The password, that string of characters you type dozens of times every day, is a technology from the 1960s, conceived in an era when computers filled entire rooms and cybercrime did not exist. Six decades later, the password remains the dominant authentication method, despite overwhelming evidence that it no longer works.
The numbers do not lie: more than 80% of all data breaches are related to weak, stolen or reused passwords. The question is not whether the password will disappear, but how quickly — and what will replace it.
Why passwords fail
The fundamental problem with passwords is that they combine two contradictory requirements: they must be complex enough not to be guessed and simple enough to remember. Humans are bad at this.
Research shows time and again that the most commonly used passwords worldwide are variations of "123456", "password" and "qwerty". Even when organisations impose complexity requirements — minimum 12 characters, uppercase, numbers, special characters — employees choose predictable patterns: "Welcome2026!", "CompanyName1!" or a variation on their name and date of birth.
Password reuse is another major problem. The average employee manages more than 100 online accounts. Even the most disciplined user cannot remember a unique, complex password for each account. The result: the same passwords are reused across personal and business accounts. A single data breach at an external service potentially compromises your entire organisation.
Passkeys: the successor to the password
Passkeys are the most promising successor to the traditional password. Based on the FIDO2 standard and supported by Apple, Google and Microsoft, passkeys offer a fundamentally more secure alternative that is simultaneously more user-friendly.
How do passkeys work? Instead of a password that you remember and type, a passkey uses a cryptographic key pair. The private key never leaves your device; only a digital signature is sent to the server, which stores just the public key. A server-side data breach therefore yields nothing an attacker can use to log in.
The user experience is seamless: you unlock the passkey with your fingerprint, facial recognition or device PIN. No password to remember, no code to type and no phishing risk: even if an attacker lures you to a fake website, the passkey simply does not work on a different domain.
Major platforms are adopting passkeys at a rapid pace. Google, Apple, Microsoft, Amazon and dozens of other services now support passkey authentication. Critical mass has been reached.
FIDO2: the standard behind the revolution
Behind passkeys lies the FIDO2 standard — an open authentication protocol developed by the FIDO Alliance, a consortium of more than 250 technology companies. FIDO2 consists of two components: WebAuthn (the browser API) and CTAP (the communication protocol with external authenticators).
The power of FIDO2 is that it is phishing-resistant by design. Authentication is bound to the specific domain of the website. A fake website on a different domain cannot trigger FIDO2 authentication. This is a fundamental difference from passwords and even from traditional MFA methods such as SMS codes or authenticator apps, which are vulnerable to advanced phishing attacks.
For organisations, FIDO2 also offers operational benefits: fewer password resets (a costly helpdesk activity), fewer account compromises and a better user experience that improves compliance with security policies.
Biometrics: your body as the key
Biometric authentication — fingerprints, facial recognition, iris scans — is not new, but the technology has reached a maturity level that enables broad adoption. Modern smartphones and laptops have biometric sensors that are reliable, fast and secure.
The strength of biometrics is that the factor is inseparable from the person: your fingerprint cannot be forgotten, lost or shared. But biometrics also has limitations. Biometric data is not replaceable; you cannot "reset" your fingerprint like a password. That is why biometric data in modern implementations is stored and processed locally on the device itself and never sent to a central server.
The combination of biometrics with cryptographic keys — as in passkeys — offers the best of both worlds: the user-friendliness of biometrics with the cryptographic certainty of FIDO2.
Measuring password behaviour: guiding the transition
The transition from passwords to passkeys and biometrics is not a matter of flipping a switch. Organisations must understand their current password behaviour before they can formulate a migration strategy.
How do employees currently handle passwords? How many use a password manager? How many reuse passwords across accounts? How quickly are compromised passwords changed? What is the adoption level of existing MFA solutions?
These insights are essential for a successful transition. An organisation where 90% of employees already use a password manager is ready for a quick switch to passkeys. An organisation where employees still write passwords on post-it notes needs a culture change first.
Behavioural measurement also helps identify risk groups. Which departments or roles have the worst password behaviour? Where is the urgency greatest? Where should additional support be provided during the transition?
The way forward
The future of authentication is passwordless, but the path there is a gradual process. Organisations that begin now by inventorying their authentication landscape, measuring password behaviour and piloting passkeys have a head start.
The first step need not be grand. Begin by rolling out passkeys for the most critical systems and the highest-risk user groups. Measure adoption, evaluate the experience and scale up.
Nexus-7 helps organisations map their authentication risks, measure password behaviour and develop a pragmatic roadmap towards passwordless authentication. Not as a big bang but as a controlled transition that fits your organisation.