According to Silicon Republic, One Identity’s director of product management Nicolas Fort argues that passwordless authentication has become an overhyped “holy grail” in identity management circles. He points to recent research such as the DOM-based extension clickjacking demonstrated at DEF CON 33 in August 2025, where a malicious page tricked password-manager browser extensions into autofilling stored credentials and other secrets, sidestepping the authentication in front of them. The reality is that most enterprises operate in hybrid environments where legacy systems must coexist with modern applications, which makes full passwordless adoption impractical. Security controls that create friction lead to poor adoption and workarounds, while biometric systems like Windows Hello face their own vulnerabilities. The real benchmark of IAM maturity isn’t password elimination but delivering resilient, intuitive authentication across fragmented ecosystems.
The passwordless trap
Here’s the thing about passwordless: it sounds amazing in theory. No more forgotten passwords, no more credential stuffing, and, at least with FIDO2 passkeys, no more phishable secrets. But we’re basically trading one set of problems for another. The DOM-based extension clickjacking demonstrated at DEF CON 33 shows how even strong authentication can be undermined by weaknesses in the software around it: an invisible overlay got password-manager browser extensions to autofill into an attacker-controlled page. A single click on a fake cookie banner could expose everything from credentials to 2FA codes and credit card details.
And let’s talk about the enterprise reality. Most companies aren’t running on shiny new infrastructure. They’ve got legacy systems that will never support FIDO2 standards, contractors who need temporary access, and third-party partners using different authentication methods. Trying to force passwordless across this mess? It’s like trying to fit a square peg in a round hole while someone’s actively trying to steal the peg.
Why usability actually matters
Security teams have been getting this wrong for years. They build these fortress-like systems that assume users will happily jump through whatever hoops they create. But humans don’t work that way. We take the path of least resistance. When security becomes too annoying, people find workarounds – and those workarounds create bigger security holes than the original problem.
Think about it: how many times have you seen someone reuse an old password because the new system was too complicated? Or watched colleagues celebrate when they find a way to bypass an annoying MFA prompt? That’s not user failure – that’s design failure. Security should be like the electrical wiring in your house: always there, always working, but you only notice it when something goes wrong.
The hybrid reality
So what actually works? Contextual authentication. A doctor might use biometrics to quickly access patient records on a tablet, while the legacy backend system still requires passwords. That’s not inconsistency; that’s practical security. Adaptive MFA that only steps up when risk signals appear (a new device, an unfamiliar location, a risky network, repeated failures) is the sweet spot. Bombarding users with authentication prompts for every single login just trains them to click through without thinking.
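To make the adaptive idea concrete, here is a small risk-based step-up policy as an added example. It is illustrative code written for this page, not One Identity’s product logic or anything from the Silicon Republic article; the signals (new device, impossible travel, IP reputation, recent failures, resource sensitivity), the point values and the thresholds are all assumptions chosen to show the shape of the decision. A routine login from a known device gets no prompt at all, a new device triggers a step-up, and a login that combines impossible travel with a bad IP is refused outright rather than asking the user to approve it.

```python
"""Adaptive MFA decision: allow silently, step up, or deny, based on risk signals.

Illustrative example only. Signal weights and thresholds are assumptions,
not settings from any real identity product.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

STEP_UP_THRESHOLD = 30          # at or above this score: ask for a second factor
DENY_THRESHOLD = 80             # at or above this score: refuse, do not prompt
IMPOSSIBLE_TRAVEL_KMH = 900.0   # faster than a commercial flight between logins


@dataclass
class LoginContext:
    """Signals available at authentication time (assumed inputs from the IdP)."""
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int                      # unix seconds
    ip_risk: float               # 0.0 clean .. 1.0 known-bad, from a reputation feed
    sensitive_resource: bool = False


@dataclass
class UserHistory:
    """What the IdP remembers from the user's previous successful logins."""
    known_devices: set = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[int] = None
    recent_failures: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def risk_score(ctx, hist):
    """Sum weighted signals; return (score, reasons) so the decision is auditable."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 30
        reasons.append("new_device")
    if hist.last_ts is not None and ctx.ts > hist.last_ts:
        km = haversine_km(hist.last_lat, hist.last_lon, ctx.lat, ctx.lon)
        hours = (ctx.ts - hist.last_ts) / 3600
        if km / hours > IMPOSSIBLE_TRAVEL_KMH:
            score += 50
            reasons.append("impossible_travel")
    if ctx.ip_risk >= 0.7:
        score += 40
        reasons.append("risky_ip")
    if hist.recent_failures >= 3:
        score += 20
        reasons.append("recent_failures")
    if ctx.sensitive_resource:
        score += 15          # raises the bar only in combination with other signals
        reasons.append("sensitive_resource")
    return score, reasons


def decide(ctx, hist):
    """Return ("allow" | "step_up" | "deny", reasons)."""
    score, reasons = risk_score(ctx, hist)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def record_success(ctx, hist):
    """After a successful (possibly stepped-up) login, trust the device and location."""
    hist.known_devices.add(ctx.device_id)
    hist.last_lat, hist.last_lon, hist.last_ts = ctx.lat, ctx.lon, ctx.ts
    hist.recent_failures = 0


def demo():
    """Constructed scenarios: last login from London on laptop-1 an hour earlier."""
    london = (51.5074, -0.1278)
    new_york = (40.7128, -74.0060)
    hist = UserHistory(known_devices={"laptop-1"},
                       last_lat=london[0], last_lon=london[1], last_ts=1_700_000_000)
    routine = LoginContext("alice", "laptop-1", *london, ts=1_700_003_600, ip_risk=0.1)
    new_dev = LoginContext("alice", "phone-9", *london, ts=1_700_003_600, ip_risk=0.1)
    hijack = LoginContext("alice", "laptop-1", *new_york, ts=1_700_003_600, ip_risk=0.9)
    return {
        "routine": decide(routine, hist)[0],       # allow: no prompt, no fatigue
        "new_device": decide(new_dev, hist)[0],    # step_up: one prompt, then trusted
        "hijack": decide(hijack, hist)[0],         # deny: don't let the user "approve" it
    }


if __name__ == "__main__":
    print(demo())
```

The reasons list matters as much as the verdict: it is what an analyst sees in the log when a step-up or denial is questioned, and what lets you tune weights when a signal (a corporate VPN egress flagged as "risky_ip", say) starts prompting everyone.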
And let’s not forget about the administrators. If policy configuration is a nightmare, or provisioning workflows are clunky, you’re going to get identity sprawl and misconfigurations. The weakest link isn’t always the user – sometimes it’s the IT team taking shortcuts because the security tools are too difficult to manage properly.
Finding the sweet spot
The goal shouldn’t be passwordless for its own sake. It should be making the secure choice the easy choice. Sometimes that means passwords. Sometimes that means biometrics. Sometimes that means adaptive authentication that’s invisible until you actually need it.
Looking ahead, we’ve got even bigger challenges coming with non-human identities and Europe’s digital identity wallet. Machines can’t use passkeys or respond to MFA prompts. They need completely different authentication models. The companies that succeed will be the ones that focus on usability across their entire identity ecosystem, not just chasing the latest buzzword.
Basically, if your security strategy depends on users behaving perfectly, you don’t have a security strategy. You have a wish list. And in the real world, wishes don’t stop breaches.