It’s safe to say that no one is crazy about passwords. For chief information security officers, there’s the nightmare of employees leaving lists of passwords on their desks or putting them on Post-it notes on their computers. For workers, there’s the inconvenience of having to enter multiple passwords to gain access to various devices and resources.
Passwordless authentication technology is designed to address these issues, and use of these tools is on the rise. A recent survey of 200 CISOs by Wakefield Research, sponsored by security vendor Portnox, showed that a significant majority (92%) of the security leaders said their organizations had implemented or were planning to implement passwordless authentication. That’s up from 70% in 2024. CISOs cited improved employee productivity and enhanced user experience as the top benefits.
Passwordless authentication verifies user identity without the need for traditional passwords, through alternative methods such as hardware tokens, biometrics, or mobile push notifications. It offers potential benefits such as enhanced security and improved user experience.
Training services provider Universal Technical Institute has begun using a passwordless platform from Microsoft, “and as we expand adoption, the benefits show up quickly, with fewer password resets, fewer service desk tickets, and a faster start to the day,” said Adrienne DeTray, senior vice president and CIO at the company.
“The bigger impact is cultural,” DeTray said. “It shows that we’re serious about making technology feel lighter and more human again. Over the years, we’ve added so many systems and logins that the weight of technology has become part of the work. This is one of those steps that helps remove that administrative drag and makes the ecosystem feel more seamless and connected.”
It’s not just about security, DeTray said, but user experience as well. “Every password reset or lockout slows people down and chips away at their focus,” she said. “Passwordless takes that friction out of the day and gives people time back. It’s part of designing a connected ecosystem where security and usability work hand in hand.”
MFA losing status as ‘gold standard’ cybersecurity
R Systems International, a provider of digital product engineering services, is in the midst of a phased migration to a passwordless environment, said CTO Srikara Rao. “For us, this isn’t about chasing a trend, it’s a direct response to the fact that our previous gold standard, multi-factor authentication, is showing its age,” Rao said. “The threat landscape has evolved past what traditional MFA can handle.”
R Systems’ decision to make the move is driven by both security and business enablement factors. “Credential-based attacks remain the top threat vector, with a significant rise in phishing attempts and several near-miss incidents underscoring the urgency to act,” Rao said. “We want to promote solutions within our organization that are phishing resistant.”
On the operational side, password resets have become quite expensive, Rao said. Resets can be costly due to direct labor expenses and significant indirect costs such as lost employee productivity and IT resource drain. Research firm Forrester estimates that a single password reset can cost $70, and this can add up quickly for large enterprises.
In addition, it’s critical that the company adhere to compliance requirements such as PCI 4.0, which mandates that users reauthenticate everything they restart or access. “Passwordless authentication will make it seamless,” Rao said. “And finally, as we compete for top tech and cybersecurity talent, being a passwordless enterprise signals that we’re a forward-thinking, security-first organization.”
Bring-your-own-device policies are a factor
Health-care services provider Diversus Health is also moving to passwordless authentication, using the technology in the form of certificate-based network access control.
“Due to recently adopting a bring-your-own-device policy, our internal annual HIPAA compliance audit detected lack of network access control as one of our high-risk threats,” said Neil Ford, IT security administrator. “So, we began looking into solutions that could be used to mitigate the threat.”
Diversus Health earlier this year deployed a system from Portnox that uses certificate-based authentication to verify the identity of devices. “We deploy the certificate through a cloud-based endpoint management solution, so verification with Portnox is transparent to staff,” Ford said.
The solution has effectively mitigated the threat of unknown devices connecting to the company’s network and being able to access internal resources, Ford said.
One of the keys to a successful adoption of passwordless authentication is to effectively communicate the security change with staffers. “Employees are overcoming decades of password muscle memory and addressing legitimate user anxiety about ‘what if I lose my device?’ is critical,” Rao said. “We learned quickly that we had to sell the ‘why’ to our employees.”
Enterprises need to frame passwordless authentication not as another security mandate, but as a direct benefit to employees through less frustration, faster logins, and the elimination of password resets, Rao said. Before making the shift, R Systems ran small, interactive training sessions to get people comfortable with access tools such as fingerprint identification on their phones.
“I cannot stress enough the importance of organizations providing user education,” Rao. “It’s a significant difference between a successful deployment and a shelfware investment.”
R Systems passwordless strategy isn’t tied to a single vendor, but built on FIDO2 and WebAuthn open standards, “giving us flexibility to choose the right tool for each risk profile,” Rao said. “Privileged users such as administrators, developers, and executives use FIDO2 hardware security keys, while the broader workforce relies on passkeys integrated with device biometrics like Windows Hello and Face ID.”
The company is still evaluating the results of the transition to passwordless authentication and working to ensure that it works best for everyone.
“We’ve seen our employee experience improve dramatically, with faster logins and a significant reduction in password-related help desk tickets,” Rao said. “Most importantly, passwordless authentication has become a cornerstone of our zero-trust architecture, giving us a stronger, high-assurance identity layer that enables secure access regardless of user or device location.”
https://www.cnbc.com/2025/11/23/passwords-corporate-cybersecurity-employee-authentication.html
