According to Silicon Republic, One Identity’s director of product management Nicolas Fort argues that passwordless authentication has become an unrealistic “holy grail” for many enterprises. Tech giants are pushing FIDO2 and device makers are shipping passkeys, but most organizations run diverse environments in which legacy systems must coexist with modern applications. Recent research such as the DOM-based extension clickjacking demonstrated at DEF CON 33 in August 2025 shows that removing passwords does not remove risk. The real benchmark of IAM maturity isn’t passwordless adoption but whether an organization can deliver authentication that is both resilient and intuitive across a fragmented ecosystem.
The usability imperative
Here’s the thing about security: when it becomes too cumbersome, people find ways around it, and that is exactly what happens with poorly designed authentication. Users treat a discovered shortcut like a small victory over corporate bureaucracy. Is that really their fault?
I think Fort hits on something crucial here. Security shouldn’t feel like security. It should be “invisible”, part of the background furniture that people don’t notice. When employees have to stop what they’re doing every few minutes to clear a clunky authentication check, you are pushing the security burden onto them. Then, when something goes wrong, it becomes “their fault” for not following the cumbersome procedure.
The hybrid reality
Most enterprises aren’t working with a clean slate. They have decades of legacy systems, vendor constraints, and diverse user populations from employees to contractors. Going fully passwordless simply isn’t practical in those environments. In a single hospital, doctors may use biometrics on tablets to reach patient records while the backend systems behind those records still require passwords.
The DOM-based extension clickjacking research illustrates why passwordless doesn’t mean risk-free. Password manager extensions inject their autofill UI into the page’s own DOM, so a malicious page can style that UI invisible (opacity 0, for instance) and put a seemingly harmless pop-up, such as a cookie banner, where the user will click. The click the user aims at the decoy lands on the hidden autofill control instead. In one click, an attacker could harvest credentials, 2FA codes, even credit card details. The password ceremony itself was never touched; the workflow around it was. So much for eliminating the password risk.
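One defensive layer an extension can apply against this class of attack is to refuse a click on its injected autofill UI unless that UI is actually visible to the user. The check below is an added example written for this page, not code from the research or from any password manager; the function names (`isEffectivelyVisible`, `collectStyleChain`, `guardAutofillClick`) and the visibility thresholds are assumptions, and the scenarios at the bottom are constructed so the logic runs without a browser.

```javascript
// Added example (not from the article or any password-manager vendor).
// A page hosting an extension's injected autofill dropdown can hide it with
// opacity: 0 or visibility: hidden on the element or any ancestor, shrink it
// to a 1x1 box, or push it off-screen, then place a decoy where the user will
// click. Before honouring a click, walk the ancestor chain and the bounding
// box and ask: could the user have seen what they clicked?
// Names and thresholds below are hypothetical, not a standard.

const OPACITY_FLOOR = 0.1; // below this, the user cannot realistically see it
const MIN_SIZE_PX = 8;     // tiny boxes are a classic hiding trick

// styleChain: computed styles from the element up to <html>, innermost first.
// rect: the element's bounding box in viewport coordinates.
// viewport: { width, height } of the visible area.
function isEffectivelyVisible(styleChain, rect, viewport) {
  let opacity = 1;
  for (const s of styleChain) {
    if (s.display === 'none') return false;
    if (s.visibility === 'hidden' || s.visibility === 'collapse') return false;
    // Opacity compounds through ancestors: 0.3 inside 0.3 renders at 0.09.
    opacity *= Number(s.opacity ?? 1);
    if (opacity < OPACITY_FLOOR) return false;
  }
  if (rect.width < MIN_SIZE_PX || rect.height < MIN_SIZE_PX) return false;
  // Entirely outside the viewport (e.g. left: -9999px)?
  if (rect.right <= 0 || rect.bottom <= 0) return false;
  if (rect.left >= viewport.width || rect.top >= viewport.height) return false;
  return true;
}

// Browser glue (not executed here): gather the style chain for a real element.
function collectStyleChain(el) {
  const chain = [];
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    const cs = getComputedStyle(n);
    chain.push({ display: cs.display, visibility: cs.visibility, opacity: cs.opacity });
  }
  return chain;
}

// Browser glue (not executed here): call fill() only if the clicked element is visible.
function guardAutofillClick(el, fill) {
  const rect = el.getBoundingClientRect();
  const viewport = { width: window.innerWidth, height: window.innerHeight };
  if (!isEffectivelyVisible(collectStyleChain(el), rect, viewport)) {
    return false; // the click landed on UI the user could not have seen
  }
  fill();
  return true;
}

// Constructed scenarios: an honest dropdown, then the same dropdown after a
// hostile page applies each hiding trick.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const DROPDOWN_RECT = { left: 320, top: 200, right: 620, bottom: 240, width: 300, height: 40 };
const VIEWPORT = { width: 1280, height: 800 };

function demoScenarios() {
  return {
    honest: isEffectivelyVisible([VISIBLE, VISIBLE, VISIBLE], DROPDOWN_RECT, VIEWPORT),
    ancestorOpacityZero: isEffectivelyVisible(
      [VISIBLE, { ...VISIBLE, opacity: '0' }, VISIBLE], DROPDOWN_RECT, VIEWPORT),
    compoundedOpacity: isEffectivelyVisible(
      [{ ...VISIBLE, opacity: '0.3' }, { ...VISIBLE, opacity: '0.3' }, VISIBLE], DROPDOWN_RECT, VIEWPORT),
    offScreen: isEffectivelyVisible(
      [VISIBLE, VISIBLE], { ...DROPDOWN_RECT, left: -9999, right: -9699 }, VIEWPORT),
    pixelBox: isEffectivelyVisible(
      [VISIBLE], { left: 10, top: 10, right: 11, bottom: 11, width: 1, height: 1 }, VIEWPORT),
  };
}
```

Treat this as one layer, not the fix: an opaque decoy stacked over an opaque target with `pointer-events: none` passes every test above. The stronger mitigation is to move the confirmation out of the page DOM entirely (into the extension’s own popup, which the page cannot style) or to require an explicit user gesture before filling on an origin the user has not filled before.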
Finding the sweet spot
What organizations really need is what Fort calls the “Goldilocks zone”, the balance point between security and usability. Adaptive authentication is the practical route there. Instead of bombarding users with MFA prompts at every login, the system scores risk signals such as whether the device is enrolled, where the request originates, whether that location is plausible given the previous login, the time of day, and how sensitive the resource is. A prompt appears only when the score crosses a threshold, so security stays invisible until the situation actually calls for it.
But here’s where it gets tricky. Even biometric systems have weaknesses, such as the “Windows Hell No” technique, which bypassed Windows Hello for Business by tampering with the biometric database. Microsoft’s mitigation is Enhanced Sign-in Security (ESS), which needs compatible hardware, so many existing devices can’t enable it. The practical check for any organization relying on Hello for Business is therefore how much of the fleet is actually ESS-capable. Attack paths like these aren’t going away anytime soon.
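To make the adaptive idea concrete, here is an added example of a risk scorer and decision function of the kind such a system runs on every login. It is illustrative code written for this page, not One Identity’s or any vendor’s logic; the signal weights, the 900 km/h “impossible travel” speed, the step-up and deny thresholds, and the sample user profile are all assumptions to be tuned per organization.

```javascript
// Added example (hypothetical policy logic, not any vendor's product code).
// Score a login from context signals and decide: allow silently, step up to
// MFA, or deny. Weights and thresholds are assumptions.

const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_SPEED_KMH = 900; // faster than a commercial flight
const WEIGHTS = {
  unknownDevice: 40,
  impossibleTravel: 50,
  newCountry: 20,
  offHours: 10,
  recentFailures: 20,
};

// Great-circle distance between two { lat, lon } points, in km (haversine).
function haversineKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// attempt: { deviceId, country, geo: {lat, lon}, at (ms epoch), localHour, failedLastHour }
// profile: { trustedDevices: Set<string>, lastSeen: { country, geo, at } | null }
function scoreLogin(attempt, profile) {
  let score = 0;
  const reasons = [];
  if (!profile.trustedDevices.has(attempt.deviceId)) {
    score += WEIGHTS.unknownDevice; reasons.push('unrecognised device');
  }
  if (profile.lastSeen) {
    const hours = (attempt.at - profile.lastSeen.at) / 3600000;
    const km = haversineKm(profile.lastSeen.geo, attempt.geo);
    // hours <= 0 (clock skew or replayed timestamp): any movement is impossible.
    const impossible = hours <= 0 ? km > 0 : km / hours > MAX_PLAUSIBLE_SPEED_KMH;
    if (impossible) {
      score += WEIGHTS.impossibleTravel;
      reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(1)} h`);
    } else if (attempt.country !== profile.lastSeen.country) {
      score += WEIGHTS.newCountry; reasons.push('new country');
    }
  }
  if (attempt.localHour < 6 || attempt.localHour >= 22) {
    score += WEIGHTS.offHours; reasons.push('off-hours');
  }
  if (attempt.failedLastHour >= 3) {
    score += WEIGHTS.recentFailures; reasons.push('recent failed attempts');
  }
  return { score, reasons };
}

// Map a score to an action; sensitive resources step up sooner.
function decide(score, sensitivity = 'normal') {
  const stepUpAt = sensitivity === 'high' ? 20 : 40;
  if (score >= 80) return 'deny';
  if (score >= stepUpAt) return 'step_up';
  return 'allow';
}

function evaluate(attempt, profile, sensitivity = 'normal') {
  const { score, reasons } = scoreLogin(attempt, profile);
  return { action: decide(score, sensitivity), score, reasons };
}

// Constructed sample data: a user whose last login was from Dublin at T0.
const DUBLIN = { lat: 53.35, lon: -6.26 };
const LONDON = { lat: 51.51, lon: -0.13 };
const SYDNEY = { lat: -33.87, lon: 151.21 };
const T0 = Date.UTC(2025, 8, 1, 9, 0); // 2025-09-01 09:00 UTC
const PROFILE = {
  trustedDevices: new Set(['laptop-8f3a']),
  lastSeen: { country: 'IE', geo: DUBLIN, at: T0 },
};

function demo() {
  const hourLater = T0 + 3600000;
  const routine = { deviceId: 'laptop-8f3a', country: 'IE', geo: DUBLIN, at: hourLater, localHour: 10, failedLastHour: 0 };
  const hijack = { deviceId: 'unknown-phone', country: 'AU', geo: SYDNEY, at: hourLater, localHour: 19, failedLastHour: 0 };
  const travelOnly = { ...hijack, deviceId: 'laptop-8f3a' };
  const london = { ...routine, country: 'GB', geo: LONDON };
  return {
    routine: evaluate(routine, PROFILE),             // allow, score 0
    hijack: evaluate(hijack, PROFILE),               // deny, score 90
    travelOnly: evaluate(travelOnly, PROFILE),       // step_up, score 50
    londonNormal: evaluate(london, PROFILE),         // allow, score 20
    londonHigh: evaluate(london, PROFILE, 'high'),   // step_up, score 20
  };
}
```

The London case is the one to notice: Dublin to London in an hour is plausible, so only the new-country weight applies, and the same login passes silently for an ordinary app but prompts for MFA on a high-sensitivity one. That is the “invisible until it matters” behaviour in practice.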
The bottom line? Passwordless for its own sake isn’t a strategy. Security leaders who set “all or nothing” objectives risk alienating users and stalling their IAM programs before they ever reach maturity. Sometimes the most secure choice is also the simplest one, and yes, sometimes that is still a password, ideally one wrapped in risk-based step-up rather than a prompt at every login.