When a recent news story circulated about billions of passwords leaking onto the Internet, IT administrators everywhere likely let out a groan.
Credential theft remains a key challenge facing businesses. In this case, multiple reports have stated that the exposure is likely just a collection of previously compromised credentials. But whether the credentials were new or not, the incident is a stark reminder of how pervasive credential theft is and of the importance of providing other forms of authentication.
Identity is the cornerstone of security in the age of AI, cloud services, distributed architectures, and remote workforces. It should come as little surprise to most that user identities are a primary target of attackers. In Okta's recent Customer Identity Trends Report, research revealed that 32% of respondents were "very concerned" about identity fraud. Additionally, in 2024, an average of 46% of all registration attempts across the Auth0 platform met the criteria of a signup attack. The median proportion of daily login attempts that exhibited clear malicious behavior was 16.9%.
As attacks mount, many users aren’t making the defender's job any easier. Nearly 7 in 10 consumers (68%) admitted to reusing the same password for multiple accounts, with 53% explaining that unique passwords were too hard to remember. This reality leaves enterprises in a bind. From a security standpoint, passwords — even unique, strong ones — are hard to remember and remain the target of phishers and infostealers. Yet they remain ubiquitous and popular among consumers.
"Old habits die hard," says Chitra Dharmarajan, Vice President of Security and Privacy Engineering at Okta. "Users have decades of experience with passwords. Entering a password feels simple and familiar."
She adds that this familiarity comes with a tradeoff. Passwords are less secure and easier to crack than other authentication methods: weak passwords can be brute-forced, and phishing is both pervasive and increasingly sophisticated. Multifactor authentication adds protection, but techniques such as MFA fatigue attacks and adversary-in-the-middle (AiTM) attacks can let attackers circumvent it, and brute-force login attacks remain a threat. According to data from the latest Customer Identity Trends Report, while MFA attacks are declining, the daily median proportion of MFA events across the Auth0 platform that were determined to be malicious was 7.3%.
"MFA reduces the risk of account takeovers, and can act as a canary in a coal mine," Dharmarajan says. "Unsolicited MFA prompts may indicate an attack is underway."
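One way a defender can operationalize the "canary" signal above, as an added example that is not Okta's code or an Auth0 platform API: a small detector that scans MFA push events and flags a user who receives more prompts than expected inside a short window, treating denied or timed-out pushes as unsolicited and highlighting an approval that follows them. The log format, field names, window and threshold are assumptions.

```python
# Added example (not Okta's or the Auth0 platform's code): a simple MFA-fatigue
# detector. Log format, field names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one MFA push per line: timestamp, user, event, outcome.
SAMPLE_LOG = """\
2025-06-01T08:00:02Z alice push_sent approved
2025-06-01T12:30:10Z bob push_sent denied
2025-06-01T12:30:41Z bob push_sent denied
2025-06-01T12:31:15Z bob push_sent denied
2025-06-01T12:31:50Z bob push_sent timeout
2025-06-01T12:32:20Z bob push_sent approved
2025-06-01T14:05:00Z carol push_sent approved
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window for counting prompts
MAX_PROMPTS = 3                # assumed limit: more pushes than this per window is suspicious

def parse_events(log_text):
    """Parse lines into (timestamp, user, outcome); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "push_sent":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[3]))
    return events

def find_mfa_fatigue(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: (prompts, unsolicited, approved_after_spam)} for users who got
    more than max_prompts pushes inside one window. Denied or timed-out pushes count
    as unsolicited; an approval following them is the case a defender most wants."""
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, items in by_user.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            burst = items[start:end + 1]
            if len(burst) > max_prompts and len(burst) > alerts.get(user, (0,))[0]:
                unsolicited = sum(o in ("denied", "timeout") for _, o in burst)
                alerts[user] = (len(burst), unsolicited,
                                unsolicited > 0 and burst[-1][1] == "approved")
    return alerts
```

Running `find_mfa_fatigue(parse_events(SAMPLE_LOG))` on the constructed log flags only bob, who received five pushes in about two minutes, denied or ignored four, and then approved one.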
That may come as cold comfort to anyone who has had their password stolen.
"As long as passwords remain common, there are certain steps users and businesses have to take to reduce the risk of accounts being compromised," she says. "Not reusing passwords is one, and choosing strong passwords with 12 characters or more is another. Avoid using dictionary words and sequential numbers like 1234, and mix up the character types — some uppercase and lowercase letters, some symbols, and so forth."
Enforcing those rules falls to password management systems and help desk employees.
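A policy check that encodes the rules quoted above, as an added example rather than Okta's code: it flags passwords shorter than 12 characters, fewer than three character types, sequential digit runs such as 1234, dictionary words, and reuse of an earlier password on the same account. The word list, the history hashing and the thresholds are assumptions.

```python
# Added example (not Okta's code): a checker for the password rules quoted above.
import hashlib
import string

MIN_LENGTH = 12
MIN_CLASSES = 3  # of: lowercase, uppercase, digit, symbol
# Constructed stand-in for a real dictionary or breached-password word list.
DICTIONARY = {"password", "welcome", "summer", "okta", "admin", "letmein"}

def has_sequential_digits(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending digits (1234, 4321)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def contains_dictionary_word(pw, words=DICTIONARY, min_len=4):
    """Case-insensitive substring match against the word list (words >= min_len)."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)

def character_classes(pw):
    """Count how many of the four character types appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)

def hash_for_history(pw):
    """Assumption: history is keyed by SHA-256 only to keep the example short; a real
    store keeps the same slow password hash (e.g. bcrypt/Argon2) as the credential store."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw, previous_hashes=frozenset()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character types")
    if has_sequential_digits(pw):
        problems.append("contains a sequential digit run such as 1234")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if hash_for_history(pw) in previous_hashes:
        problems.append("reuses a previous password")
    return problems
```

`check_password("Summer2024!!")` passes the length and character-mix rules but is still rejected for the dictionary word, which is the kind of "strong-looking" choice a help desk sees every day.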
"Think about the time help desks spend doing password resets alone," she adds.
A passwordless world
Getting users to try something different will require focusing on education and user experience, Dharmarajan says. Users need to know that a passwordless approach will be seamless and secure, and can help protect them from the data breaches they so often read about.
However, convincing consumers to move toward a passwordless approach still takes work. The Customer Identity Trends Report revealed that 73% of respondents rated passwords as "convenient" (33%) or "very convenient" (40%). Meanwhile, the number of those who felt the same regarding fingerprint biometric technology and FaceID was lower, with Baby Boomer and Gen X respondents rating them lower than Gen Zers and Millennials. However, 71% of respondents overall felt fingerprints were a "very secure" or "secure" login method, and 62% overall said the same of FaceID.
The numbers show that many consumers are open to passwordless authentication. Inside corporate environments, enterprise leaders should take an incremental approach to internal adoption, focusing on individual applications. Before rolling out passwordless technologies, they should start by asking some key questions, Dharmarajan says.
"Is there a centralized identity provider that can handle SSO for each application in the enterprise? Can user provisioning and de-provisioning be automated? Will the same identities and privileges stay in place when a new authentication method is introduced? These questions need to be answered before you can proceed," she says.
Passwordless solutions also have to integrate with legacy systems.
“Enterprise leaders should strive for broader adoption of passwordless technologies across the business,” she adds.
Whether it is consumers or company employees, winning over support for passwordless methods will take a focus on education and user experience. Anything that increases user friction too much will be rejected. According to the Customer Identity Trends Report, almost a quarter of respondents said they “always” or “often” abandon online purchases when they encounter sign-up or login problems, and 40% said they “sometimes do.”
“As security leaders, we often see a tension between robust security and seamless user experience,” says Dharmarajan. “However, achieving widespread adoption of more secure practices hinges on minimizing friction. Our goal must be to engineer security solutions that are inherently easy to use, making the safer choice the path of least resistance for our consumers."
Read the full Customer Identity Trends Report 2025 for more insights on password hygiene, signup and login experiences, and the threats facing customer identity today.