All the secrets of Cyber Security: Cyberoo's blog.

Passwordless Authentication: what it is and why it changes the attack surface

Written by CYBEROO Global | 2 July 2026

 

Every time a company asks a user to remember a password, it is making a gamble. It is gambling that the password will not be reused, stored in the wrong place, exfiltrated by infostealer malware, or entered on a phishing page crafted well enough to appear legitimate.

For years, we have accepted this gamble as a natural part of digital security. The problem is that attackers have learnt to win it all too easily. The reason is simple: a password is not just inconvenient; it is a shared secret.

Something the user knows, which a system verifies, and which an attacker can steal, buy, intercept or have handed over via a page that is credible enough.

FIDO2/WebAuthn-based, phishing-resistant passwordless implementations stem precisely from this realisation: not as yet another promise of faster logins, but as an attempt to strip attackers of one of the most lucrative tools they have.

 

Passwordless authentication is changing the trust model

The first temptation, when talking about passwordless authentication, is to reduce everything to the user experience: fewer fields to fill in, fewer forgotten passwords, fewer helpdesk tickets.

That’s true, but it’s also the least interesting part. The real change lies deeper: authentication ceases to be based on something the user knows and begins to be based on proof that the device can generate.

In the model based on FIDO2/WebAuthn and passkeys, i.e. synchronisable or device-bound FIDO credentials, a key pair is created during registration: the public key is sent to the service and stored there, whilst the private key remains within the authenticator and is never transmitted. At each login the service sends a fresh random challenge; the authenticator signs it, together with data the browser records about the request, and the service checks the signature against the stored public key. Identity is no longer proven by revealing a secret, but by producing cryptographic proof that the private key is present, without ever exposing it.

This is where traditional phishing loses much of its effectiveness. A phishing page can perfectly mimic a service’s interface, copy a logo, create a sense of urgency and appear credible even to an experienced user.

However, it cannot satisfy the origin checks carried out by the browser and the service. A credential is scoped to the relying party identifier (normally the service's domain) it was registered for, and the browser itself writes the origin of the page making the request into the client data that the authenticator signs; the service then verifies that this origin is its own before it accepts the signature. This is what origin binding means.

If the origin does not match, the browser refuses to use the credential, and even an assertion somehow produced on a look-alike domain carries that domain's origin and is rejected by the service. In other words: the user is not expected to be infallible; rather, the margin within which their error could lead to an incident is reduced.

 

The blind spot of shared secrets

The problem with passwords is that they seem simple until you look at them from an attacker’s perspective.

For a company, they are a means of access. For an attacker, they are an asset: reusable, resellable, combinable with other data, often valid across multiple services and sometimes forgotten in archives, browsers, exported files or unmanaged tools.

Even when a password is stored securely, the risk does not disappear. This does not diminish the value of password managers, which remain the recommended solution where passwords are still necessary, but it does highlight that they do not eliminate the inherent risk of shared secrets. An encrypted container can be technically robust whilst, at the same time, forming part of a fragile process. Security does not lie solely in the algorithm, but in the lifecycle of the secret: where it is created, where it is copied, who accesses it, who synchronises it, who stores it, and who revokes it when a person changes role or leaves the organisation.

This is where many strategies begin to show cracks. Securing a repository well does not mean managing identity well.

If there is no centralised view of access, if obsolete copies remain in circulation, if revocation is manual, or if a compromised endpoint can still read what the user sees, the risk remains active. It simply becomes more subtle – and therefore more dangerous.


Real risks: what changes for attackers

Passwordless authentication is not a magic wand. And it is important to say this straight away, because any technology presented as a definitive solution ends up creating new blind spots.

What changes is not the existence of the risk, but its location. Techniques based on password theft and the relay or replay of one-time codes lose their effectiveness; instead, certain control points that are often underestimated become more important:

  • account recovery;
  • enrolment of new devices;
  • abuse of valid sessions;
  • endpoint compromise;
  • fraudulent addition of authenticators.

In the traditional model, the attacker is after something very tangible: a credential to monetise. They can obtain it through phishing, infostealers, malware, social engineering, malicious extensions, compromised synchronisations or exported and forgotten archives. Once obtained, they can try it elsewhere, resell it, combine it with other information or use it to move laterally.

With FIDO2/WebAuthn-based, phishing-resistant passwordless implementations, the game changes. It is no longer enough to persuade someone to type in a password or hand over a one-time code.

The attacker must target the process itself: taking control of a session, compromising an endpoint, exploiting local malware, physically stealing a device, manipulating a recovery procedure, or forcing the enrolment of a new authenticator.

This is where identity security ceases to be merely a login screen and becomes continuous governance.

 

Business benefits: where passwordless technology adds value

The most obvious benefit of a passwordless approach is easy to explain: fewer passwords to remember, fewer resets, fewer support tickets, less friction.

But the real value is less immediate and far more strategic. Every password eliminated is one less secret to protect, one less credential to steal, one less lever for social engineering.

This is why the return on investment should not be measured solely in the minutes saved during login. It lies in the organisation’s ability to contain abuse, reduce escalations, shorten revocation times and prevent an individual error from becoming a systemic incident. In an ecosystem where attackers use legitimate identities, stolen sessions and active tokens, the quality of access control becomes a measure of resilience, not merely an administrative function.

 

When passwords are still necessary

Of course, no real-world organisation deletes all passwords at the flick of a switch. In many contexts, secret management remains an operational necessity, particularly where the following exist:

  • non-federated applications;
  • technical accounts;
  • isolated environments or industrial systems;
  • temporary access;
  • credentials that do not yet form part of modern authentication workflows.

The point is not to confuse the exception with the strategy. A residual password may only be acceptable if it forms part of a clear process, with:

  • defined responsibilities;
  • restricted access;
  • controlled backups;
  • documented revocation;
  • periodic audits;
  • secure endpoints;
  • precise rules on sharing.

If, on the other hand, the organisation accumulates secrets without a centralised overview, it is not reducing the risk. It is merely making it appear more organised.

The most mature approach is therefore clear: to progressively reduce reusable secrets, to retain passwords only where a viable alternative does not yet exist, and to rigorously govern what remains. The problem arises when what should be residual becomes the primary model once again.

 

Compliance and verifiable security

Even the most recent guidelines favour the adoption of more robust authentication controls that are proportionate to the risk, particularly in contexts vulnerable to phishing, credential theft and session hijacking.

Simply adding a second factor is not enough if that factor can be intercepted, relayed or approved out of notification fatigue. OTPs via SMS, temporary codes and push approvals have raised the bar compared to passwords alone, but they are not always sufficient in high-risk contexts.

A qualitative leap is needed: methods based on cryptographic proof, origin binding and controlled management of authenticators, not just an extra step in the login flow.

In Europe, this change forms part of a broader regulatory framework. NIS2, the GDPR and DORA do not mandate the adoption of passwordless authentication, but they do require security controls that are risk-appropriate, effective, verifiable and manageable over time. In this context, the principle of accountability set out in the GDPR also plays a central role: it is not enough to simply state that access is secure; it must be possible to demonstrate who gained access, using which authentication method, from which device or authenticator, with what level of assurance, with what privileges, and through which mechanisms for managing and revoking credentials.

Viewed in this light, passwordless authentication is not merely a technological fad, but one of the possible solutions for strengthening identity security and making it more verifiable.

 

It’s not enough just to protect your passwords

Passwords won’t disappear overnight, but they can no longer remain at the heart of corporate identity. The priority must be to gradually reduce everything that can be stolen, reused or monetised: personal passwords, shared credentials, legacy access, technical secrets and recovery procedures that are too weak.

To achieve this, a number of clear decisions are required:

  • adopt phishing-resistant implementations based on FIDO2/WebAuthn where the risk is highest;
  • start with privileged accounts and the most exposed users;
  • rigorously control device enrolment;
  • strengthen recovery procedures;
  • maintain continuous visibility over sessions, privileges and registered authenticators.

Passwordless authentication should therefore not be treated as a project to simplify the login process, but as a security and governance decision. Where passwords remain necessary, they must be few in number, tracked, revocable and incorporated into controlled processes. Where they can be eliminated, they must be eliminated. Because simply improving password security is no longer enough: we need to minimise the circumstances in which a credential can become the first step towards a breach.