Why passwordless authentication is taking over

Alex Laurie, GTM CTO, Ping Identity

  • Monday, 6th July 2026 Posted 8 hours ago in by Katy Hill

Earlier this year, the UK’s National Cyber Security Centre (NCSC) issued a definitive directive: where passkeys are available, they should immediately replace passwords. The guidance reflects a fundamental recognition that traditional passwords are defenceless in today’s modern threat landscape. 

The timing of this shift is critical. Cybercrime has matured into a highly efficient, AI-driven software enterprise. Equipped with industrial-scale AI tooling, threat actors can now automate, orchestrate, and deploy hyper-realistic phishing campaigns, credential-stuffing attacks, and account takeovers at machine speed. 

Yet, industry data reveals a staggering gap: only 9% of organisations are actively prepared to defend against these AI-driven identity threats. Moving away from passwords is no longer a long-term digital transformation goal; it is a race against sophisticated adversaries to preserve digital trust.

Compromised security and broken UX

To understand why we must move away from passwords, we have to look at the severe friction they introduce to the enterprise. For years, identity security was treated as a back-office problem. Today, it sits at the absolute center of customer experience and corporate revenue.

Passwords force a broken trade-off: making users create increasingly complex strings of characters results in severe password fatigue and, in many cases, account abandonment altogether. When security kills conversion, the business model is broken.

Furthermore, public skepticism is at an all-time high. Research shows that 76% of Brits are genuinely worried about identity theft and fraud, yet only 17% fully trust the organisations managing their identity data. Passkeys directly resolve this trust deficit through cryptographic authentication. Because private keys stay securely on the user's local device and are never shared with a central server or application, there is no central database for hackers to breach. Because passkeys are cryptographically bound to a specific, verified domain name, they are inherently phishing-resistant, completely neutralising the human error that social engineering exploits.

Expanding beyond human identities

The case for passkeys extends far beyond human convenience. As we navigate the explosive rise of Agentic AI - autonomous digital proxies, personal shoppers, and synthetic workflows executing transactions and querying databases on behalf of humans. 

This shift completely shatters traditional authentication models. Passwords were fundamentally built for human brains to remember. An autonomous AI agent cannot "remember" a password without creating severe vulnerabilities, such as hardcoded credentials or shared session tokens that expose permanent risks. If an agent inherits over-privileged human credentials, a compromised or rogue process can exfiltrate sensitive data at machine speed - vastly outpacing the response time of a traditional human Security Operations Center.

Passkeys and decentralised, cryptographic credentials offer the only viable path forward. By giving AI agents their own distinct, first-class machine identities with task-specific, time-bound permissions, enterprises can securely verify and audit machine-to-machine actions without exposing underlying human credentials. 

Overcoming the complexities of adopting passkeys 

Despite the clear benefits, transitioning away from passwords presents real-world complexities. Passwords remain deeply embedded within legacy architectures, core IT systems, and critical compliance infrastructure. Replacing them requires careful orchestration, and many IT leaders fear that updating these systems will demand massive code rewrites and extensive specialist development resources.

This is where advanced identity orchestration becomes a critical business enabler. Modern, low-code or no-code identity platforms allow organisations to visually map, test, and deploy sophisticated authentication journeys seamlessly. This abstraction layer enables businesses to introduce modern passwordless options like passkeys or biometric prompts progressively, without ripping and replacing underlying legacy systems or disrupting the active user workflow. 

Simultaneously, the broader industry momentum is making this shift inevitable. Tech giants like Google and Amazon are rapidly positioning passkeys as their default authentication standard. Organisations that delay moving toward passwordless frameworks are left defending a perimeter built for an entirely different era. 

Securing the future through continuous digital trust  

The NCSC’s call to drop passwords is much more than a tactical upgrade; it is a strategic mandate to rethink digital trust. In an era dominated by automated threats, deepfakes, and autonomous software, the concept of static, point-in-time logins is officially obsolete.

By adopting an identity-first approach centered on passkeys and robust identity orchestration, enterprises can eliminate the friction that drives away customers, secure their expanding synthetic workforce, and build the foundation of continuous trust required to scale safely in a digital-first world.

By Ricardo Arroyo, Principal Product Manager at WatchGuard
In an exclusive interview with Rik Ferguson, VP of Security Intelligence at Forescout, it becomes clear that effective cybersecurity now demands more...
By Tobie Morgan-Hitchcock, CEO & co-founder, SurrealDB.

Before MSPs Adopt AI, They Need a Thesis

Posted 6 days ago by Sophie Milburn
By Adam Winston, Vice President of Endpoint Security & MDR, WatchGuard
By Brett Candon, VP International at Dropzone AI
In this Q&A, Kristian Györkös, Senior Vice President and Global Head of Channel at WSO2, discusses how the rise of agentic AI is reshaping...
By Tracey Hannan-Jones, information security consulting director at UBDS Group

The infrastructure behind the UK’s AI ambitions

Posted 1 week ago by Sophie Milburn
Chris Carreiro, Chief Technology Officer at Park Place Technologies, examines how sovereign compute ambitions and accelerating AI adoption are...