With every credential breach that hits the news, CISOs and security professionals continually reach the same conclusion: passwords are insecure, and we should abandon them in favor of less risky authentication factors. But, secure or not, passwords are stubborn. The 2025 Verizon DBIR rated the likelihood of this being the year we finally eliminate passwords as being on par with "this being the year of the Linux desktop."
Any IT or security pro who has had to explain passkeys to their coworkers can tell you that 2025 isn't going to be the year we do away with passwords. Frankly, that year's not likely to come any time soon. Even if it were technically feasible (it often isn't) to transition every single login at a company to passkeys or biometrics, that would take years of concentrated effort. In the meantime, security leaders can't afford to sit on their hands and ignore the credential risks currently facing their company.
We need a new approach to thinking about secure authentication. To achieve that, we first need to answer the question: what is it, specifically, that makes passwords so high-risk?
Of course, it's the user.
The human element is a complicating factor in every aspect of cybersecurity, and it's particularly challenging when it comes to securing credentials. In fact, the 2025 DBIR reported that the human element served as a "gating factor" in 60% of breaches last year. The most surprising thing about that statistic is that it's not 100%. After all, users are the ones who:
- Create weak and duplicated passwords.
- Share unencrypted passwords with coworkers.
- Give up their passwords in social engineering attacks.
To be clear, this isn't because users are problematic; it's because passwords are problematic as a knowledge factor. Users are asked to remember distinct secrets for dozens of tools and systems, and to pass those secrets across teams and apps, and there is no safe way for a person to do either at scale.
It goes without saying that IT and security teams need to manage credential risk. And passwordless authentication should certainly be the eventual goal. While we work towards a passwordless future, we can take steps to secure passwords as they're being used now.
That begins by figuring out where passwordless authentication can and can't be used at your company:
- Discover what authentication methods are in use across your apps and systems. Identify any areas with weak authentication and credential risks.
- Identify and prioritize the systems and apps where you can immediately transition from passwords to passwordless authentication methods.
- Create clear and enforceable policies for passwordless. Guide end-users to set up passwordless authentication on the apps you're prioritizing.
There are various tools that can support this effort. For instance, 1Password's free Passkeys Directory indexes apps and services that support passkeys.
The 1Password Enterprise Password Manager (EPM) provides a clear overview of which authentication methods are being used across your company. You can identify any areas with weak authentication methods or compromised credentials. It can even guide users to transition any critical apps to passwordless logins.
That's sufficient for systems that can support passwordless. But what about the ones that can't? For those, it's not enough to focus on removing passwords from authentication. As much as possible, we need to be removing users from the authentication flow.
Passwordless' greatest strength is that it lets users authenticate without any phishable knowledge factor. For the apps that can't support passwordless, the next best thing is to keep the secret out of the end user's hands.
Even when users must log in with passwords, there are ways to ensure that they never handle them directly. SSO is the most common example: the identity provider holds the credential and the user only ever sees the IdP login. But the integration effort (not to mention the infamous SSO tax, where vendors gate SAML or OIDC support behind higher pricing tiers) tends to limit how many SaaS applications actually end up behind it.
Beyond that, teams can remove users from the equation by requiring the use of password managers. These solutions allow admins to ensure that:
- Each password used in their company is strong and unique.
- Teams can securely share encrypted passwords with coworkers.
- Passwords are randomly generated and never shown to the users themselves.
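The three properties above are checkable. The script below is an added illustration, not 1Password's code or any vendor's API: it generates passwords from the OS CSPRNG, estimates the strength of what is already in a credential inventory, and flags reuse and known-compromised values. The inventory, the "breach corpus" of SHA-1 hashes, and the 60-bit threshold are all constructed for the example. Note the deliberate caveat it demonstrates: a character-class entropy estimate scores a human-chosen password like "Password1!" as acceptable, which is why the compromised-credential check is the one that catches it.

```python
import hashlib
import math
import secrets
import string
from collections import Counter

# Pool for generated passwords: the 94 printable ASCII characters (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a breach corpus: SHA-1 hashes of two passwords
# that appear in every real credential dump. A real audit would query a
# service such as Have I Been Pwned's Pwned Passwords (which takes the first
# five hex characters of the SHA-1 as a k-anonymity range query) or a vendor
# feed rather than a hard-coded set.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "letmein")
}


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw a password from the OS CSPRNG. A manager autofills it, so the
    user never has to read, type, or remember it, which makes length cheap."""
    if length < 12:
        raise ValueError("refusing to generate fewer than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound strength estimate: length * log2(size of the smallest pool
    containing every character class present). Exact only for uniformly
    random passwords; human-chosen ones score far higher than they deserve,
    so this check on its own is not sufficient."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def is_compromised(password: str) -> bool:
    """Exact match of the SHA-1 against the (constructed) compromised set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in COMPROMISED_SHA1


def audit_vault(vault: list, min_bits: float = 60.0) -> dict:
    """vault: list of (service, password) pairs. Returns the services that
    fail each of the three properties a password manager is meant to enforce:
    strength, uniqueness, and not already being in a breach corpus."""
    counts = Counter(pw for _, pw in vault)
    return {
        "weak": [svc for svc, pw in vault if entropy_bits(pw) < min_bits],
        "reused": [svc for svc, pw in vault if counts[pw] > 1],
        "compromised": [svc for svc, pw in vault if is_compromised(pw)],
    }


# Constructed sample inventory; none of these are real credentials.
SAMPLE_VAULT = [
    ("crm", "Password1!"),                    # reused and in the corpus
    ("wiki", "Password1!"),                   # reused and in the corpus
    ("legacy-vpn", "summer2024"),             # lower + digits only: ~52 bits
    ("payroll", "q7$Lm2!vXp9#Rt4&Wz8^Bn1K"),  # strong, unique, not leaked
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    fresh = generate_password()
    print(fresh, round(entropy_bits(fresh), 1), "bits")
```

Running it on the sample inventory reports `legacy-vpn` as weak and both `crm` and `wiki` as reused and compromised; `payroll` passes all three checks. The point for the program described in the text is that the "weak" and "reused" findings are exactly the classes of user-introduced risk that a manager's generator and shared vaults remove, while the "compromised" finding needs a breach feed that no amount of user education supplies.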
Removing users from the authentication flow is often the more user-friendly security option. For example, 1Password Enterprise Password Manager is designed to work with users, making it easy to adopt and enforce secure password practices across teams. Admins have the ability to provision and revoke access to SaaS applications as needed, and to then oversee which users have access to which applications. Users can create and autofill strong passwords without ever having to see them. They're also given simple tools allowing them to share encrypted passwords with other team members. At all times, the passwords to those apps stay encrypted and out of the hands of the human element.
Every team should strive to implement passwordless authentication factors. While we wait for a future where we can fully eliminate credentials, we must manage the risks of today. That means securing passwords from their most potent risk factor – the user.
About the Author: Jason Meller is a vice president of product at 1Password, the founder of Kolide, and the author of "honest.security." Jason began his security and product career at GE's elite computer incident response team. From there, he moved to Mandiant, quickly working his way up to becoming the chief security strategist in 2015. He later founded and served as the CEO of Kolide until its acquisition by 1Password in 2024.