For years, passwords were the only thing that mattered for securing our online presence, but the discussion around authentication is evolving rapidly. Passkeys, biometrics, device trust, and adaptive identity management solutions are often cited as the key to the next level of security, while attackers are focusing on directly targeting our identity infrastructure. Session hijacking, multi-factor fatigue attacks, token thefts, and social engineering attacks have shown that enhanced authentication doesn’t mean enhanced security; it just shifts the risks elsewhere.
In addition, companies need to find ways to make the authentication process easier for users without weakening the system’s security. It isn’t simply about verifying that a password is valid; it’s about establishing trust in the identity, device, session, and behaviours associated with each login attempt. To explore whether passwords will become obsolete and understand the current state of digital identity security, we reached out to a few cybersecurity experts to hear their thoughts.
From primary authentication controls to essential fallback mechanisms
Ross Moore, an Information Security Researcher, says passwords are moving from primary authentication controls to essential fallback mechanisms for recovery and legacy system integration. “While password alternatives (e.g., passkeys) eliminate some weaknesses of shared secrets, passwords remain necessary because many companies don’t have the infrastructure for a complete, immediate migration. And passwords are a fallback for passwordless recovery, such as when someone loses their hard token or can’t access their mobile device.”
For example, Moore says major tech companies support passwordless passkeys, but they still rely on password-based recovery flows when users lose their primary devices.
Multiplying at an exponential rate
On passwordless authentication, Moore says we’re not shifting but multiplying at an exponential rate. “NHIs (non-human identities) outnumber human IDs by 50:1. These are IDs such as service accounts, API keys, and AI agents. These have to be controlled by some other method than passwords and 2FA. If orgs can’t keep track of their HIs, they won’t be able to manage and maintain their NHIs, including handling investigations when problems arise from zombie and shadow NHIs.”
High-risk NHIs can benefit from passwordless to avoid forgotten passwords and MFA fatigue, he continues. “It can certainly make life easier for those involved in the day-to-day management of the identities, and that will have great benefits in and of itself. But merely eliminating one attack surface while adding another doesn’t make it stronger. It increases the value of stolen session tokens and compromised devices as new high-priority targets.”
He says passwordless authentication strengthens security by neutralizing credential theft but also shifts the attack surface to device integrity and identity provider trust. That attack surface could also include the Availability part of the CIA triad, as a sort of passive attack surface, such as when someone loses their device. “Security improves if organisations harden the identities to protect the trust models that replace passwords.”
Pretty much every security aspect involves defence-in-depth
When it comes to human behaviour vs technical weaknesses, Moore says pretty much every security aspect involves defence-in-depth. “Removing passwords would actually decrease the obstacles necessary for attackers to hurdle. Strong passwords for people are a good idea, backed with MFA. For prevalent attacks like infostealers, they can decrypt passwords in the browser while on the victim’s machine, but those can be stopped by proper EDR. Something like the Storm infostealer can snag and decrypt encrypted credentials on their own infra, but that, while advanced, could be detected by monitoring for and alerting to exfiltration of items such as credential database and token cache.”
People and process gaps have become the primary bypass vector
Moore adds that attackers increasingly exploit alert, or even decision, fatigue and poor user experience design to manipulate users into approving access rather than attempting to break encryption algorithms. It’s much easier. “However, the surge in identity-based attacks reveals that people and process gaps have become the primary bypass vector as technical cryptographic controls improve. While technology does wonders, there’s very little to stop a person from insisting on installing what they think is a valid program or opening a Word document that contains a hidden payload. There’s always a price attached – for a company to best ensure that a) nothing malicious gets installed and b) the right people get alerted when something bad does get installed, that’s a lot of money. The least expensive path forward for everyone is for people to know what to look for and avoid it, and the best thought process for a company is to weigh the costs: occasional malware theft of files, or invest in better organisational security measures.”
Moore says the 2023 MGM Resorts breach resulted from social engineering (vishing) the IT help desk, proving that human verification failures can compromise systems even when authentication protocols are technically sound. “An important factor in investigations is not automatically blaming the individual who was the ingress point for the breach: where was the layered defence? Were all other systems working well? Were training and good reporting channels in place? It’s too easy to read the news and blame the individual instead of a potentially broken system.”
Different levels of trust
So, how do we maintain digital identity trust without making systems either too restrictive or too vulnerable? Moore says there are different levels of trust – someone getting into their personal email isn’t as risky as someone getting into their bank account. Context awareness is important.
“The digital equivalent of credit cards would be one way to move forward. They are useful, overall reliable, and fairly easy (though inconvenient) to replace when compromised. Even in this, it’s often banks who are the first to be alerted to suspicious activity, freeze the card, alert the unsuspecting victim, and get the card on the way in no time. The customer is first. Having this kind of fully functioning process (always alert, dynamic technical actions, having customer service ready to respond whenever needed), in place is another way to maintain trust while keeping the right friction. Has the provider gone through every possible scenario they could to consider how to implement the authn/authz process properly?”
Another facet is interoperability, he adds. “What systems take what form of digital ID? Will all of those providers work together to provide a unified solution? Or will consumers be forced to have all kinds of tokens and devices for their workplace, office suites, emails, healthcare portals, volunteer work, online platforms, social media, etc.? There needs to be some integrated solution for digital identity trust to become more seamless. And like so many other technologies, consumers should brace themselves that it will not be actually seamless, only ‘more seamless.’ Much like the paperless idea, it doesn’t mean ‘no paper’, only ‘less paper’.”
Trust authentication needs something adaptive and risk-based, adjusting security friction as needed based on real-time context and behaviour, Moore says. “Friction should be enough to provide brakes to keep us from running off the road, but not so much that it keeps us from accelerating.”
Passwords aren’t actually the issue
Javvad Malik, Lead CISO advisor at KnowBe4, says: “I think there is a lot of unnecessary debate around passwords because I don’t think they are actually the issue. It’s more about the implementation and the lack of planning. We ended up in this situation where everyone has to remember hundreds of different passwords and then to compensate even large organisations end up with spreadsheets called ‘passwords FINAL 2026 v4.xlsx’.”
Moving towards passwordless is a great idea, Malik adds. “Passkeys, biometrics, trusted devices, are all an improvement on passwords, but like anything in security we cannot eliminate the risk; the risk just shrinks and in most cases it actually relocates elsewhere. For instance, KnowBe4’s Phishing Threats trend Report Volume 7 illustrates how adversary-in-the-middle has seen a +139% rise and bypasses MFA entirely.”
This is why he thinks we need to not look at passwords in isolation, but rather look at them in the whole context of authentication, both from a technical aspect and from a user experience one.
A little bit of friction is necessary
“Seamless authentication is good; anything we can do to improve the user experience, make it smoother, and make security less visible to them as a blocker is generally a good thing. But there are times where a little bit of friction is absolutely necessary, because we want people to slow down, pause, and think about what actions they’re taking. Even though passwords may be dying, and maybe in a few years we won’t see many passwords at all, especially at the organisational level, that doesn’t mean identity attacks will disappear,” Malik ends.
A 1960s technology asked to defend a 2026 world
Anastasios Arampatzis, Account Manager, at Bora, says the password is a 1960s technology asked to defend a 2026 world. “MIT’s CTSS introduced it for time-sharing terminals, which, honestly, was a clever solution to a quaint problem. Sixty years on, we are still patching that idea with complexity rules, rotation policies, and managers, while attackers walk past all of it. In the age of agentic AI, continuing to lean on passwords is less a security choice than an act of institutional nostalgia.”
He believes passwordless authentication is a genuine step forward, but implementation matters more than the marketing suggests. “Synced passkeys are excellent for everyday consumer use where the risk profile is modest. For businesses, privileged accounts, and high-value individuals, device-bound credentials and hardware keys remain non-negotiable.”
Not the disappearance of the attack surface but its migration
Arampatzis says what we are really witnessing is not the disappearance of the attack surface but its migration. “Adversaries are no longer trying to crack credentials, since they are cryptographically protected. Instead, they are hijacking session tokens that already carry valid credentials. The lock got stronger; the keyring is now the target.”
Sessions are where this shift is most acute, he adds. “A stolen token does not need to defeat MFA, impersonate a face, or guess a passkey. It simply rides on trust that has already been granted, often for hours or days after the authentication event. Token binding, short-lived sessions, continuous device posture checks, and behavioural signals must now do the work that authentication alone once carried. Identity without session integrity is a verified introduction followed by an unverified conversation.”
Exploiting trust, attention, and habit
This brings us to the human layer, where the real bypass lives, he continues. “Identity-based attacks, such as MFA fatigue, session hijacking, and consent phishing, succeed because they exploit trust, attention, and habit rather than cryptography. Stronger authentication has pushed attackers further upstream, into the moments where people decide to approve, click, or comply. Continuous verification is no longer a maturity goal. It is the baseline.”
Seamlessness and trust will always exist in tension, Arampatzis says. “Friction is not the enemy of good security; misplaced friction is. Military bases do not apologize for layered checks at the gate, and neither should the systems guarding our most critical digital assets. The calculus is straightforward: friction must be proportional to the asset’s value and the consequences of its compromise. A consumer logging into a streaming service and a treasurer authorizing a wire transfer should not face the same gate, because the blast radius of a breach is different. Calibrate friction to impact, and identity stops being a single door. It becomes the architecture of trust itself.”
Passwords were never the problem
Chloe Messdaghi, Founder & Principal Advisor at Thornbridge Advisory, adds: “Let’s be honest: passwords were never the problem. The problem is that we built entire security architectures on the assumption that humans would behave like machines, remembering 16-character strings, never reusing them, rotating them quarterly. That was always a fantasy.”
She asks if passwords are obsolete. “Not entirely, but they’re on life support. The real question is whether what’s replacing them is actually stronger, or just differently fragile. Passwordless authentication is genuinely promising, but let’s not confuse ‘more seamless’ with ‘more secure.’ When we move trust to devices and identity signals, we haven’t eliminated the attack surface. We’ve just relocated it. Attackers adapt fast. They already have.”
The human layer is consistently the most exploitable one
Messdaghi says the rise of session hijacking and MFA fatigue attacks tells us something important: the human layer is consistently the most exploitable one, not because people are careless, but because security systems are still designed around edge cases rather than real human behaviour. “When an MFA prompt fires 40 times, and someone finally taps ‘approve’ just to make it stop, that’s a design failure.
“What concerns me most is the false sense of safety that comes with frictionless authentication. Seamless can quietly become complacent. The less visible security is, the less people think about it — and that’s exactly when systems become vulnerable.”
Trust in digital identity has to be earned continuously, she adds, not granted once at login. “That means adaptive, context-aware systems that monitor behaviour over time, not just at the gate. It also means investing in security awareness that meets people where they are, not treating them as liabilities to be managed, but as stakeholders in their own protection.
“We can build better systems. But only if we stop designing for the ideal user and start designing for the real one.”
A legacy fallback mechanism
Dimitris Georgiou, CSO at Alphabit Cybersecurity SA, says passwords are not yet entirely obsolete, but they have transitioned from a primary security perimeter to a legacy fallback mechanism. “The enterprise shift toward FIDO2/WebAuthn standards demonstrates that cryptographic, phishing-resistant authentication is vastly superior to shared secrets. However, total elimination remains challenging due to legacy infrastructure, non-federated services, and disaster recovery scenarios in which users lose access to all trusted devices.”
Rather than viewing passwords as a necessary security layer, he says we should treat them as an inherited vulnerability. “Realistically, they will remain with us until our password managers, currently hoarding vast collections of username/password combinations, gradually begin to empty! Until then, modern identity systems must aim to remove passwords from the daily user workflow, treating any reliance on them as a risk acceptance that requires compensating controls such as strict device posture enforcement and continuous behavioural monitoring.”
Attackers behave like water when under pressure
Speaking of passwordless authentication and what it means, Georgiou says we are seeing both a genuine elevation in baseline security and a fundamental shift in the attack surface. “Moving away from passwords eliminates credential stuffing, brute-force attacks, and traditional phishing, and this is an objective win in removing a large class of human-centric vulnerabilities.”
Attackers, he explains, behave like water under pressure; they do not attack the strongest point, they find the smallest crack. “As trust shifts to the device, via TPMs and hardware enclaves, and the Identity Provider (IdP), so does the attack surface, toward device enrolment workflows, endpoint compromise, IdP misconfigurations, and the underlying registration protocols. If an attacker compromises the endpoint or manipulates the identity onboarding process, they inherit the device’s trusted status. Passwordless systems do not eliminate risk; they concentrate it in areas that demand deeper architectural scrutiny rather than user vigilance.”
Exploiting the path of least resistance
Talking of the rise in identity-based attacks, Georgiou believes this trend shows that attackers exploit the path of least resistance. “As technical perimeters harden, human behaviour and session management become primary vectors. MFA fatigue attacks exploit cognitive overload and user compliance, turning a technical control into a psychological vulnerability. Similarly, adversary-in-the-middle (AiTM) phishing bypasses standard MFA by exploiting users’ inability to distinguish between legitimate and proxied authentication flows.
“At the same time, session hijacking exposes a significant technical weakness, the static nature of authentication tokens. Traditionally, once authentication is completed, session cookies are treated as trusted until expiration, effectively assuming that trust, once granted, remains valid. The rise of infostealer malware that extracts these tokens from browser memory highlights how optimistic that assumption has become, and why point-in-time authentication must evolve toward continuous validation.”
Shifting to continuous, adaptive trust
When it comes to maintaining digital identity trust without making systems either too restrictive or too vulnerable, Georgiou says the solution lies in shifting from static, point-in-time authentication to Continuous Adaptive Trust within a Zero Trust Architecture (ZTA). Frictionless user experiences must be balanced by rigorous, largely invisible validation in the background.
To maintain trust without degrading usability or increasing risk, organisations should implement three core strategies:
- Contextual and behavioural signals: Continuously evaluate telemetry such as device health, network reputation, typing cadence, and geovelocity. Introduce friction only when something meaningfully deviates from the norm.
- Token binding and cryptographic isolation: Bind session tokens to the device’s cryptographic identity, for example a hardware enclave, rendering stolen cookies ineffective outside their original context.
- Step-up authentication for high-value actions: Keep routine access seamless, but require strong verification, for example biometrics or hardware keys, when it truly matters, such as configuration changes or access to critical data.
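The following is an added example, written for this page and not code from any of the contributors or their organisations, showing in one place the three strategies above together with the session-integrity controls Arampatzis describes (token binding, short-lived sessions, posture checks). It simulates an identity provider that only honours a session token when it arrives with a fresh proof from the enrolled device, scores constructed contextual signals (device health, network reputation, geovelocity) to decide between allow, step-up and deny, and forces re-verification for high-value actions. All names, thresholds and the sample coordinates are assumptions; the device key is a symmetric HMAC key for simplicity, where a real deployment would bind to an asymmetric key held in a TPM or secure enclave (as WebAuthn and DPoP do) so the server never holds the device’s private key.

```python
import hashlib
import hmac
import json
import math
import secrets

# ---- 1. Device-bound session tokens ---------------------------------------
# Assumption (simplification, not a real enclave): the per-device key is a
# symmetric HMAC key registered at enrolment and shared with the IdP. A real
# deployment would bind to an asymmetric key held in a TPM / Secure Enclave
# (WebAuthn, DPoP) so the server never holds the device's private key.
SERVER_KEY = secrets.token_bytes(32)   # signs session tokens
DEVICE_KEYS = {}                       # device_id -> enrolled device key
SEEN_NONCES = set()                    # replay protection for request proofs
EARTH_RADIUS_KM = 6371.0

def enrol_device(device_id):
    """Enrolment: the IdP records the key it will later demand proof of."""
    key = secrets.token_bytes(32)
    DEVICE_KEYS[device_id] = key
    return key

def issue_token(user, device_id, ttl_seconds, now):
    """Short-lived token, signed by the server and pinned to one device."""
    claims = {"sub": user, "dev": device_id, "exp": int(now) + ttl_seconds,
              "sid": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def device_proof(device_key, token, method, path, nonce):
    """Client side: prove possession of the enrolled key for this request."""
    msg = "\n".join([token, method, path, nonce]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify_request(token, method, path, nonce, proof, now):
    """Server side: a token is only honoured alongside a fresh device proof."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad token signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "token expired"
    device_key = DEVICE_KEYS.get(claims["dev"])
    if device_key is None:
        return False, "unknown device"
    if nonce in SEEN_NONCES:
        return False, "replayed request"
    if not hmac.compare_digest(proof, device_proof(device_key, token, method, path, nonce)):
        return False, "device proof invalid: token used outside its bound device"
    SEEN_NONCES.add(nonce)
    return True, claims["sub"]

# ---- 2. Contextual / behavioural risk signals -----------------------------
def geovelocity_kmh(prev, cur):
    """Speed implied by two (lat, lon, unix_time) observations (haversine)."""
    (lat1, lon1, t1), (lat2, lon2, t2) = prev, cur
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    km = 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))
    hours = max(t2 - t1, 1) / 3600.0
    return km / hours

def assess_risk(ctx):
    """Score constructed signals; friction is added only on real deviation."""
    score = 0
    if not ctx["device_healthy"]:
        score += 40                      # posture check failed (e.g. EDR off)
    if ctx["network_reputation"] == "bad":
        score += 40                      # known-bad ASN / anonymiser
    if ctx.get("prev_location") and geovelocity_kmh(ctx["prev_location"], ctx["location"]) > 1000:
        score += 50                      # impossible travel since last session
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"

# ---- 3. Step-up for high-value actions ------------------------------------
ACTION_TIER = {"GET /inbox": 0, "POST /wire-transfer": 2, "PUT /admin/config": 2}
STRONG_AUTH_MAX_AGE = 300   # seconds a hardware-key / biometric assertion stays fresh

def authorize_action(risk_decision, action, last_strong_auth, now):
    """Routine access rides the session; critical actions need fresh strong auth."""
    if risk_decision == "deny":
        return "deny"
    tier = ACTION_TIER.get(action, 1)
    if risk_decision == "step_up" or (tier >= 2 and now - last_strong_auth > STRONG_AUTH_MAX_AGE):
        return "step_up"
    return "allow"

if __name__ == "__main__":
    now = 1_700_000_000
    key = enrol_device("laptop-1")
    tok = issue_token("alice", "laptop-1", 900, now)
    legit = verify_request(tok, "GET", "/inbox", "n1", device_proof(key, tok, "GET", "/inbox", "n1"), now)
    stolen = verify_request(tok, "GET", "/inbox", "n2", device_proof(b"attacker-key", tok, "GET", "/inbox", "n2"), now)
    print("legitimate:", legit, "| stolen token:", stolen)
```

The point the code makes is that the stolen cookie in Georgiou’s infostealer scenario is worthless on its own: the attacker who replays the captured request hits the nonce check, and one who crafts a fresh request cannot produce a valid device proof without the enrolled key. Routine reads ride the session, while a wire transfer demands a strong-auth assertion newer than STRONG_AUTH_MAX_AGE regardless of how healthy the session looks.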
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.