We’ve heard for years that a passwordless future is coming – and users are starting to expect it. However, the reality on many websites and services still lags behind. While biometrics and passkeys are becoming more common, passwords remain the default for many, with little support or guidance for users to make secure decisions.
The latest UK Cyber Security Breaches Survey painted a worrying picture of cyber-security and our direction of travel. More than four in 10 (43 per cent) businesses reported experiencing a cyber-security breach or attack in the past 12 months, with phishing attacks remaining the most prevalent type of breach (85 per cent).
With passwords, as with other aspects of cyber-hygiene, these results highlight a need to educate users in the basic principles of creating secure passwords. Security leaders should not be making assumptions about this level of knowledge.
Password choices remain problematic
Users are frequently the root cause of cyber-security issues, but this is often because they haven’t been properly shown how to do the right things. The core issue when choosing a password has always been ensuring users select a strong one, yet in practice many people make poor choices. Users are opting for weak passwords without realising it – but where do they get the support to understand what a strong password looks like?
Simple choices such as “password” remain among the most common, suggesting little has changed in the past decade. It topped SplashData’s 2012 list, was overtaken for several years by “123456” and has now returned to the number one spot. Unfortunately, the assistance available for users when choosing passwords on major websites is often inconsistent.
In recent years, some websites have implemented alternative approaches – including passkeys and biometrics – to help combat the problems. Supplementary methods such as keychains and autofill features have also offered support by easing the memory burden of remembering multiple passwords. However, these can only help if their features are properly implemented and good password hygiene is continued.
Each approach plays its part in improving protection, although these are far from ubiquitous. On many leading websites, passwords remain the basis for sign-up, and whether other options are available or signposted once accounts are set up varies.
Additionally, many sites are supplementing passwords with multi-factor authentication (MFA), which adds another layer of security rather than relying solely on a password or on passwordless authentication. As a result, the end-user’s experience of security can involve multiple approaches – with some systems and services using traditional passwords, some using MFA and some being passwordless. So, while they may aim to improve protection, inconsistencies such as these can confuse users and complicate the process.
Such inconsistencies are not only off-putting for individuals; if a user responds by switching off these extra protections altogether, security is compromised further. Websites should focus on authentication methods which can easily support users, provide guidance and avoid giving users the freedom to choose poor passwords that put at risk not only the user – but also the whole platform.
The future of authentication: complexity and transition
Moving beyond traditional passwords comes with its challenges – the adoption of any new approach requires effort and investment, which might explain why many organisations haven’t advanced beyond passwords. Some have only recently begun to implement MFA, and this could mean they are less inclined to transition to a passwordless system, despite the potential for improving the user experience.
Many organisations still enforce mandatory password complexity requirements and don’t follow best practice, despite both the National Cyber Security Centre and National Institute of Standards and Technology advising against this. Such requirements often increase the burden on users without making any significant improvements to password protection. Some may remain reliant on traditional passwords because they are unable to update their custom or legacy systems.
Where traditional passwords are used, there needs to be tangible guidance on how to choose and use them securely, accompanied by appropriate checks to enforce good practice. Without this, users could be allowed to get away with making choices that would be regarded as weak. Indeed, regardless of the authentication method, there is always a place for awareness and guidance to support effective use.
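As an added illustration of the “appropriate checks” described above (this is example code, not code from the article or from the NCSC or NIST), the following contrasts a legacy composition-rule policy with a guidance-based check in the spirit of the NCSC/NIST advice: a minimum length, a blocklist of commonly used passwords, and no mandatory character classes. The blocklist contents, the length thresholds, the helper names and the repetition check are all assumptions chosen for the example; a real deployment would screen against a much larger list of breached passwords.

```python
"""Two password-acceptance policies side by side.

legacy_policy():   mandatory complexity rules (the approach the article says
                   NCSC and NIST advise against).
guidance_policy(): length plus a common-password blocklist, with feedback the
                   site can show the user instead of a bare rejection.

Added example; thresholds and blocklist are illustrative assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample blocklist. The article names "password" and "123456" as
# perennial favourites; the other entries are assumed for illustration.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def legacy_policy(pw: str) -> Verdict:
    """Composition rules: 8-16 characters with upper, lower, digit and symbol."""
    reasons: list[str] = []
    if not 8 <= len(pw) <= 16:
        reasons.append("must be 8-16 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("needs an upper-case letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("needs a lower-case letter")
    if not re.search(r"\d", pw):
        reasons.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("needs a symbol")
    return Verdict(not reasons, reasons)


def _core(pw: str) -> str:
    """Case-fold and strip the digit/symbol padding users bolt on to satisfy
    composition rules, so "Password1!" is compared as "password"."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def guidance_policy(pw: str, username: str = "",
                    min_len: int = 8, max_len: int = 64) -> Verdict:
    """Length + blocklist check; every rejection carries advice for the user."""
    reasons: list[str] = []
    if len(pw) < min_len:
        reasons.append(f"use at least {min_len} characters; three random "
                       "words joined together work well")
    if len(pw) > max_len:
        reasons.append(f"use at most {max_len} characters")
    # Check both the raw (case-folded) password and its stripped core against
    # the blocklist so trivial padding does not bypass it.
    if pw.casefold() in COMMON_PASSWORDS or _core(pw) in COMMON_PASSWORDS:
        reasons.append("this is one of the most commonly used passwords; "
                       "choose something less predictable")
    if username and username.casefold() in pw.casefold():
        reasons.append("must not contain your username")
    # Assumed extra check: reject strings where every adjacent pair of
    # characters differs by the same amount ("aaaaaaaa", "12345678", "abcdefgh").
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    if len(pw) > 1 and len(steps) == 1:
        reasons.append("avoid repeated or sequential characters")
    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "12345678"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate).accepted} "
              f"guidance={guidance_policy(candidate).accepted}")
```

The contrast the example is meant to show: the composition-rule policy accepts “Password1!” (which is just “password” with padding) and rejects a long passphrase for exceeding 16 characters and lacking a digit, while the guidance-based policy does the reverse and tells the user why.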
Towards a more secure digital future
While some may see password security as the user’s responsibility, people still need clear guidance on how to protect themselves. If organisations don’t provide it, it’s not obvious where they can turn for reliable advice. And if a site allows weak passwords without warning, many users may not realise there’s any risk at all.
The awareness message should not only be directed at users, who often have no choice but to use passwords anyway. It must also be aimed at the websites and providers that still require them to do so.
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543