Is a passwordless future just a myth?


Passwordless logins sound secure, but hidden risks remain. Experts say that fallback methods and tech lock-in mean true passwordless authentication isn’t here just yet.

If you’ve ever done something digitally bureaucratic, you’ll know there’s a growing industry trend toward passwordless logins – think passkeys and biometrics.

The word “passwordless” gets bandied about, but often just hides the complexity rather than eliminating it.


Microsoft now defaults new accounts to passkeys, but just because we can’t see a password doesn’t mean cryptographic secrets don’t exist behind the scenes.

The term can mislead users into overestimating security.

A safe box collection.
Image by Craig F. Walker via Getty

The complexity hasn’t disappeared – it's just moved

AJ Thompson, CCO at Northdoor and a member of IBM’s Worldwide Security Advisory Council, isn’t buying the hype around “passwordless” just yet.

“We're not getting rid of passwords – we're just moving them around. What we call 'passwordless' today usually means the user doesn't type a password, but there's still a shared secret somewhere in the chain… The complexity hasn't disappeared; it's been redistributed across multiple systems,” Thompson told Cybernews.

When face scans or fingerprint logins fail, systems often resort to old-school methods like email or security questions.

These recovery steps are easier for hackers to exploit, and don’t always include two-factor protection.


So the weak point isn’t gone – it’s just hiding in a new place.
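As an added illustration, not from the article or the experts it quotes, the constructed Python audit below scores an account by its weakest enabled login or recovery path; the factor scale and the two sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed ordinal scale for this example only: higher is stronger.
FACTOR_SCORE = {
    "passkey": 3,             # phishing-resistant, device-bound key
    "authenticator_app": 2,   # TOTP: phishable, but not replayable
    "password": 1,
    "email_link": 1,          # only as strong as the mailbox behind it
    "sms_otp": 1,             # SIM-swap and interception risk
    "security_questions": 0,  # guessable or publicly known answers
}


@dataclass(frozen=True)
class AuthPath:
    name: str
    factors: tuple  # every factor in the tuple must be presented


def path_score(path: AuthPath) -> int:
    """Heuristic: the strongest factor sets the base score, and requiring a
    second distinct factor adds one (the 'two-factor protection' the fallback
    paths in the article often lack)."""
    base = max(FACTOR_SCORE[f] for f in path.factors)
    return base + (1 if len(set(path.factors)) >= 2 else 0)


def audit(paths) -> tuple:
    """Effective assurance is the weakest path an attacker may choose,
    whether it is the shiny passkey login or a forgotten recovery route."""
    weakest = min(paths, key=path_score)
    return weakest.name, path_score(weakest)


def flag_weak_paths(paths, floor: int) -> list:
    """Names of every enabled path scoring below the required floor."""
    return [p.name for p in paths if path_score(p) < floor]


# Constructed account: passkey login with legacy fallbacks still enabled.
CURRENT = (
    AuthPath("login: passkey", ("passkey",)),
    AuthPath("recovery: security questions", ("security_questions",)),
    AuthPath("recovery: email link", ("email_link",)),
)
# Same account after dropping question-based reset and requiring two factors to recover.
HARDENED = (
    AuthPath("login: passkey", ("passkey",)),
    AuthPath("recovery: email link + SMS code", ("email_link", "sms_otp")),
)

if __name__ == "__main__":
    for label, paths in (("current", CURRENT), ("hardened", HARDENED)):
        name, score = audit(paths)
        print(f"{label}: weakest path is '{name}' (score {score})")
```

Even the hardened account is capped by its recovery path, which is the article's point: the fallback, not the passkey, defines the real assurance level.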

Black and white photo of office workers and a cop.
Image by Ira Gay Sealy via Getty

Big tech lock-in creates new risks

Passkeys often depend on Apple or Google accounts, meaning that you’re stuck in their ecosystems.

If a system goes down (or you switch phones), you might lose access.

That’s a lot of power in very few hands, and it’s risky if something breaks or gets hacked.


Hybrid is the reality – for now

Companies can’t go fully passwordless just yet, as Thompson pointed out:

“Reality bites. People lose phones, biometric sensors fail, and corporate IT departments need reliable ways to recover accounts at scale… Until we solve these fundamental challenges, hybrid approaches are the only practical path forward.”


Also, there’s the question of what happens if someone shares a work computer or loses their phone.

Until recovery methods and device switching become seamless, passwords still fill the gaps.

For now, a mix of methods is the only thing that works at scale.