5 myths that stop companies from going passwordless

Written by Admin | Feb 18, 2026

 

In summary

Passwords continue to create security vulnerabilities, yet many organisations hesitate to move beyond them. Here's what you need to know in the passwordless vs passwords debate:

  • 83% of breached passwords still met standard complexity requirements, proving that password strength rules don't stop credential theft.
  • 75% of consumers say passwordless authentication is essential for feeling secure online, and passwordless methods achieve 98% login success rates compared to only 32% for passwords.
  • European regulations including NIS2, eIDAS, and the Cyber Resilience Act now require strong authentication that passwords alone cannot provide.
  • Platforms like itsme make the transition straightforward, with digital identity solutions that connect to existing systems and launch in as little as one week.

Why passwords are still everywhere (despite all the evidence)

Despite decades of evidence showing that passwords create security problems, they remain the standard login method for most organisations. Microsoft's Digital Defense Report 2024 found that over 99% of identity attacks used stolen or guessed passwords. Yet passwords persist because decision-makers underestimate their actual costs and overestimate the difficulty of switching to alternatives.

Passwordless authentication has moved beyond the experimental phase. The European market is expected to reach €11.7 billion by 2030, and 92% of Chief Information Security Officers report their organisations are either implementing passwordless logins or planning to do so.

For regulated industries, European legislation including NIS2, eIDAS, and the Cyber Resilience Act now requires strong authentication beyond simple passwords.

Five common passwordless myths keep organisations stuck in the past, each reflecting outdated thinking that no longer matches current security threats or regulatory requirements.

 

Myth 1: Passwords are secure if they’re strong enough

The idea that complex password requirements provide real security falls apart when examined against actual breach data. An analysis of 800 million breached passwords found that 83% of compromised passwords still met standard length and complexity rules. Users aren't choosing weak passwords; the password system itself creates the vulnerability.

Complexity rules don’t stop credential abuse

Password complexity requirements create a false sense of security while failing to stop actual attacks. Research on 193 million leaked passwords showed that 45% could be guessed in under a minute, and only 23% would survive longer than a year. Across a dataset of more than 19 billion exposed passwords, 94% were reused or duplicated.

When one password appears in a breach, every account using that password or a similar version becomes vulnerable.

Security fails outside the login screen

Even strong passwords can't protect against phishing, social engineering, or credential theft. Attackers don't waste time breaking encryption when they can simply trick users into giving up their credentials. Once a password is stolen, its complexity doesn't matter.

A survey of more than 1,500 users in the Netherlands commissioned by itsme found that the majority want login methods that are impossible to hack, with privacy as the second priority. Ease of use ranked third. This shows a clear gap between what users want and what passwords actually deliver.

 

Myth 2: Our users won’t adapt to passwordless login

The claim that users will resist passwordless authentication contradicts actual user behaviour. Consumer trends across Europe show a clear move away from passwords, driven by direct experience with better options.

Users prefer passwordless over passwords

According to Thales Group's 2024–25 Cybersecurity Insights report, 75% of consumers say passwordless authentication is essential for feeling secure online.

FIDO Alliance research found that 42% of online shoppers abandoned a purchase because they couldn't remember their passwords, while 56% gave up accessing a service entirely.

Microsoft data shows that passkey logins achieve a 98% success rate compared to only 32% for passwords, while multi-factor authentication through itsme takes less than five seconds with 99% first-attempt success.

Users adopt passwordless when it’s familiar and trusted

The itsme-commissioned survey found that the average person in the Netherlands uses five different login methods. In Belgium, over 80% of adults use itsme to log into banks, telecoms, insurance companies, and utilities without passwords, card readers, or one-time passcodes.

Microsoft found that 99% of users complete the passkey setup process once they start it, showing that users readily adopt passwordless authentication when it's implemented properly.

 

Myth 3: Switching to passwordless is too costly for the value it delivers

The idea that passwordless login increases compliance risk is outdated. It's a common misconception about passwordless login, and holding on to it actually creates more risk.

Passwords are more expensive than organisations realise

Every password in an organisation's system represents a potential security breach that must be monitored, changed regularly, and audited.

Studies show that between 20% and 50% of all IT help-desk tickets involve password resets, with each reset costing roughly $70. Companies using passwordless authentication report savings of up to $2 million in the first year.

A global survey found that 53% of organisations reported more identity fraud in the past 12 months, with each fraudulent transaction costing on average 3.9 times the lost value.

Verified digital identity makes compliance easier

European regulations make passwordless authentication necessary. NIS2 requires strong authentication for critical systems. Under eIDAS, EU service providers in regulated sectors must implement strong electronic authentication.

The Cyber Resilience Act requires digital products to include appropriate security controls. The EU Common Criteria scheme evaluates technology products on their security properties, including identity verification.

Relying on simple passwords creates both a security weakness and a compliance liability with potentially substantial penalties.

 

Myth 4: We’ll lose control over our authentication process

The assumption that passwordless authentication only benefits frequent users misses where passwords cause the most problems. Infrequent logins, such as insurance claims or utility account access, are exactly where password-based systems fail hardest.

Occasional logins are more risky than they seem

When users access insurance portals, pension accounts, or utility dashboards once or twice a year, password recall becomes nearly impossible. Users either write down credentials, reuse them from other services, or trigger password reset flows that increase abandonment and support costs.

Passwordless authentication using digital identities like itsme allows customers to complete critical tasks on their first attempt regardless of how rarely they access the service.

 

Myth 5: Going passwordless is optional, we’re fine for now

The belief that organisations can delay passwordless adoption until regulations mandate it ignores both the regulatory timeline and the mounting costs of waiting.

Late adoption increases cost and risk

NIS2, eIDAS, the Cyber Resilience Act, and the EU Common Criteria scheme all require strong authentication that passwords alone cannot meet.

Password-based authentication accumulates help-desk expenses, increases exposure to attacks, and may violate regulations. When enforcement arrives, late adopters face compressed timelines, higher costs, and potential penalties.

Early adopters spread implementation costs over time and gain competitive advantages: better user experiences, lower operational costs, and fewer security incidents.

The 92% of Chief Information Security Officers implementing or planning passwordless authentication recognise it as a strategic necessity for reducing risk, controlling costs, and meeting regulatory standards.

 

How forward-looking organisations do authentication differently

Organisations that move beyond passwordless login misconceptions choose platforms that combine security, compliance, and user experience.

itsme provides digital identity that works across the entire customer journey, from onboarding to login to claims processing. Each identity is securely linked to a verified official document.

The platform offers strict data protection, strong authentication, and full eIDAS and GDPR compliance. It aligns with the upcoming European Digital Identity Wallet framework and works in all 27 EU member states.

Ready to move beyond passwords? Learn how itsme can help your organisation implement passwordless authentication that integrates with your existing systems and goes live in as little as one week.

 

FAQs about passwordless login myths for companies

Below we have listed some of the most frequently asked questions. Don't see your question in this list? Feel free to contact us; we're happy to help!

 

What does “passwordless” actually mean in regulated industries?

Passwordless authentication in regulated industries means verifying user identity without shared secrets like passwords. Instead, authentication uses cryptographic keys, biometrics, or verified digital identities that cannot be guessed, stolen through phishing, or reused across services.

For regulated sectors, passwordless solutions must meet strong customer authentication requirements under eIDAS while maintaining audit trails and compliance documentation.

 

Is passwordless compliant with eIDAS and strong customer authentication?

Yes, when implemented properly. eIDAS requires strong customer authentication using at least two independent elements from different categories: knowledge, possession, and inherence.

Passwordless solutions like itsme satisfy these requirements by combining device possession with biometric verification, while providing the assurance levels and audit capabilities that eIDAS requires. This approach meets regulatory requirements while eliminating password-related vulnerabilities.

 

Does passwordless work for low-frequency journeys like insurance or utilities?

Passwordless authentication works especially well for infrequent use cases. When customers access insurance portals or utility accounts once or twice yearly, password recall becomes nearly impossible. They either reset credentials repeatedly or abandon tasks entirely.

Passwordless methods using familiar digital identities allow customers to verify themselves successfully on their first attempt, regardless of how long it has been since their last login. This reduces abandonment and support costs while improving completion rates for critical tasks.

 

How does passwordless reduce operational cost, not just improve UX?

Passwordless authentication eliminates the largest operational costs associated with password management: help-desk tickets for resets, fraud investigation and remediation, breach disclosure obligations, and customer recovery workflows. Studies show that 20–50% of IT help-desk tickets relate to password resets, costing approximately $70 each.

Enterprises implementing passwordless authentication report first-year savings of up to $2 million. Additionally, reducing credential-based fraud (which costs 3.9 times the transaction value on average) delivers measurable financial impact beyond user experience improvements.

 

What’s the difference between passwordless login and reusable digital identity?

Passwordless login refers to any authentication method that doesn't use passwords, including biometrics, hardware tokens, or one-time codes. Digital identity goes further by providing a verified, persistent identity that works across multiple services and use cases.

Platforms like itsme offer digital identity where each identity links to verified official documents and can be used for onboarding, login, transaction confirmation, and digital signing across different organisations. This eliminates the need for users to create and manage separate credentials for each service while giving organisations confidence in identity verification.