SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

A future with no passwords: Why passwordless authentication is key for cyber-resilience


In a world where everything we do – from banking, to shopping, to socialising – is increasingly digital, simple passwords remain the gatekeepers of our information. With over 300 billion passwords in use globally, they're deeply entrenched in how we access our information online. But in 2025, as artificial intelligence, quantum computing, and cloud-native architectures redefine digital security standards, one question stands out: why are we still relying on technology created in the 1960s?

Despite their ubiquity, passwords are proving to be increasingly ineffective. In Australia alone, compromised passwords were responsible for a significant portion of cybersecurity incidents in FY2023–24. Despite decades of tweaks such as stronger password requirements, scheduled resets, and the addition of multi-factor authentication, passwords continue to remain an easy target for attackers. The risks and inefficiencies are growing too large to ignore.

As we mark World Password Day on 1 May, now is the time for organisations to critically assess whether their security strategies are future-fit or clinging to outdated conventions.

The high cost of an outdated system

While passwords have long served as the backbone of digital security, they've increasingly become one of its most targeted weaknesses – one which cybercriminals today continue to exploit. They remain the weakest link in the security chain, susceptible to hacking techniques such as phishing – attackers tricking individuals into revealing sensitive information – and "credential stuffing", where stolen username and password combinations are used in automated attacks to access multiple accounts.

The problem extends beyond cybersecurity and affects operations and finances as well. Managing passwords has become a significant business expense, with organisations globally spending an estimated US$1 million annually on activities like staff and infrastructure management, as well as password resets. As businesses grow, so too do the complexities and risks associated with password management, placing greater strain on IT teams and broadening the attack surface for potential breaches.

A better way forward: biometric authentication

While practices like regular password changes and multi-factor authentication (MFA) have traditionally been seen as effective safeguards, they are no longer sufficient to defend against increasingly sophisticated cyber threats. The solution lies in moving beyond passwords altogether. Passwordless authentication leverages public-key cryptography, allowing users to authenticate without ever sharing a password. Instead, a private key stored securely on the user's device works with a public key stored by the service provider to verify identity.

By removing passwords from the equation, businesses significantly reduce the chances of data breaches. There's no password to steal, intercept, or reuse. Authentication becomes tied to the device and, often, the user's biometrics or device PIN, creating a much stronger security posture.

Within Customer Identity and Access Management (CIAM) circles, passkeys - FIDO-aligned credentials stored on a user's device and unlocked with biometrics - are sparking debate about whether they should fully replace passwords. Passkeys still rely on public-key cryptography, yet they differ from app-based multifactor flows because they remove the "knowledge factor" entirely. That eradicates phishing risk and streamlines log-ins, but it also demands robust device-lifecycle policies to prevent lock-outs and lost-device headaches.

Ultimately though, adopting passwordless authentication helps close the gaps introduced by human behaviour, such as reusing passwords across multiple services or falling for phishing scams. It enables a more seamless and intuitive experience, without sacrificing security.

A pathway towards implementing passwordless security

Transitioning to a passwordless future requires a strategic, organisation-wide approach. To lay the groundwork, businesses need to assess whether their infrastructure can support modern authentication protocols. Are applications compatible with passwordless methods? Are user devices capable of secure biometric recognition?

Beyond the technical groundwork, educating your workforce is crucial as well. Internal and external education can help users understand the importance and advantages of passwordless authentication and how to navigate the new systems.

Flexibility is key. With remote and hybrid work models firmly established – more than a third of Australians worked from home at least once a week in 2024 – businesses must be able to deliver consistent, secure access not just in the office, but across all devices and locations. That means deploying scalable solutions that can adapt alongside changing business needs.

Inside Accenture's own passwordless journey

At Accenture, we've been on our own multi-phased passwordless journey for more than a decade, aiming to eliminate password dependency across every application and identity platform. Central to our strategy was moving our applications to Azure Active Directory (Azure AD) and deploying passwordless solutions like Windows Hello for Business. We've since eliminated the need for passwords in the user experience for our employees globally, improving login speed, reducing authentication failures, and strengthening our security posture. Crucially, our experience proves that passwordless isn't a theoretical ideal—it's a practical, achievable transformation.
