Everyone gets that passwords, hate them or hate them, are a necessary security evil for so many business applications. With automatic password hacking machines out there and employed by hackers, advice from Google about the dangers of relying on passwords, and even password manager vendors having to warn users not to reveal their master passwords as attackers strike, there has to be something better. The good news is that there is: passwordless technology of the type that Microsoft is encouraging a billion users to adopt. Yet, despite all of this, organizations seem apathetic when it comes to adopting this more secure authentication technology. One security expert has warned that for those businesses that have seen the light, deployed passwordless and declared victory, there’s bad news in store.
Blind Faith In Passwordless Is As Dangerous As Passwordless Apathy
The newly published 2026 ID IQ Report from RSA, amongst other things, asked in excess of 2,000 global security experts just how often they had been failed when it came to identity security in the broadest sense. The results do not make for comforting reading, whether you are a security professional, business or customer. 69% of organizations reported a breach due to inadequate identity security capabilities. A majority of businesses indicated they were still using outdated solutions, relying on passwords for authentication. However, 90% reported that their efforts to transition to passwordless technology were stalling because challenges in removing passwords persisted.
This is bad news for everyone concerned, as anything that hinders passwordless adoption at scale results in a less secure environment for all. But how can this apathy be overcome, at least in terms of deployment hurdles facing organizations? I spoke to the RSA CEO, Greg Nelson, who said that business needs to “prioritize end-to-end coverage, meaning they need passwordless options that can seamlessly integrate across their entire IT estate, from cloud applications to on-premises systems, with the goal of eliminating passwords from every workflow, not just a select few.” That Nelson is suggesting passwordless needs to go everywhere that the business does is no surprise; it’s the ultimate authentication security goal, after all. That said, incremental progress shouldn’t be overlooked. While inefficiency remains with “point solutions” covering individual users or use cases, they are way better than doing nothing at all.
But Nelson also confessed that a big bang rollout is unlikely to succeed, recommending “a phased implementation strategy, starting with high-risk user groups or critical applications. See what works, what doesn’t work, and adjust for the next batch of users.”
Which brings me to the main point of this article: blind faith in passwordless is as dangerous as no faith at all. “Organizations can’t just deploy passwordless, declare victory, and walk away,” Nelson warned, adding that “passwordless must be a part of a full-spectrum identity security framework that includes secure enrollment, robust credential recovery processes (especially for help desk interactions), and continuous identity governance.” In other words, organizations need to secure the entire credential lifecycle rather than just putting a big technology bolt on the front door. “Think of passwordless as a foundational pillar that elevates your entire security posture,” Nelson concluded.
As Anna Pobletts, head of passwordless at 1Password, said, “since we’ve used passwords for decades, they’re just too ingrained in our culture to go away overnight, a broader public understanding and comfortability with passkeys will be critical for mass passkey adoption.” The same goes for organizations…