It’s safe to say that no one is obsessed with passwords. A chief information security officer’s nightmare is when employees leave lists of passwords on their desks or on post-it notes on their computers. Employees have the inconvenience of having to enter multiple passwords to access various devices and resources.
Passwordless authentication technologies are designed to address these issues, and the use of these tools is increasing. A recent survey of 200 CISOs by Wakefield Research, sponsored by security vendor Portnox, showed that the majority of security leaders (92%) said their organizations have implemented or plan to implement passwordless authentication. This is up from 70% in 2024. CISOs cite improved employee productivity and a better user experience as the top benefits.
Passwordless authentication verifies user identity without the need for traditional passwords through alternative methods such as hardware tokens, biometrics, and mobile push notifications. This offers potential benefits such as increased security and improved user experience.
Universal Technical Institute, a training services provider, has started using Microsoft’s passwordless platform. “As we scale deployments, we see immediate benefits, including fewer password resets, fewer service desk tickets, and faster starts to the day,” said Adrienne DeTray, senior vice president and CIO at the company.
“The bigger impact is cultural,” DeTray said. “This shows that we’re serious about making technology feel lighter and more human. Over the years, we’ve added so many systems and logins that the weight of technology has become part of the job. This is one of the steps that will help remove administrative friction and make the ecosystem feel more seamless and connected.”
According to DeTray, it’s not just about security, but user experience as well. “Password resets and lockouts slow people down and make them lose focus,” she says. “Passwordless removes that friction from the day and gives people back time. It’s part of the design of a connected ecosystem where security and ease of use work together.”
MFA loses its status as the “gold standard” for cybersecurity
R Systems International, a provider of digital product engineering services, is in the midst of a gradual transition to a password-free environment, says CTO Srikara Rao. “For us, this is not about following a trend, but rather a direct response to the fact that multi-factor authentication, which has been the gold standard, is showing its age,” Rao said. “The threat landscape has evolved beyond what traditional MFA can handle.”
R Systems’ decision to make this move was driven by both security and business enablement factors. “Credential-based attacks remain the number one threat vector, with phishing attempts increasing significantly and several near-miss incidents demonstrating the urgency of action,” Rao said. “We want to promote phishing-resistant solutions within our organization.”
On the operational side, Rao said resetting passwords has become very expensive. Resetting can be costly as it incurs direct labor costs and significant indirect costs such as lost employee productivity and IT resource depletion. Research firm Forrester estimates that a single password reset can cost $70, which can quickly add up for large enterprises.
Additionally, it’s important for businesses to adhere to compliance requirements such as PCI 4.0, which requires users to reboot or re-authenticate everything they access. “Passwordless authentication makes it seamless,” Rao said. “And finally, as we compete for top technology and cybersecurity talent, being a password-free company shows that we are a forward-thinking, security-first organization.”
Bring your own device policy is a factor
Healthcare service provider Diversus Health is also using technology in the form of certificate-based network access control and moving to passwordless authentication.
“Due to our recently implemented bring your own device policy, our annual HIPAA compliance internal audit identified lack of network access controls as one of our high-risk threats,” said IT Security Administrator Neil Ford. “So we started looking at solutions that could be used to mitigate the threat.”
Earlier this year, Diversus Health introduced Portnox’s system, which uses certificate-based authentication to verify a device’s identity. “We deploy certificates through a cloud-based endpoint management solution, so Portnox validation is transparent to our staff,” said Ford.
Ford said the solution effectively mitigated the threat of unknown devices connecting to the company’s network and gaining access to internal resources.
One of the keys to successfully implementing passwordless authentication is effectively communicating security changes to your staff. “Employees are overcoming decades of password memorization and addressing legitimate user concerns: ‘What if I lose my device?’ It’s important,” Rao said. “We quickly learned that we needed to sell the ‘why’ to our employees.”
Companies need to frame passwordless authentication not as a new security obligation, but as something that directly benefits employees by reducing frustration, speeding up logins, and eliminating password resets, Rao said. Prior to the migration, R Systems conducted small interactive training sessions to help people become familiar with access tools such as fingerprint recognition on their phones.
“The importance of organizations providing user education cannot be overstated,” says Rao. “This is the difference between a successful implementation and investing in shelfware.”
R Systems’ passwordless strategy is not tied to a single vendor and is built on open standards of FIDO2 and WebAuthn, “giving us the flexibility to choose the right tools for each risk profile,” Rao said. “Privileged users such as administrators, developers, and executives use FIDO2 hardware security keys, while the broader workforce relies on passkeys integrated with device biometrics like Windows Hello and Face ID.”
The company is still evaluating the results of the transition to passwordless authentication and working to ensure it works best for everyone.
“Our employee experience has dramatically improved with faster logins and a significant reduction in password-related help desk tickets,” said Rao. “Most importantly, passwordless authentication is the foundation of our Zero Trust architecture, providing a stronger, more assured identity layer that enables secure access regardless of user or device location.”
