technical debt is real, and the remediation cost is substantial. Second, user friction cuts both ways. Passkeys genuinely improve the experience for technically comfortable users. For large, diverse workforces with varying levels of digital literacy, the transition requires meaningful change management investment that many organisations underestimate. Third, inconsistency across platforms. Consumer-facing passkey support has improved significantly, but enterprise application coverage remains patchy. If there’s one message that security leaders should take from today, it’s this – the organisations still debating whether to adopt phishing-resistant authentication are running out of time to make it a considered choice rather than an emergency response. Phishing-resistant alternatives exist, they work, and the cost of not deploying them is being measured in breaches. The passwordless vision is the right destination. What International Passwordless Day should honestly confront is that the journey there requires more than awareness; it requires organisations to make difficult, expensive infrastructure decisions that many have been deferring. 
The threat landscape is no longer patient enough to wait for a comfortable migration timeline.”
Passwordless Shifts Risk, Not Eliminates It
For organisations deploying passwordless solutions, the work does not end at rollout. Jamie Beckland, Chief Product Officer at APIContext, warns that removing passwords introduces new dependencies across the authentication chain that must be actively monitored, saying, “Passkeys and phishing-resistant authentication remove one of the weakest links in security, the reusable password — but they also introduce new dependencies across identity providers, device platforms, browsers, APIs and recovery workflows. The risk shifts to ensuring the whole authentication journey works reliably, everywhere, every time. That matters because authentication is no longer just a login screen. It is part of the service delivery chain. If a passkey flow fails, if an identity API slows down, or if a fallback mechanism is poorly monitored, the business impact can look like an outage, an abandoned transaction, or a locked-out customer. The organisations that succeed with passwordless will be the ones that treat it as both a security upgrade and an operational resilience challenge. It is not enough to deploy passkeys and assume the job is done. Companies need continuous monitoring across the full authentication workflow — from user interaction to API response to third-party identity service, so they can detect failures before customers or attackers expose them.”
Biometrics Face a Privacy Backlash
Not all alternatives to passwords are gaining equal traction. Paul Bischoff, Consumer Privacy Advocate at Comparitech, points to a growing public scepticism around biometric authentication that could shape the direction of adoption. “Passwords are slowly being phased out, and one of the more popular alternatives is fingerprints. However, I think we’re starting to see public opinion change on biometric authentication. 
Real concerns about surveillance and data privacy are driving people away from sharing their fingerprints and other biometric markers with big tech companies. Unlike a password, we can’t easily change our faces or fingerprints. Passkeys, however, will continue to grow in popularity.”
The Case for Fewer Passwords, Not Stronger Ones
Patricia Egger, Head of Security at Proton, sets out the historical context for why the password model has failed and makes the case for a structural shift rather than further incremental measures. “Privacy and security are intimately linked, and nowhere is that more apparent than in how we manage our credentials. Passwords were conceived in an era when users had only a handful of accounts to protect, password-cracking tools were not widely available, and phishing attacks were largely manual rather than automated. In that environment, asking users to create memorable passwords was a reasonable and effective way to secure access to their accounts. Over time, however, our use of online accounts as well as the threat landscape has changed dramatically, while the underlying password model has remained largely the same. To compensate for this change, we have continually added new requirements and safeguards: complexity rules, minimum length requirements, passphrases, and multifactor authentication. These measures can be viewed as band-aids that attempt to address the fundamental insecurity that arises from relying on humans to create, remember, and manage strong passwords. Even when people believe their passwords are strong, they often are not. Password reuse remains common, as do slight variations of the same password across multiple accounts. Furthermore, even users who develop a system for remembering several ‘strong’ passwords may be vulnerable. 
If two or three ","https:\u002F\u002Fwww.itsecurityguru.org\u002F2026\u002F06\u002F23\u002Fexperts-warn-passwords-still-winning-despite-passwordless-push\u002F?utm_source=rss&utm_medium=rss&utm_campaign=experts-warn-passwords-still-winning-despite-passwordless-push","https:\u002F\u002Fwww.itsecurityguru.org\u002Fwp-content\u002Fuploads\u002F2016\u002F12\u002Fpassword-1.jpg","2026-06-23T14:08:07+00:00","2026-06-24T16:00:15.26512+00:00",7,[18,21],{"name":19,"type":20},"passkeys","product",{"name":22,"type":23},"Huntress","vendor","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":24,"icon":26,"name":27,"slug":28},null,"Identity & Access","identity-access",[30,32,37],{"category":31},{"id":24,"icon":26,"name":27,"slug":28},{"category":33},{"id":34,"icon":26,"name":35,"slug":36},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":38},{"id":39,"icon":26,"name":40,"slug":41},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]