
The end of passwords: 5 reasons companies must rethink authentication
What’s the problem with passwords, anyway?
Nothing... Unless you count the weak ones, the reused ones, the stolen ones, the guessed ones, and the fact that nobody actually likes them. For companies, passwords are a burden to manage and increasingly insufficient against modern attack techniques, translating into lost customers, higher support costs, and regulatory scrutiny.
Companies need to move to more secure authentication methods, especially since even the most well-known organisations in the world are not secure enough. After surveying over 10,000 companies worldwide, the Business Digital Index found that 63% of those companies scored D or F in cybersecurity. This figure jumps to 84% for Fortune 500 companies, showing that many organisations are ill-prepared to protect sensitive accounts.
This blog explores why passwords have become a liability for European businesses and why passwordless, phishing-resistant authentication, including multi-factor authentication, passkeys built on the FIDO2 (Fast IDentity Online 2) specifications, and biometrics, offers a more secure, user-friendly, compliant and competitive alternative.
1. Passwords are not secure, even complex ones
Despite being a default method of authentication, passwords are inherently vulnerable to breaches, theft, and automated attacks. This also applies to complex passwords: Specops Software’s Weak Password Report found that 83% of compromised passwords would satisfy standard compliance rules on length and complexity. In other words, password compliance metrics often give a false sense of safety while leaving systems vulnerable.
Passwords are weakened not just by technology, but also by human behaviour: Users are forced to balance memorability against complexity, which produces predictable patterns and high reuse rates. As a result, a single leaked password can cascade into multiple account compromises, amplifying risk far beyond the individual breach.
Therefore, it's not a surprise that stolen credentials are the root cause of over 80% of data breaches, and the scale of this threat keeps growing as attackers automate their tooling. Threat actors exploit reused passwords in credential stuffing (replaying leaked username and password pairs against other services) and in brute-force attacks against weak or predictable passwords.
2. OTPs are not secure either
While many organisations pair passwords with one‑time passcodes (OTPs) sent via SMS or email, the security gain this provides is rapidly eroding.
Attackers increasingly use phishing and social engineering to set up real-time relay (adversary-in-the-middle) attacks. Consider the following scenario: A victim is directed to a convincing fake login page and enters their username and password. The attacker immediately uses these credentials to log in to the real site, which sends an OTP to the victim. Believing the fake page is legitimate, the victim enters the OTP, which the attacker relays instantly to complete the login and seize the account. The real site cannot tell the difference, because an OTP is just a shared secret that proves nothing about which page the user typed it into.
OTP bots further undermine security, routinely bypassing two-factor authentication via social engineering or phishing. Between March and May 2024, Kaspersky intercepted over 650,000 phishing site attempts targeting OTP flows. Meanwhile, security firm Resecurity reported phishing kits built to intercept both passwords and OTPs across European banks.
Last but not least, SIM swap fraud is surging, whereby attackers impersonate users to take control of their phone numbers and intercept SMS-based OTPs. In the UK alone, unauthorised SIM-swap reports surged 1,055% in 2024, illustrating how rapidly phone-takeover attacks are scaling. Consequently, the European Union Agency for Cybersecurity (ENISA) classifies SMS‑OTP as weak in contexts where SIM swap is feasible.
3. Passwords are a privacy weakness
Between centralised storage, third-party exposure, and uncontrolled data flows, password-based authentication has become a systemic threat to user privacy: it depends on centralised databases of credentials that, even when properly hashed, are prime targets for attackers. In July 2024, the RockYou2024 compilation exposed nearly 10 billion unique passwords gathered from earlier breaches, the largest such leak to date. Earlier that year, over 100 million records were exposed in a single month in Europe, including stored passwords.
The privacy risk does not stop there: Once credentials are stored and shared with third-party providers, every link in the supply chain inherits exposure. According to SecurityScorecard, 78% of Europe’s large financial firms suffered a breach involving a service provider between 2022 and 2023.
Credential reuse further magnifies the problem: Of 19 billion passwords exposed in breaches analysed in 2024, 94% were reused or duplicated, meaning that one stolen credential can open multiple accounts across different services. Even added layers like OTPs often rely on personal channels, such as SMS or email, spreading sensitive data through third parties and creating new points of privacy failure.
At the same time, end-users are becoming increasingly aware of the importance of the privacy of their data. A Europe-wide survey by KPMG showed that 72% of respondents said they are more worried about their privacy, up from 59% five years earlier. This underscores the need for companies to look for alternatives to passwords that meet modern expectations of digital privacy.
4. Passwords are bad for user experience and customer service
In a crowded digital market, convenience is a defining competitive edge, and passwords increasingly stand in the way: Every forgotten password, reset email, and blocked login is a small moment of friction that adds to real business impact.
According to the FIDO Alliance, 42% of online shoppers abandoned a purchase during one month because they couldn't remember their passwords, and 56% gave up accessing a service online altogether for the same reason, with this figure jumping to 66% among users under the age of 35. In contrast, a survey of over 1.17 billion users and 500 brands found that passwordless login showed a customer return rate of 42.43%, the highest of any authentication method surveyed.
Users also increasingly expect seamless access that feels secure by design. According to Thales Group’s Cybersecurity Insights, 75% of consumers indicated that passwordless authentication, such as biometric login, is important to them.
Beyond user friction, frequent password resets also create internal challenges. Thales reports that around two in five users reset their passwords once or twice each month. Resets can trigger help desk tickets, verification checks, and user downtime, all of which can translate directly into support costs.
Companies are responding to this shift. Dashlane reports a 400% increase in passkey authentications (a type of passwordless authentication) in 2024, with e-commerce platforms such as eBay, Amazon, and Target now accounting for around 42% of all passkey logins. Dashlane also found that passkey sign-ins deliver a 70% higher success rate than traditional passwords, reinforcing why both businesses and users are embracing passwordless authentication.
5. Compliance pressures make passwords obsolete
European regulation is tightening the screws on weak authentication. The Payment Services Directive 2 (PSD2) requires strong customer authentication (SCA) for electronic payments, and the Network and Information Security Directive (NIS2) requires in-scope entities to adopt multi-factor authentication. Under these frameworks, a password on its own does not qualify as SCA, which needs at least two independent factors, and password-only systems carry the risks of credential theft, phishing, and large-scale data compromise.
NIS2 extends the expectation of "state-of-the-art" security measures to essential and important entities, such as financial services institutions, telcos, the energy sector, and healthcare. In practice this points to phishing-resistant methods that bind the user to a device-held key using asymmetric cryptography, verifying both the individual and their device. For instance, EU-based digital identity platform itsme® provides multi-factor authentication that is fully compliant with PSD2 and recognised as SCA under EU recommendations.
Additionally, the European Banking Authority clarified in 2023 that unlocking a mobile phone with a biometric or PIN cannot count as an SCA factor if the mechanism is not under the control of the payment service provider. This interpretation effectively rules out many consumer-level authentication flows that rely only on device-based security, which underscores the importance of provider-managed, cryptographically verifiable credentials.
Conclusion: Going passwordless is the next competitive advantage
The age of passwords is ending, replaced by strong, phishing-resistant authentication methods that combine security with usability. Weak or absent multi-factor authentication leaves accounts highly vulnerable: according to Microsoft, more than 99.9% of compromised accounts lack MFA, exposing them to password spray, phishing, and credential reuse.
This urgent need for stronger protection is driving rapid market growth: The European passwordless authentication market was valued at USD 5.3 billion in 2024, and is projected to reach USD 13.6 billion by 2030. Moreover, the shift away from passwords is no longer experimental. Major technology providers such as Microsoft and Amazon have rolled out passkey-based sign-in, letting users log in securely without passwords.
Across Europe, several solutions are already transforming how passwordless authentication works:
Passkeys, which enable secure sign-in through cryptographic key pairs stored on the user’s device, ensuring the private key never leaves it. ENISA recognises passkeys as “the strongest solution of phishing-resistant multi-factor authentication,” aligning with the cybersecurity goals of PSD2 and NIS2.
Hardware security keys, such as YubiKeys, offer strong device-bound authentication for high-risk environments.
One-tap mobile single sign-on (SSO) streamlines access across platforms without relying on stored passwords. This is available, for instance, via digital identity platform itsme®, which links a user’s verified identity to secure device-based credentials, allowing consumers and organisations to log in, approve transactions, and access services securely and conveniently.
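To make the contrast between the OTP relay scenario in section 2 and the passkey description above concrete, here is an added example; it is not code from the original post, from itsme® or from the FIDO Alliance. It models the same real-time relay twice: once against a password plus OTP, where the server cannot tell who typed the code, and once against a WebAuthn-style passkey, where the browser only offers a credential whose RP ID matches the page's host and writes the real page origin into the signed client data, so a relayed challenge fails at both the browser and the relying party. The hostnames bank.example and bank-example.evil are assumptions, and an HMAC over the WebAuthn signed message stands in for the ECDSA/Ed25519 signature a real authenticator produces, so the demo runs on the Python standard library alone.

```python
"""Constructed demo: the real-time relay from section 2 captures an OTP but not a
passkey. HMAC stands in for the authenticator's asymmetric signature (stdlib only)."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://bank.example"          # assumed relying-party origin
PHISH_ORIGIN = "https://bank-example.evil"    # assumed phishing origin
RP_ID = "bank.example"                        # WebAuthn RP ID (registrable domain)


def otp_relay_attack():
    """Victim types password and OTP into the fake page; the attacker relays both
    to the real server, which cannot tell who typed the code."""
    users = {"alice": "correct horse battery staple"}         # constructed user table
    user, password = "alice", "correct horse battery staple"  # captured by the fake page
    if users.get(user) != password:                           # relayed by the attacker
        return False
    otp_sent_to_victim_phone = "%06d" % secrets.randbelow(10**6)
    otp_typed_into_fake_page = otp_sent_to_victim_phone       # victim trusts the page
    return hmac.compare_digest(otp_sent_to_victim_phone, otp_typed_into_fake_page)


def signed_bytes(rp_id, client_data):
    """WebAuthn signs SHA-256(rpId) || SHA-256(clientDataJSON)."""
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


def client_data_json(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


class Authenticator:  # device-held credential; the key never leaves this object
    def __init__(self):
        self._creds = {}                                      # cred_id -> (rp_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key                                   # real devices return a public key

    def get_assertion(self, cred_id, rp_id, client_data):
        stored_rp_id, key = self._creds[cred_id]
        if stored_rp_id != rp_id:
            raise KeyError("no credential for this RP ID")
        return hmac.new(key, signed_bytes(rp_id, client_data), hashlib.sha256).digest()


def browser_get(auth, cred_id, rp_id, challenge, origin):
    """Browser side of navigator.credentials.get(): offers the credential only if
    the RP ID matches the page host, and records the real origin in clientDataJSON."""
    host = urlparse(origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("credential for %s not usable from %s" % (rp_id, origin))
    client_data = client_data_json(challenge, origin)
    return client_data, auth.get_assertion(cred_id, rp_id, client_data)


class RelyingParty:
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id, self.creds, self.pending = origin, rp_id, {}, set()

    def issue_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)                           # single use
        return challenge

    def verify(self, cred_id, client_data, signature):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False                                      # unknown, stale or replayed
        if cd.get("origin") != self.origin:
            return False                                      # produced on another site
        expected = hmac.new(self.creds[cred_id], signed_bytes(self.rp_id, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(cd["challenge"])
        return True


def passkey_demo():
    """Legitimate login succeeds; the relayed challenge fails twice over."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN, RP_ID)
    cred_id, key = auth.make_credential(RP_ID)
    rp.creds[cred_id] = key                                   # registration ceremony
    client_data, sig = browser_get(auth, cred_id, RP_ID, rp.issue_challenge(), REAL_ORIGIN)
    legit_ok = rp.verify(cred_id, client_data, sig)
    challenge = rp.issue_challenge()                          # attacker fetches a real one
    try:
        browser_get(auth, cred_id, RP_ID, challenge, PHISH_ORIGIN)
        browser_refused = False
    except PermissionError:
        browser_refused = True                                # credential never offered
    # Even if that check were bypassed, the assertion names the phishing origin.
    forged = client_data_json(challenge, PHISH_ORIGIN)
    sig = auth.get_assertion(cred_id, RP_ID, forged)
    return {"legit_ok": legit_ok, "browser_refused": browser_refused,
            "rp_accepted": rp.verify(cred_id, forged, sig)}
```

Running `otp_relay_attack()` returns True (the attacker is logged in), while `passkey_demo()` reports a successful legitimate login, a browser that refused to use the credential from the phishing origin, and a relying party that rejected the assertion even when the browser check is assumed bypassed. The origin check in `RelyingParty.verify` is the line a real deployment must never skip: it is what turns a device-bound key into a phishing-resistant one.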

