Thinking about going passwordless? Here’s what to consider first. 

In 2004, Bill Gates made a bold prediction that passwords would soon be dead. Almost twenty years later, the password is pretty much as prevalent as ever. If you’re here, it’s a question that’s probably crossed your mind too: why do we have to persist with passwords? They’re expensive and time-consuming for IT teams to reset, end users still struggle with them, and they’re a constant source of security breaches.  

It’s certainly not for a lack of trying. At the 2022 Worldwide Developers Conference, Apple announced that the iOS 16 and macOS Venture operating systems will have passwordless logins. Microsoft have also recently gone “passwordless by default” as of May 2025, with new Microsoft accounts no longer requiring passwords and instead relying on passkeys, push notifications, or security keys as standard. They report nearly 1 million new passkeys registered daily, with an impressive 98% success rate for passkey logins versus just 32% for passwords.

However, ‘going passwordless’ isn’t as simple as it sounds. It’s a journey which could start with adding MFA to all password scenarios, then adding single-sign on (SSO) to reduce the amount of passwords. For some organizations, that could be enough – others will want to take further steps. 

First, we need to think about what passwords are good for when used properly. They’re a simple access security measure, to make sure the right people access the right things – operating systems, websites, and locally installed applications. And they’re something every employee understands. So when getting rid of (or greatly reducing) them, organizations have to weigh up the costs, usability, and limitations of the replacement authentication technology available. 

How does passwordless authentication work? 

‘Passwordless’ can describe a couple of different scenarios. For example, when an end user uses their fingerprint, facial, or iris recognition, they haven’t technically entered a password. However, there’s still a credential exchange and a secret being stored on the server side. The biometric authentication is gating the stored secret and if it fails, like Windows Hello did after an upgrade in October 2022, a password is used as a fallback.  

An alternate scenario is authenticating without exchanging any passwords with the platform the user is authenticating to. For example, when a user authenticates via biometrics to a FIDO2 device, it cryptographically authenticates them to the service using keypairs. During the FIDO2 authentication process, a public/private key pair are generated when a user registers with a service. No passwords are stored or exchanged, so even if there was a server-side breach, there are no passwords to steal.  

The private key is stored in a hardware-based vault on the device, while the public key is shared with the service. When a user wants to log in, the service sends a cryptographic challenge. The user authenticates themselves by either PIN or biometrics, but this information is never shared across the network – the private FIDO2 key remains on the user’s device. 

Both definitions of passwordless are valid, but it’s important for an organization to be clear about what they’re aiming for. 

Why are businesses considering going passwordless?

Every business is different, so decision makers need to consider what exactly it is they hope to gain from ditching passwords. For most organizations, it’s likely to be one of the three following reasons – often a combination of all. 

1. Reduce password attacks

Password attacks are the biggest issue when it comes to passwords. The 2025 Verizon DBIR estimates that 88% of data breaches involve stolen credentials. People are the problem, as end-users create weak, easy-to-guess passwords that are susceptible to dictionary and brute force attacks. If people reuse their strong work passwords across personal sites and devices, the risk multiplies. Specops research shows 30% of end users use the same password across all of their accounts. Many more just use slight variations.  

A famous password attack is the Colonial Pipeline hack, where a ransomware attack affected consumers and businesses along the entire East Coast. Attackers got into the network through an exposed password for a VPN account, after it was believed an employee had used the same password for the VPN in another location. This gave the hackers their initial entry point to deploy ransomware onto the network. 

However, it’s not fair to solely blame end users for password attacks. They often have too many passwords to remember and too little support from their organizations with weak password policies. Some enforce higher standards, but even strong passwords are susceptible to password reuse and external threats such as phishing.

Alternative solutions to defend against password attacks

While the types of password attacks are constantly evolving, the best defense is a layered approach that strengthens your authentication at multiple levels.

A strong password policy is the first line of defense. Tools like Specops Password Policy enforce complexity requirements and block the use of compromised passwords in real time using its Breached Password Protection feature. This means that even existing passwords in Active Directory are continuously evaluated against known attack lists.

But password policy alone isn’t enough. Adding multi-factor authentication (MFA) significantly reduces the risk that a stolen or guessed password will lead to a successful breach. Specops Secure Access brings MFA to critical access points like Windows logon, RDP and VPN, making sure users prove their identity beyond just a password.

By combining password hygiene with secure authentication methods, organizations can dramatically reduce the attack surface without requiring an immediate move to full passwordless authentication.

2. Save time and money for IT teams

Password resets are a time burden on IT teams who would rather focus on other issues. Forrester estimate they also cost about $70 per password reset – which can add up to a serious time and money sink in a large business. Some organizations see losing passwords as a way to use IT teams’ time and resources more effectively.  

Alternative solutions to save time

There are other low friction options available that could reduce this burden. For example, software such as Specops uReset allows users to reset their own passwords in a simple and secure way. They can authenticate themselves through third-party services like Duo Security, Google Authenticator, Microsoft Authenticator, Okta, PingID, Symantec VIP, and Yubikey – taking the strain of resets away from the IT team. 

The addition of a tool like Specops uReset means end users can securely change their own passwords, directly integrating with other authentication services. This can greatly reduce calls and tickets to the helpdesk, saving on costs and IT time.

3. End user experience and productivity

Many of the security issues stem from the fact that end users don’t like passwords. Poor end user UX is also a driver of time-wasting calls to the service desk. People don’t like thinking of passwords, remembering them, and having to create unique ones at set intervals.

In a large enterprise, time spent resetting passwords and contacting IT support can add up to a lot of lost working hours over the years. Some organizations are considering going passwordless to offer a better end user experience for their employees and boost their productivity.  

Alternative solutions to improve UX

Of course, another option is to make the tools and process you already in place have more user friendly. Integrating a third party tool such as Specops Password Policy into your Active Directory can help guide users during password changes instead of the standard and frustrating ‘your password doesn’t meet length or complexity standards’ message. End users get a better experience thanks to dynamic feedback at the password change screen that guides them towards creating a strong password.

Is passwordless authentication safe? 

Most organizations are already familiar with multi-factor authentication (MFA). It adds an invaluable layer of security to the password by including anything from retina scans, face scans, fingerprint scans, push notifications, authenticator apps, magic links, SMS notifications, QR codes, pattern unlocks, USB security keys, Bluetooth security keys, and phone-based security keys.  

So why not choose two or more factors from that list and cut passwords out entirely? Passwords create risk (or more accurately, poor password policies create risk). But the truth is, there’s no hack-proof authentication system – and passwordless authentication isn’t safe by default just because it removes the password.

Biometric limitations 

Biometrics are what most people think of when we talk about replacing passwords, although they’re more commonly used in combination with passwords as part of MFA rather than instead of them. Of course, the ubiquity of smartphones is the main reason biometrics have increased in popularity. Better sensors and improvements to face, voice, and fingerprint recognition (on PCs and tablets too) have made it a viable option.  

However, biometrics do have some limitations. Despite improved technology, there’s plenty of evidence of the wrong person’s faces and fingerprints unlocking a device. They also open up privacy concerns if an organization is considering rolling out biometric authentication. Your face and fingerprint are unique – but how are those biometric traits recorded, stored, and accessed? Some people might not like handing over even more personal data to companies like Apple, Google, and Microsoft. 

Another issue with biometrics is if they do become compromised, they can’t be reset. We’re not talking about gory action movie scenes here – but biometrics can be spoofed. And if they were to become compromised or fail, what would we fall back to? The password. 

Social engineering

Although passwords are more vulnerable to rudimentary attacks such as dictionary and brute force techniques, the truth is no authentication factors are invulnerable to hackers. Biometrics can be spoofed, SMS notifications are vulnerable to prompt bombing, and hardware tokens can be stolen.  

Phishing is the most common way to steal passwords, but passwordless solutions can be phished too. Hackers can send users an email or text link that trick them into visiting a man-in-the-middle website, which can capture everything even after logging in with a passwordless authentication token. 

FIDO2-based authentication tools are the best we have, but even they aren’t infallible. An email account on the device could be compromised, the device itself could be physically stolen, and no passwords means no fallback if another authentication method is compromised.  

Is passwordless authentication more cost effective? 

Over a long period, it’s possible removing passwords could reduce costs. Especially in organizations that had weak policies and were experiencing many breaches and a steady stream of helpdesk calls and resets. But going passwordless isn’t a new idea, so why haven’t more businesses taken the plunge? The simple answer is it isn’t financially feasible in the short term for many organizations – yet. 

Authentication tools aren’t always going to be compatible with an organization’s operating system or devices. Think about the various directories, applications, and services within your organization that require passwords. It would probably take some time to list them all. Now consider updating or revising every single one to accommodate a transition to passwordless authentication.  

It could also be costly for some organizations to get the myriad devices used to access their network aligned with biometrics or FIDO2-compliant tokens. Older devices or industry-specific hardware might not be compatible with the latest passwordless tech. Perhaps one day everything will have caught up – but right now, plenty of businesses would not have the hardware and software in place for a full transition to passwordless.  

FIDO2 devices can be more expensive too, so some organizations might decide the juice simply isn’t worth the squeeze, when passwords (used correctly) can do a ‘good enough’ job. 

Does passwordless offer a better user experience? 

Passwordless doesn’t always guarantee a better end user experience. Biometrics are fast on their own, but waiting for a SMS and entering codes takes longer than typing in a password. Some end users might see changing from passwords, which they’ve used their whole lives, as a pain and try to circumvent. They might not be comfortable sharing biometric details with their company, which opens up extra privacy issues regarding storage and deletion. Workplaces will have to go through some user education and teething problems.  

Certain industries may find the passwordless transition harder than others. In somewhere like a warehouse where frontline workers use shared credentials or shared devices, passwords may be more appropriate. In a hospital, speed is of the essence and a biometric login could help.

Although, what happens when passwordless tech glitches out, loses vital online access, or needs backing up in a critical situation? The humble password will need to come to the rescue. 

Four questions to ask before going passwordless 

Before committing to a passwordless journey, here are four important questions to consider. The answers will shape your strategy – and might make you rethink whether going passwordless is the right thing for your business at this moment in time: 

Reduce password pain with Specops  

Security, UX, and cost-saving are the main drivers of passwordless adoption. However, you might be surprised how easy it is to reduce these headaches with simple existing third-party tools that integrate with your Active Directory. Passwords aren’t inherently a problem – weak passwords are.

Not sure about passwordless but ready to make sure the passwords you do have are more secure? Contact us today to see how we can help.