Director of product management at One Identity, Nicolas Fort gives his take on the future of identity and access management.
The term ‘passwordless authentication’ has gained something of a mythic quality in boardrooms over the last few years. With tech giants pushing FIDO2 standards, device manufacturers embedding passkeys and enterprises eager to reduce credential theft, the concept of a password-free future has become the holy grail for many of those dealing with identity and access management (IAM).
It’s a compelling prospect. A passwordless system eliminates one of the weakest links in security, streamlines the user experience and reduces an overreliance on credentials that are easy to phish and vulnerable to brute force attacks. What’s not to like?
The catch is that most enterprises tend to operate in diverse environments, where legacy systems must co-exist with modern applications, and where different user groups – from employees to contractors to third-party partners – interact with identity systems in quite distinct ways. For these enterprises, going fully passwordless is more than difficult – it’s impractical.
Passwordless authentication isn’t a security strategy in and of itself. Too often, it’s positioned as a silver bullet, when in reality it’s just another brick in the wall – one element in a broader approach to identity management.
If security controls introduce friction, adoption rates suffer and users inevitably seek workarounds that weaken protection. In this sense, passwordless adoption alone cannot be a mark of IAM maturity. The real benchmark of maturity is whether organisations can deliver authentication experiences that are both resilient and intuitive across a diverse and often fragmented ecosystem.
No passwords does not mean no risks
One recent exploit underscores how even the most advanced authentication features can be undermined when usability and design weaknesses are exploited. At the DEF CON 33 security conference in August 2025, researchers demonstrated a technique known as DOM-based extension clickjacking, which targeted popular browser password-manager extensions.
By overlaying a seemingly harmless pop-up, like a cookie consent banner, the attack tricked users into a single click that triggered the extension to autofill sensitive information. In one stroke, attackers could harvest not just credentials but also two-factor authentication codes and stored credit card details. It illustrated perfectly why eliminating passwords does not necessarily eliminate risk.
Without thoughtful design and resilient controls across the entire authentication flow, even passwordless mechanisms can be manipulated, leaving organisations exposed.
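One concrete form such a control can take is a guard that an extension’s content script runs before it acts on a click that would trigger autofill. The code below is an added illustration written for this article; it is not the article’s own code and not the code of any password manager. The DOM calls it relies on (elementFromPoint, getBoundingClientRect, getComputedStyle) are standard browser APIs, but the `doc` and `win` parameters and the stub page are assumptions that let the guard run outside a browser.

```javascript
// Added example: a pre-autofill guard of the kind an extension's content script
// could run before acting on a click. It is not the article's code and not the
// code of any password manager; the `doc` and `win` parameters are assumptions
// that let the guard run outside a browser against a stub DOM.

function isSafeToAutofill(field, clickEvent, doc, win) {
  const reasons = [];

  // 1. Only a genuine user gesture that landed on the field itself counts.
  //    A click swallowed by an overlay (a fake cookie banner, say) arrives with
  //    the overlay as its target; a script-generated click has isTrusted=false.
  if (!clickEvent.isTrusted) reasons.push('synthetic event');
  if (clickEvent.target !== field) reasons.push('click target is not the field');

  // 2. The field must occupy real screen space inside the viewport.
  const r = field.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) reasons.push('zero-size field');
  if (r.right < 0 || r.bottom < 0 || r.left > win.innerWidth || r.top > win.innerHeight) {
    reasons.push('field outside viewport');
  }

  // 3. Neither the field nor any ancestor may be rendered invisible
  //    (opacity, visibility and display are the usual tricks).
  for (let el = field; el; el = el.parentElement) {
    const cs = win.getComputedStyle(el);
    if (Number(cs.opacity) < 0.5 || cs.visibility === 'hidden' || cs.display === 'none') {
      reasons.push('field or an ancestor is not visible');
      break;
    }
  }

  // 4. The topmost element at the field's centre must be the field itself;
  //    anything else means something is drawn over it.
  const cx = r.left + r.width / 2;
  const cy = r.top + r.height / 2;
  if (doc.elementFromPoint(cx, cy) !== field) reasons.push('another element covers the field');

  return { safe: reasons.length === 0, reasons };
}

// Constructed stub page for running the guard offline. Real code would pass
// `document` and `window` and let the browser answer these questions.
function makeStubPage({ covered = false, fieldOpacity = '1' } = {}) {
  const visible = { opacity: '1', visibility: 'visible', display: 'block' };
  const body = { parentElement: null, style: visible };
  const field = {
    parentElement: body,
    style: { ...visible, opacity: fieldOpacity },
    getBoundingClientRect: () => ({ left: 100, top: 200, width: 240, height: 32, right: 340, bottom: 232 }),
  };
  const overlay = { parentElement: body, style: visible }; // the fake banner
  const doc = { elementFromPoint: () => (covered ? overlay : field) };
  const win = { innerWidth: 1280, innerHeight: 800, getComputedStyle: (el) => el.style };
  return { field, overlay, doc, win };
}

// Three constructed scenarios: an honest click, a click routed through an
// overlay, and a click on a field the page has made invisible.
function runScenarios() {
  const legit = makeStubPage();
  const overlaid = makeStubPage({ covered: true });
  const hidden = makeStubPage({ fieldOpacity: '0' });
  return {
    legit: isSafeToAutofill(legit.field, { isTrusted: true, target: legit.field }, legit.doc, legit.win),
    overlaid: isSafeToAutofill(overlaid.field, { isTrusted: true, target: overlaid.overlay }, overlaid.doc, overlaid.win),
    hidden: isSafeToAutofill(hidden.field, { isTrusted: true, target: hidden.field }, hidden.doc, hidden.win),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(name, result.safe ? 'autofill allowed' : `autofill refused: ${result.reasons.join('; ')}`);
}
```

The guard refuses rather than asks: when any check fails, the right response is to fall back to an explicit, in-extension confirmation rather than silently filling credentials, two-factor codes or card data into whatever the page put under the user’s cursor.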
It’s also important to recognise that the biggest risk in credential abuse isn’t just the password itself, but the level of authorisation it unlocks. That’s why privileged access management (PAM) plays such a critical role alongside newer mechanisms such as passkeys.
While standards such as FIDO2 and WebAuthn are highly effective at reducing phishing and password-based attacks, they are not an ultimate shield against credential-driven compromise. Residual risks remain in several areas – post-authentication session theft, endpoint compromise, gaps in legacy systems and protocols, and weaknesses in recovery or fallback processes. A robust privileged strategy addresses these challenges by pairing MFA with PAM controls, such as just-in-time access, privilege elevation and delegation management, session isolation and secrets governance, while also hardening legacy authentication pathways.
Why usability is the real security slam dunk
IAM has traditionally been built around a security-first mindset. Stronger controls, more layers of defence, and an assumption that users will simply have to adapt and get on with it. But in practice, this approach doesn’t work.
When security controls create confusion or friction, users push back. They find shortcuts, reuse old credentials or avoid adopting new methods altogether. Getting around a difficult authentication check becomes a small win to celebrate, met with a sigh of relief.
In part, this is simply down to human nature. We automatically take the path of least resistance when it comes to getting something done. Expecting humans to stop what they’re doing and grapple with clunky security checks that interrupt and impede their work is basically the organisation pushing the security burden onto its employees – ‘You didn’t set up X and Y and you failed to do Z, so now we’re vulnerable and it’s your fault’.
The truth is any security strategy that demands too much from employees is no security strategy at all. Security should be invisible. Part of the network furniture. It should be so seamlessly aligned with how people actually work that it’s difficult for them not to act securely. Compliance and adoption will then follow naturally.
The hybrid reality
In security, user experience almost matters more than the security protocol itself. We see this in all environments – even consumer-facing ones. A bank that forces customers through cumbersome authentication steps, even after setting up fingerprint verification, risks abandonment. A piece of software that requires users to check their phones for messages and punch in a code even after they’ve selected ‘trust this browser from now on’ will lead to untold frustration. And it’s the same for employees. While passwordless authentication may sound like a solution to these problems, there’s a risk that it will become a crutch for organisations and lead to more barriers and friction.
Biometric push notifications or adaptive MFA that only escalates when risk signals are present are far more user friendly. And that’s true of administrators too. If policies are hard to configure, or if provisioning and deprovisioning workflows are clunky, identity sprawl and misconfigurations creep in.
In short, usability doesn’t mean ‘easy at the expense of secure’. It means designing IAM systems where the secure choice is also the simple, obvious choice – and sometimes that’s as simple as a password.
It isn’t always clear cut, however. In another recent example of how biometric systems can be compromised, security researchers revealed a critical flaw in Windows Hello for Business, codenamed the ‘Windows Hell No’ vulnerability, that allows an attacker with local administrator access to tamper with the device’s biometric database. By injecting their own facial or fingerprint template, the attacker can trick the system into recognising them as a legitimate user, effectively bypassing biometric authentication entirely. Though Microsoft offers enhanced sign-in security (ESS) as a mitigation, its adoption remains limited due to hardware and platform constraints, meaning this is still a very practical attack vector for those minded to abuse it.
For enterprises managing thousands of applications across multiple geographies, a one-size-fits-all approach such as moving to a passwordless system simply isn’t possible. Instead, authentication must be applied contextually – choosing the right method for the right situation.
A highly sensitive system may justify stronger, adaptive MFA, while a legacy internal tool might continue using passwords until modernisation makes a shift to passwordless more feasible. Consider a hospital scenario, for instance. Doctors might access patient records on tablets using biometrics for speed and assurance, while legacy back-end systems in the same hospital still require passwords due to vendor constraints. Both exist within the same security ecosystem, and both need to be managed with equal attention. Forward-thinking IAM strategies acknowledge this complexity rather than trying to simplify it away.
That’s why passwordless for its own sake is not a strategy. And security leaders who insist on these ‘all or nothing’ objectives risk alienating users and stalling their IAM programs before they ever reach maturity.
Finding the Goldilocks zone
What organisations need to find is the sweet spot between security and usability – the ‘Goldilocks’ zone. Ideally, security should be so seamless that employees aren’t always conscious of it. That requires designing identity systems that anticipate human behaviour, minimise unnecessary steps and deliver the right level of security assurance at the right time.
Adaptive authentication is one of the clearest examples: by assessing contextual risk signals such as device type, geolocation or behavioural patterns, systems can decide when to step up security and when to let users pass through with minimal friction. This approach avoids bombarding users with MFA prompts at every login, while still maintaining high assurance in moments of potential risk. In effect, security becomes invisible until the situation calls for it.
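The following policy engine shows the decision described above in working form. It is an added example written for this page, not the article’s code and not any vendor’s product logic; the signal names, weights, thresholds, the fictional user profile and the login events are all assumptions chosen for illustration.

```javascript
// Added example: a minimal risk-based (adaptive) authentication policy, written
// for this page and not taken from the article or from any vendor's product.
// Signal names, weights and thresholds are assumptions chosen for illustration.

const WEIGHTS = {
  unknownDevice: 40,      // device identifier never seen for this user
  newCountry: 30,         // country absent from the user's recent history
  impossibleTravel: 60,   // implied speed since the last login exceeds air travel
  offHours: 10,           // outside the user's normal working window
  privilegedResource: 25, // the target application is tagged as sensitive
};
const THRESHOLDS = { stepUp: 40, deny: 90 }; // score bands for the three outcomes

// Great-circle distance in km, used for the impossible-travel check.
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Scores one login attempt against the user's profile and returns the decision
// together with the signals that contributed, so the outcome is explainable.
function assessLogin(event, profile) {
  const reasons = [];
  let score = 0;
  const flag = (signal) => { score += WEIGHTS[signal]; reasons.push(signal); };

  if (!profile.knownDevices.includes(event.deviceId)) flag('unknownDevice');
  if (!profile.usualCountries.includes(event.country)) flag('newCountry');

  if (profile.lastLogin) {
    // Floor the elapsed time at one minute so a same-second login cannot divide by zero.
    const hours = Math.max((event.time - profile.lastLogin.time) / 3_600_000, 1 / 60);
    const km = haversineKm(profile.lastLogin.geo, event.geo);
    if (km > 50 && km / hours > 900) flag('impossibleTravel');
  }

  const hour = new Date(event.time).getUTCHours();
  const [start, end] = profile.workHoursUtc;
  if (hour < start || hour >= end) flag('offHours');

  if (event.resourceSensitivity === 'high') flag('privilegedResource');

  let decision = 'allow';                                    // silent, no extra prompt
  if (score >= THRESHOLDS.deny) decision = 'deny';
  else if (score >= THRESHOLDS.stepUp) decision = 'step-up'; // ask for MFA
  return { decision, score, reasons };
}

// Constructed profile and login events for a fictional user.
const DUBLIN = { lat: 53.35, lon: -6.26 };
const PARIS = { lat: 48.86, lon: 2.35 };
const SYDNEY = { lat: -33.87, lon: 151.21 };

const aliceProfile = {
  knownDevices: ['laptop-01'],
  usualCountries: ['IE'],
  workHoursUtc: [7, 19],
  lastLogin: { time: Date.UTC(2025, 8, 1, 9, 0), geo: DUBLIN },
};

const SAMPLE_EVENTS = {
  routine:    { deviceId: 'laptop-01', country: 'IE', geo: DUBLIN, time: Date.UTC(2025, 8, 1, 10, 0), resourceSensitivity: 'low' },
  newDevice:  { deviceId: 'phone-99',  country: 'FR', geo: PARIS,  time: Date.UTC(2025, 8, 1, 14, 0), resourceSensitivity: 'low' },
  suspicious: { deviceId: 'unknown-7', country: 'AU', geo: SYDNEY, time: Date.UTC(2025, 8, 1, 9, 30), resourceSensitivity: 'high' },
};

for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  const { decision, score, reasons } = assessLogin(event, aliceProfile);
  console.log(`${name}: ${decision} (score ${score}; ${reasons.join(', ') || 'no risk signals'})`);
}
```

The routine login from a known laptop in the usual country scores zero and passes silently; a new phone from a new country lands in the step-up band and gets an MFA prompt; a login from an unknown device on the other side of the world half an hour after the last one, against a sensitive application, is denied outright. Returning the contributing signals alongside the decision is what makes the policy tunable and auditable rather than a black box.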
The same principle applies to administrators and developers. A security control that’s difficult for IT to configure or manage often becomes a weak link. Automating provisioning and deprovisioning, integrating policy management into central identity fabrics, and providing easy-to-use tools for secure credential issuance reduce the temptation for shortcuts that lead to identity sprawl. On both sides of the user equation, usability is about engineering systems that align with natural workflows so that secure behaviour becomes the default, not the exception.
Looking further ahead, two emerging developments will shape how usability and authentication evolve: non-human identities (NHIs) and the European Digital Identity Wallet (EUDIW). Unlike human users, NHIs, such as service accounts, APIs and autonomous agents, are inherently ‘UI-less’, meaning they cannot rely on passkeys or MFA as we know them today. They will require dedicated authentication models designed for machine-to-machine trust.
At the same time, Europe’s push for verifiable credentials through eIDAS 2.0 and the rollout of EUDIW signals a long-term shift toward citizen-held, strongly authenticated digital identities. By linking these credentials with robust verification mechanisms and reinforcing them under regulations such as NIS2 and the Cyber Resilience Act, organisations will be expected to apply the same strong identity assurance not only to employees but across their entire supply chain.
By Nicolas Fort
Nicolas Fort is director of product management at One Identity, where he focuses on delivering expertise in product management, cybersecurity and market analysis. Previous roles include product strategy consultant at Promon and participant in the National ID Verification Framework for Norway, contributing to the development of identity verification frameworks aligned with European directives. Fort holds an MBA from KEDGE Business School and various qualifications in computer science and international business.