Debunking myths about passwordless authentication and security
Most online applications today require a password. According to recent research, the average person must juggle 168 passwords.
For many online users, remembering and resetting these is a recurring annoyance.
So, while passwords have become the norm, they’re neither the most secure nor the most practical option.
Martin Lee is Technical Lead, Security Research for EMEA at Cisco Talos.
The reality is that passwords don’t last as long as they used to and they have become easy for adversaries to subvert.
Password fatigue means many users reuse and recycle their passwords, typically making small changes to already weak credentials.
This leaves online users vulnerable to password-related attacks, such as credential stuffing, phishing or push-bombing attacks.
Thankfully, a better alternative exists: passwordless authentication. Passwordless lets you prove who you are without typing a password. Instead, it uses methods such as your fingerprint, face, or a security key on a device.
Not only does that ease the sign-in process, but it also makes it more difficult for attackers to fake. Despite its benefits, however, myths about passwordless authentication continue to persist.
Replacing myths with facts
The first common myth about a passwordless approach is the assumption that it is less secure than multi-factor authentication (MFA).
Many believe doing away with a password means skipping an important layer of protection. In reality, a passwordless approach is MFA, but in a slightly different way.
Traditional MFA relies on something you have, such as a mobile device, and something you know, like a password. Passwordless authentication combines the ‘something you know’ element with something you are, for example facial recognition or another biometric.
Removing the need for a password results in a frictionless login experience, and significantly reduces risks for users, and for the platforms and enterprise applications they are accessing.
It makes it nearly impossible for attackers to steal or fake a login, as they’d need to guess the correct PIN and also have access to biometric data.
A secondary benefit of passwordless authentication is also the reduced burden on IT teams to resolve password-related incidents.
Considering that U.S.-based organizations allocate over $1 million to password-related support costs, adopting passwordless authentication could free up significant time and budget for more complex projects.
A password is not a PIN
Another common myth about passwordless authentication is that a PIN has the same points of security failure as a password. That’s not true. A PIN may look like a password, but it doesn’t work in the same way.
Password data is typically sent over the internet and often stored on a company server, exposing user credentials to external adversaries.
On the other hand, a PIN is used to unlock a device locally, meaning there is nothing for attackers to access remotely. Not only would an attacker have to physically possess a device to even attempt to access it, but even if a device is stolen, a PIN can only be entered incorrectly so many times before the device is locked.
This makes PIN access far more secure than passwords, and combined with biometric data, users can feel confident that their device is very unlikely to be compromised.
Passwords safer than biometrics?
A third common myth is the idea that passwords are inherently safer than biometrics. This myth was born in the early days of biometrics, when the technology was still in its infancy and headlines reported devices being fooled by fake faces or fingerprints.
Thankfully, those days are behind us, and many of the flaws associated with biometrics have been resolved. Today’s systems use features such as 3D mapping, infrared light and “liveness” detection to make spoofing extremely difficult.
Much like a PIN, biometrics work locally. When a user attempts to authenticate via biometrics, they unlock a private key stored on a device. That key never leaves the device it is stored on, nor can it be transferred to another device or site.
This makes biometrics safe from remote access and attacks, and means attackers would have to possess a device and coerce its owner into unlocking it to access any data.
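The PIN and biometric sections above describe one mechanism from two angles: a private key that stays on the device, a local unlock gate with a bounded number of attempts, and a server that holds only a public key and a one-time challenge. The Go program below is an added example of that exchange; it is not code from the article or from Cisco. It assumes Ed25519 signatures and uses a SHA-256 hash of the PIN as a stand-in for a secure element's hardware-enforced PIN check; the five-attempt lockout, the user name and the PIN values are constructed for the demo. A real FIDO2/WebAuthn exchange adds origin binding, signature counters and attestation, which are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Lockout threshold (constructed value for this example).
const maxPINAttempts = 5

var ErrWrongPIN = errors.New("wrong PIN")
var ErrLocked = errors.New("device locked after too many wrong PINs")

// Server is the relying party. Per user it holds only a public key, so a
// copy of this table gives an attacker nothing to crack or replay.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding one-time challenges
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key at enrolment time.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge issues a fresh random nonce the device must sign.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// VerifyAssertion checks the signature over the outstanding challenge and
// consumes that challenge, so a captured signature cannot be replayed.
func (s *Server) VerifyAssertion(user string, sig []byte) bool {
	pub, haveKey := s.pubKeys[user]
	c, haveChallenge := s.challenges[user]
	if !haveKey || !haveChallenge {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

// Device models the authenticator. The private key is created here and is
// never returned or serialised; only signatures leave the device.
type Device struct {
	priv     ed25519.PrivateKey
	pinHash  [32]byte // stand-in for a secure element's PIN check (assumption)
	failures int
	locked   bool
}

// NewDevice generates the key pair and hands out only the public half.
func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// unlock is the local PIN gate: the PIN is checked on the device and never
// transmitted, and a bounded number of wrong guesses locks the device.
func (d *Device) unlock(pin string) error {
	if d.locked {
		return ErrLocked
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		d.failures++
		if d.failures >= maxPINAttempts {
			d.locked = true
			return ErrLocked
		}
		return ErrWrongPIN
	}
	d.failures = 0
	return nil
}

// SignChallenge is the only operation that touches the private key, and only
// after the local PIN (on real hardware, a biometric match) succeeds.
func (d *Device) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if err := d.unlock(pin); err != nil {
		return nil, err
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Authenticate runs one complete exchange: challenge out, signature back.
func Authenticate(s *Server, d *Device, user, pin string) (bool, error) {
	c, err := s.NewChallenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.SignChallenge(pin, c)
	if err != nil {
		return false, err
	}
	return s.VerifyAssertion(user, sig), nil
}

func main() {
	s := NewServer()
	d, pub, _ := NewDevice("2468") // constructed PIN for the demo
	s.Register("alice", pub)
	ok, _ := Authenticate(s, d, "alice", "2468")
	fmt.Println("correct PIN accepted:", ok)
	var err error
	for i := 0; i < maxPINAttempts; i++ {
		_, err = Authenticate(s, d, "alice", "0000")
	}
	fmt.Println("after repeated wrong PINs:", err)
}
```

Running it stand-alone shows the two properties the article relies on: a correct PIN yields a signature the server accepts, and repeated wrong PINs lock the device rather than giving an attacker unlimited remote guesses. Note that the in-memory lockout counter is a simplification; hardware authenticators persist the counter and typically wipe the key once it is exhausted.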
Passwordless: the key to frictionless sign-in experience
As with every new technology cycle or advancement, passwordless authentication is subject to myths and skepticism. For many organizations, passwordless is an important building block towards a zero-trust security strategy.
It can help organizations, both big and small, establish a single, strong user identity and trust, and can significantly transform the sign-in experience for customers.
But adopting passwordless authentication doesn’t happen overnight, and while the promise of better user experience, reduced IT time and cost, and stronger security posture seems like the ideal trifecta, organizations need to think carefully about how it is implemented.
Establishing a clear understanding of an organization’s application landscape is an important starting point: thinking about which applications need protecting. This will help IT and security teams define the prerequisites for getting to a fully fledged zero-trust strategy.
From there, IT teams should consider a piecemeal approach, with pilot deployments of passwordless authentication that can help iron out early issues and address any user concerns.
Passwordless isn’t just a new, easier way to log in; it has the ability to transform an organization's security credentials and its journey towards zero-trust. Taking the passwordless plunge is the first step towards the future of authentication.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro