World Password Day 2026, Part 2: How Are Passkeys And Security Shaping Industries?

Yesterday marked World Password Day, although many cybersecurity specialists now believe passwords are nearing the end of their run. Passkeys, fingerprint logins and facial recognition are becoming common in different industries: banking, shopping, workplace software and public services.

The UK’s National Cyber Security Centre now recommends using passkeys wherever they are available. The agency said passkeys are more secure because they cannot be intercepted, reused or stolen in the same way as passwords. The NCSC also said passkey logins are up to eight times faster than signing in with a username, password and two-step verification code.

Marcus Lauren, Chief Product Officer at NEXT Biometrics, said, “World Password Day this year comes against a backdrop of rising geopolitical tension and an increasingly hostile cyber threat landscape. While ransomware and criminal activity remain persistent risks, the most serious and sophisticated attacks are now often linked, directly or indirectly, to nation states.”

Lauren also said, “The UK’s cyber agency has already signalled a shift. The National Cyber Security Centre (NCSC), an arm of GCHQ, has warned that passwords are too vulnerable to modern day attacks, no matter how complex and consequently forgettable they are. They said they are ‘overhauling decades of practice’ by advising the public to stop relying on them for protection.”

Naomi Grossman, compliance manager at VinciWorks, said, “I don’t believe in World Password Day because I think passwords are the real problem in cybersecurity. It’s amazing to me that decades after the rise of the internet, we’re still relying on a system that shifts risk onto users and then blames them when it fails.”

Why Are Passkeys Appearing Across So Many Industries?

Passkeys are becoming common because passwords continue to create security and operational problems. Staff forget them, recycle them across accounts or choose passwords that attackers can easily guess.

The NCSC said passkeys are stored safely on trusted devices and protected through fingerprint scans, facial recognition or PIN verification. The agency also said passkeys reduce the effectiveness of phishing attacks carried out by cyber criminals and nation state groups.

Lauren said businesses now face constant pressure from password management. He said, “For businesses, password dependency is now both a security risk and an operational burden. It remains one of the most common entry points for attackers, while also driving inefficiencies through resets, lockouts and user friction.”

NEXT Biometrics also referred to research showing that around 42% of people who had been hacked used passwords containing letters and numbers with personal meaning, making those passwords easier to guess.

Grossman said, “Any organisation that still depends solely on passwords isn’t secure; it’s just been lucky so far. A truly secure future is one without passwords. Anything less is a compliance and risk management failure waiting to happen.”

What Happens After Passwords Disappear?

Businesses are now dealing with another issue as AI systems gain access to workplace software and company data.

Ravi Soin, CIO and CISO at Smartsheet, said, “Every year, World Password Day arrives with the same advice. This year, the conversation needs to shift to the identity challenges that come with AI reshaping how work gets done.”

Soin also said, “Passwordless authentication like multi-factor authentication, biometrics and passkeys are rapidly becoming the norm, and for good reason: they’re stronger, faster and harder to compromise. This progress is real and worth celebrating.”

He added, “Every day, employees access dozens of apps to do their jobs. Behind them, a growing number of non-human ‘workers’ like automations and AI agents are operating across your environment, often carrying elevated privileges with far less scrutiny than a human login would receive. Even as AI takes on more of the workload, accountability still sits with people.”

Soin said organisations must now monitor every identity inside their systems. He said, “The organisations that get this right will ensure every identity in their environment – human or not – is governed, traceable and held to the same standard. That’s what modern identity security actually demands.”

Our Experts:

  • Rishi Kaushal, CIO, Entrust
  • Tim Chase, Field CISO & Principal Technical Evangelist, Orca Security
  • John Cannava, CIO, Ping Identity
  • Ashish Jain, CTO, OneSpan
  • David Lee, Field CTO, Saviynt
  • Chris Gunner, vCISO, Thrive
  • Danny de Vreeze, VP of Identity and Access Management, Thales
  • Luis Corrons, Security Evangelist, Norton

Rishi Kaushal, CIO, Entrust

“Compromised credentials remain the most common attack vector in data breaches, yet according to recent research, 74% of U.S. banking customers continue to rely on passwords as their primary login method. As fraudsters increasingly target authentication flows and account takeover attacks surge, verification strategies must evolve. Security cannot be compromised for convenience when money, accounts, and personal data are on the line.

“The key is to use authentication methods that consumers already trust, like biometrics, to reduce resistance, support adoption, and help create secure experiences that feel familiar rather than disruptive. In practice, biometric authentication should act as a ‘trust anchor,’ not only verifying identity, but also confirming that the individual attempting to access or transact is the same person who originally opened the account.

“This continuity of identity is critical for confirming that legitimate account holders, not bad actors, are initiating sensitive actions and is essential as AI-powered fraud techniques become more accessible and harder to detect.”

Tim Chase, Field CISO & Principal Technical Evangelist, Orca Security

“Passwords used to be the backbone of security, but they are starting to show their age. They were not built for a world where identities include not just people, but also apps, services, and now AI agents acting on their own. That shift makes identity the real control point. It is no longer enough to protect a login.

“You need to know who or what is accessing your environment, what they are allowed to do, and whether that behavior actually makes sense. Passwords can still play a role, but only as part of a bigger picture. Strong authentication, least privilege access, and continuous monitoring are what actually keep things in check. As AI becomes more embedded in day-to-day operations, the focus has to move from just securing credentials to managing and understanding every identity in the system.”

John Cannava, CIO, Ping Identity

“As AI continues to evolve and cyberattacks become increasingly sophisticated, much of our digital security still hinges on a single weak point: the password. It’s telling that 39% of people say AI-powered phishing is the threat they fear most, yet less than a quarter feel highly confident in spotting what’s real versus a scam. This gap highlights a growing vulnerability and a critical opportunity to rethink how we secure identities.

“Authentication must evolve to meet today’s threat landscape. Passwordless solutions are rapidly replacing traditional passwords with stronger, more user-centric methods like biometrics, authenticator apps, and digital certificates. These approaches significantly reduce the risk of phishing and credential theft while improving the user experience.

“World Password Day shouldn’t just be about updating passwords. It should spark a broader shift. To stay ahead of modern threats, organisations and individuals need to move beyond passwords and adopt more resilient authentication strategies that put control back in the hands of users.”

Ashish Jain, CTO, OneSpan

“World Passkey Day is a reminder that there’s a more secure alternative to passwords, which have long been a point of vulnerability. AI is amplifying phishing schemes at scale to target traditional access credentials. Passkeys represent a step towards a more resilient digital infrastructure that emphasises both security and usability by replacing reusable credentials with cryptographic keys, whether bound to a single device or synced across a user’s trusted platforms. They’re especially valuable for securing high-risk interactions, such as financial transactions, where strong, phishing-resistant authentication is critical.

“FIDO passkeys are the industry standard, backed by the world’s leading technology platforms — Google, Microsoft, and Apple — whose native support has accelerated adoption at scale. Going above and beyond traditional authentication, passkeys verify user identities and strengthen authentication across desktops and mobile devices, creating a more secure digital environment.

“As both cyber threats and passkey adoption grow, I’m confident they will become the underpinning of digital trust and online transactions. The standard exists. The ecosystem is maturing. The window to get ahead of user expectations and regulatory pressure is narrowing fast. The question is no longer whether to adopt passkeys, but how fast you can get them into production.”

David Lee, Field CTO, Saviynt

“World Password Day is a good reminder that passwords alone are no longer enough to protect modern organisations. As AI makes it easier for attackers to scale credential-based attacks, the real challenge is ensuring the right users have the right access at the right time.

“That means organisations need better visibility into who has access to what, and stronger controls to manage and adjust that access as risks change. Ultimately, reducing reliance on passwords starts with taking a more proactive approach to managing identity and access across the business.”

Chris Gunner, vCISO, Thrive

“World Password Day is still certainly a useful reminder on the importance of password hygiene – ensure passwords are unique across different accounts, incorporate a mix of letters and characters and don’t use any personal information. However, the key priority for organisations in today’s cyber landscape should be reducing dependence on passwords as a single control.

“With evolving phishing and social engineering techniques being used to obtain the credentials of legitimate users and bypass security controls, even a strong password can be undermined if the wider identity and access environment is not properly managed.

“Passwords must therefore complement a broader identity-led strategy. They’re perfect as a first line of defence, but a second identification step is needed so accounts continue to stay protected if a password is breached. Multi-factor authentication requires an additional form of verification such as a code provided to the user via an app or biometric proof before an account can be accessed. Biometric protection in particular is nearly impossible for hackers to get past.

“MFA controls should then be joined by identity governance and endpoint protection so gaps between systems are reduced. A broader Zero Trust and secure access model should revolve around users and devices being verified before access is granted, and then continuously validated thereafter, rather than trusted by default.

“Businesses should also never forget the importance of education. People should be trained to recognise suspicious messages, avoid handing over sensitive information, stay current on threat trends and act as a stronger line of defence alongside controls such as MFA and other security tools.”

Danny de Vreeze, VP of Identity and Access Management, Thales

“The industry has spent decades trying to improve passwords, but the reality is that people have long moved on. When 68% of consumers say they trust companies more when passkeys are used, it’s clear that authentication is no longer just a security control but a key part of the overall customer experience.

“The Thales Digital Trust Index shows that trust in businesses to protect data remains low, with most industries struggling to earn the confidence of even half their customers. People are looking for clear reassurance that their data is protected, and passkeys are one simple, seamless way to provide that.

“The challenge is that while 87% of IT decision makers recognise the importance of passkeys, only around half have actually implemented them. Consumers are ready for passwordless, but businesses are lagging behind.

“Closing that gap isn’t just about reducing risk, it’s about building trust from the very first interaction and turning security into a competitive advantage. Customers are officially over passwords, and businesses need to keep up.”

Luis Corrons, Security Evangelist, Norton

“World Password Day has served an important purpose for years, encouraging people to think more seriously about how they protect their online accounts. But the bigger question now is whether we are reaching the point where passwords themselves should no longer be the centre of that conversation.

“The threat landscape has changed. AI is making fake messages, cloned websites and phishing lures more convincing, while stolen credentials remain one of the most common starting points for account takeover and identity theft. Even a strong password can be phished, reused in the wrong place, or exposed in a data breach. Passkeys address that problem in a very different way.

“Instead of typing a password that can be stolen or handed over to a fake site, the user unlocks a passkey on their own device using something familiar, such as a fingerprint, face scan or device PIN. Behind the scenes, passkeys use public key cryptography, which means the service never needs to store a reusable password and there is nothing useful for a phishing site to capture.

“That does not mean passwords will disappear overnight. Passkeys are gaining momentum, but they are not yet universal, and many consumers will continue to live in a hybrid world for some time. For accounts that still rely on passwords, the best practical defence remains using long, unique passphrases, a trusted password manager, and multi-factor authentication through an authenticator app wherever possible.”