The passwordless future has been promised for years. In 2025, we’re finally seeing real momentum with passwordless authentication solutions. Microsoft now defaults new accounts to passkeys, and 61% of organisations plan to implement passwordless authentication within the next year.
In this blog, AJ Thompson explores what “passwordless” really means in practice—and why most organisations still need to think in hybrid terms.
What “Passwordless” really means in practice
Let’s be honest about what we’re actually building. We haven’t eliminated passwords—we’ve just moved them around. What we call “passwordless” today usually means the user doesn’t type a password, but there’s still a shared secret somewhere in the chain. Your phone stores cryptographic keys, your recovery email needs a password, your backup codes are essentially passwords. The complexity hasn’t disappeared; it’s been redistributed across multiple systems.
That said, the momentum is real. With 87% of organisations either deploying or planning to deploy passkeys, this isn’t just another security trend that’ll fade away. We’re seeing genuine evolution in how authentication works, even if it’s not the password apocalypse some vendors promised.
The hidden vulnerabilities in “passwordless” systems
Having conducted countless security assessments for enterprise clients, we can tell you that while passkeys themselves are significantly more resistant to credential theft than passwords, they introduce new classes of vulnerabilities that most organisations haven’t considered.
The recovery process problem
The recovery process is where these systems fall apart. When your biometric fails or you lose your authenticator device, most platforms default to email-based recovery or security questions—both of which are often less secure than the password they replaced. Attackers know this and increasingly target these weaker fallback mechanisms.
I’ve seen sophisticated threat actors completely bypass “passwordless” systems by targeting the recovery flows. They’ll ignore the passkey entirely and go straight for the email account, or social-engineer the support team. It’s like bypassing a reinforced front door by sneaking in through a neglected back gate.
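The weakest-link argument above, as an added example that is not from the original post: a small Python check that follows every login and recovery path into an account (including the mailbox that a reset link lands in) and reports the chain that actually bounds the account's assurance. The gate names, the ordinal scores and the sample tenant are constructed assumptions, not a standard.

```python
"""Weakest-chain check for an account's login and recovery paths (added example,
not from the original post). Gate names, assurance scores and the sample tenant
are constructed for illustration; a higher score means a stronger factor."""

# Constructed ordinal assurance scores; not a standard.
ASSURANCE = {
    "passkey": 3, "hardware_token": 3, "totp": 2, "password": 1,
    "email_link": 1, "sms_code": 0, "security_questions": 0, "helpdesk_reset": 0,
}

# A gate is one way into the account. Its alternatives are other gates whose
# compromise also opens it (a reset link is only as strong as the mailbox it
# lands in), which is how the "redistributed" secrets show up in the model.
SAMPLE_TENANT = {
    "entry": ["passkey", "recovery_email"],
    "gates": {
        "passkey": ("passkey", []),
        "recovery_email": ("email_link", ["mailbox_login"]),
        "mailbox_login": ("password", ["mailbox_sms_reset"]),
        "mailbox_sms_reset": ("sms_code", []),
    },
}

def _weakest(candidates):
    # Lowest score first, then shortest chain, so the answer is deterministic.
    return min(candidates, key=lambda c: (c[0], len(c[1]), c[1]))

def gate_strength(tenant, gate, visiting=frozenset()):
    """Return (score, chain) for the weakest way through `gate`, following alternatives."""
    kind, alternatives = tenant["gates"][gate]
    candidates = [(ASSURANCE[kind], [gate])]
    for alt in alternatives:
        if alt in visiting:  # skip cycles (A unlocks B, B unlocks A)
            continue
        score, chain = gate_strength(tenant, alt, visiting | {gate})
        candidates.append((score, [gate] + chain))
    return _weakest(candidates)

def effective_assurance(tenant):
    """The weakest entry into the account, which is what bounds its real security."""
    return _weakest([gate_strength(tenant, g) for g in tenant["entry"]])

def downgrading_gates(tenant):
    """Entry gates weaker than the strongest one: fallbacks that undercut the passkey."""
    strengths = {g: gate_strength(tenant, g)[0] for g in tenant["entry"]}
    best = max(strengths.values())
    return sorted(g for g, s in strengths.items() if s < best)
```

For the sample tenant the passkey scores 3, yet the account's effective assurance is 0, reached through the recovery email, its password, and the SMS reset behind that password; hardening any link in that chain raises the floor.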
The centralisation risk
What keeps me up at night is the growing centralisation of authentication. Passkeys work brilliantly if you’re already embedded in Apple’s or Google’s ecosystem, but this creates new dependencies. We’re essentially trading distributed password vulnerabilities for potential single points of failure. That convenience comes at a cost: centralised risk we’re only beginning to fully grasp.
The fragmentation problem is real too. While Windows, macOS, iOS, and Android have decent passkey support, try implementing this on Linux systems or legacy enterprise infrastructure. These gaps create security inconsistencies that savvy attackers can and will exploit.

Why fallback passwords persist (and why they should)
Every client asks me the same question: “When can we eliminate passwords completely?” The answer is always the same—not yet, and here’s why that’s actually good news.
Transition management reality
Companies need time to migrate systems and users, and during that period, password fallbacks are necessary lifelines. Even Gartner recommends phasing this in gradually. I’ve never seen a large organisation successfully flip the switch to pure passwordless overnight without major disruptions.
The edge cases don’t go away
Real-world scenarios are messier than lab demonstrations. What happens when you’re using a public computer at an airport? How do you handle transferring credentials when switching from iPhone to Android? What about employees who work in secure facilities where personal devices aren’t allowed? These scenarios still need reliable fallbacks.
The permanent lockout problem
I’ve seen this firsthand in incident response—people lose devices, fingerprints change after injuries, and hardware fails. Without some form of recovery option, you’d be locking people out of their digital lives permanently. For mission-critical business systems, that’s simply not acceptable.
The reality is that until we address these fundamental challenges, hybrid approaches will remain the only practical path forward. And honestly, that’s probably fine.
The market reality: growth amid complexity
The numbers tell an interesting story. The global passwordless authentication market is projected to reach nearly $22 billion this year and approach $90 billion in the next decade. That growth reflects genuine enterprise demand, not just vendor hype.
But here’s what the market reports don’t capture: implementation complexity. Our clients typically spend 6-12 months on passwordless deployments, not because the technology is difficult, but because the organisational change management is substantial. Training users, updating security policies, and integrating with existing identity systems—it’s a bigger project than most CISOs anticipate.
What this means for your organisation
If you’re considering passwordless authentication for your organisation, here’s my practical advice based on real-world implementations:
Start with high-value, low-risk use cases. Deploy passkeys for customer-facing applications before rolling them out to critical internal systems. This lets you learn the operational challenges without risking business continuity.
Plan for hybrid authentication indefinitely. Your architecture should assume you’ll need multiple authentication methods for different scenarios. Pure passwordless is a goal, not a requirement.
Invest in the recovery experience. Most security teams focus on the primary authentication flow and treat recovery as an afterthought. In passwordless systems, recovery often becomes the primary attack vector.
Consider ecosystem dependencies carefully. Vendor lock-in feels different when it’s your authentication system. Make sure you understand the long-term implications of deep integration with specific platforms.

The verdict: evolution, not revolution
The passwordless future is happening, but it’s more evolution than revolution. We’re building better authentication experiences and stronger security postures, even if we haven’t eliminated every password from every system.
As someone who’s spent years helping organisations improve their security posture, I’m encouraged by the progress. Passkeys represent a meaningful step forward in user experience and security. But they’re not magic, and they don’t solve every authentication challenge.
The most successful deployments I’ve seen incorporate passwordless authentication as part of a broader identity strategy, rather than relying on it as a silver bullet. They acknowledge the limitations, plan for complexity, and focus on incremental improvements rather than wholesale transformation.
That’s not the breathless “passwords are dead” narrative you’ll hear at security conferences, but it’s the reality of how modern authentication actually works. And honestly, that reality is pretty promising.
If you’re planning your strategy, make sure it’s grounded in real-world challenges, not just vendor narratives. And if you’d like help navigating the complexity, we’re here to talk.