When it comes to numbers, nothing catches one’s attention quite like “billions.” The world population, national budgets, and industry market values number in the billions. “Millions” no longer has the shock appeal it used to have.
When the news hit in June 2025 that 16 billion compiled leaked credentials were briefly exposed, people took notice. News reports said the 16 billion credentials, from across 30 unsecured, public-facing databases, likely were unintentionally left open to the Internet. Parties unknown quickly closed the exposed resources after researchers from Cybernews discovered them.
The credentials came from multiple breaches and infostealer logs. Certain records, likely from infostealers, used a structured format showing a URL, username or email, and password. Some credentials from recent infostealer logs include session tokens or cookies, which attackers can use to bypass multi-factor authentication if the session is still valid.
Passwordless technology offers a solution to this. Passwordless logins, especially those using biometrics and Fast Identity Online 2 (FIDO2) and WebAuthn technologies, counter credential-based attacks that rely on usernames and passwords. FIDO2 is an open standard for authentication from the FIDO Alliance in partnership with the World Wide Web Consortium (W3C). It uses the WebAuthn API, which enables browsers and apps to use FIDO2.
Passwordless authentication for the Web and Web apps requires standards like FIDO2/WebAuthn, which can use device-based biometrics as part of the process, according to Passkeys, an educational resource from OwnID, an identity management company.
So, what’s keeping organizations from upgrading to passwordless authentication?
Companies often count on legacy systems that use password-based authentication; it’s difficult and expensive to replace these with passwordless options. Organizations may lack the skills and teams to implement passwordless authentication effectively. Any upfront investment in new infrastructure, vendor support, and training is also a hurdle.
“The most common obstacle [to passwordless deployment] is legacy systems that are tightly coupled with traditional password-based authentication,” said Tom Richards, systems, storage, and security practice lead for Northdoor, a London, U.K., IT consultancy.
Retrofitting legacy systems with FIDO2/WebAuthn often requires custom integration or re-platforming projects, which can take six to 12 months, even with a dedicated team, Richards said.
Legacy systems embed their authentication code in the core system and lack APIs for FIDO2/WebAuthn, which use public-key cryptography, a paired public and private key, to encrypt and decrypt data. Retrofitting such systems means building custom FIDO2/WebAuthn APIs or re-platforming onto a cloud-native architecture.
“Organizations without dedicated identity teams often struggle to evaluate passwordless solutions properly, let alone deploy them securely,” said Richards.
Even something as fundamental as handling account recovery or lost authenticators (such as security keys) can become a blind spot if an organization doesn’t own it internally, he said.
“We’ve seen cases where gaps in skills led to insecure fallback methods that undermined the whole effort,” said Richards.
“Passwordless isn’t just a software rollout; it touches identity infrastructure, endpoint security, user workflows, and support operations,” he added.
According to Richards, this means that multiple teams must align, and the upfront costs of platform upgrades, vendor integration, and staff training can be substantial.
While passwordless authentication can simplify user experiences and avoid the pitfalls of passwords, it presents a complex and costly effort for organizations to undertake. Everything that passwordless authentication requires and touches incurs costs.
Real-World Passwordless Success
“We work with people [who are] often left out of traditional finance, so making logins safer without making them harder is something I care about personally,” said Jeffrey Zhou, founder of Fig Tech, a New York City-based alternative lender.
“We started by keeping our backend auth logic in place and adding a passwordless layer for specific login flows. It handled biometric-based FIDO2 authentication, but still fell back to passwords when needed. This lets us test without redoing everything,” said Zhou.
Rather than removing and replacing password-based authentication systems and adding complexity, Fig Tech was able to test a passwordless approach and correct any issues first.
“We prioritized the accounts that were costing us the most. Fraud was happening on repeat accounts using stolen credentials. We rolled out passwordless to that segment first. After three months, takeover attempts on those accounts dropped by 64%. Our support team flagged a noticeable drop in recovery requests, too,” said Zhou.
One way to mitigate the risks of passwordless deployment is to focus on achieving a significant return on investment while addressing a single, well-defined issue. Fig Tech kept specific metrics to prove success.
“We treated support like part of the launch, not an afterthought. We wrote custom scripts for agents to help users transition, especially those with older phones or spotty device access. Support call times on login issues dropped 17%, which honestly surprised me,” Zhou said.
Senior Care Community Deployment
“Protecting sensitive resident data, family communications, and internal systems is part of how we maintain trust, so exploring passwordless authentication became a priority for us,” said Moti Gambard, chief executive officer of Raya’s Paradise, a senior care community in California.
“One primary obstacle was integrating passwordless logins with older healthcare management systems that still rely on traditional passwords. It wasn’t just about cost; it was the fear of downtime during the transition. We overcame this by working with a vendor that offered phased deployment, allowing some systems to run biometrics and others to stay password-based temporarily until a full migration was possible,” said Gambard.
Healthcare facilities and providers are always concerned about the quality and continuity of care for patients. Life-saving systems must stay up.
“The first systems we transitioned to biometrics were non-critical ones; [they were] primarily internal administrative tools and staff scheduling platforms,” Gambard said. “We deliberately avoided touching any systems tied directly to patient care during the early rollout. This ensured there was zero disruption to resident services, and it gave us time to work through technical and training hurdles safely.
“Training was another hurdle,” he said. “Our team isn’t made up of IT specialists, so the shift to FIDO2-compatible hardware keys and device-based biometrics needed to be simple.”
The team worked to minimize user pushback and lower the learning curve.
“We kept the shift simple by focusing on what was familiar,” Gambard said. “Most of our staff were already using smartphones with fingerprint or face recognition, so we leaned into that comfort level. Our vendor customized training in small group sessions, focused only on the tools each team actually used. That minimized overload and allowed everyone to adapt at their own pace without tech anxiety.”
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.