Passwordless authentication: what are you waiting for?

We hear a lot about the urgent need for phishing resistance, and to be sure, phishing does pose a significant threat—as recent attacks on Change Healthcare and Fidelity Investments demonstrate. We also hear a lot about the importance of passwordless authentication in making organizations phishing-resistant, with directives like M-22-09, Executive Order 14028, and M24-14 requiring more than just multi-factor authentication (MFA). OMB – M-22-09 states “Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems.”

But the need for passwordless goes beyond fighting phishing to more broadly creating authentication environments that offer real-world protection to repel cyberattacks of all kinds. As the Gartner® report Migrate to Passwordless Authentication to Enhance Security and Optimize UX points out, “Organizations that continue to rely on passwords—even as part of multifactor authentication (MFA)—are less safe than those that have migrated to passwordless methods.”

At RSA, we often wonder why more organizations haven’t made greater strides toward adopting passwordless authentication. The Gartner report takes a deep dive into the factors holding organizations back, shares practical recommendations for moving forward, and sets out a phased approach for taking every opportunity to move to passwordless authentication.

There’s no good reason to wait—and plenty of reasons to move ahead with passwordless

Given the adjustments to culture and systems that need to be considered when moving to passwordless, it might be reasonable for organizations to be hesitant about making significant moves toward it. But given the demonstrated risk of credential theft, taking action sooner rather than later makes sense. The more passwords your users have in your environment, the greater the risk.

If CISOs or identity and access management (IAM) leaders are worried about investing in new passwordless technology too soon, then in the meantime they will face the very real risk of being the victim of a credentials-based attack. Those cybersecurity risks seem to outweigh most organizations’ hesitation. The 2025 RSA ID IQ report found that 61% of organizations had plans to implement passwordless capabilities in the next year. The FIDO Alliance reports that 87% of companies are either deploying or plan to deploy passkeys to enhance security and UX. And it’s not just businesses: consumers are increasingly moving toward passwordless authentication, with more than 175 million Amazon customers now using passkeys to log in.

Best practices for implementing passwordless solutions

The Gartner report notes that organizations can successfully implement passwordless in manageable increments, stating that “IAM leaders should follow a phased approach.” The report proposes four specific steps organizations must take to implement passwordless:

  1. Identify use cases, starting with an inventory of where passwords are used.
  2. Agree on target states based on security and UX goals.
  3. Identify preferences among different methods and flows.
  4. Create a roadmap for workforce and customer use cases.

At RSAC Conference 2025, I explained that passwordless is a journey that requires as much auditing of current authentication methods and MFA deployment as it does planning for the future. Organizations may find that if they currently have strong authentication in place, they may already be halfway to getting to passwordless.

RSA: Capabilities and resources to support moving to passwordless now

The Gartner report states that “IAM leaders should implement passwordless methods where they are readily supported and take further action to extend passwordless authentication to other use cases.”

For organizations looking to implement passwordless solutions, RSA offers a wide variety of specific passwordless capabilities and resources, all available within the AI-powered RSA Unified Identity Platform.

  • Passkeys: RSA supports passkeys through the RSA Authenticator app, which allows users to register a device as a passkey and use it for passwordless authentication.
  • App-based push notifications: RSA offers app-based push notifications that allow users to approve or deny authentication requests from their mobile devices.
  • Device-based factors: RSA identity verification capabilities include linking identity to a specific device, not a set of credentials that can be targeted by phishing and other attacks.
  • Hardware-based authentication: The RSA iShield Key 2 Series of authenticators and the RSA DS100 authenticator both offer FIDO2-based passwordless authentication for use cases where biometrics or mobile phones may not be suitable, like when healthcare professionals need to wear plastic gloves and masks, or in clean rooms that don’t permit internet-connected devices.
  • Biometrics: RSA supports fingerprint and face recognition on both Android and iOS devices. We also support Windows Hello as a biometric authentication method for Windows users.

Go passwordless with RSA

Learn more about the passwordless capabilities available as part of RSA ID Plus, and sign up for a free trial to see for yourself how RSA can help speed your journey to passwordless authentication.

Download the Gartner report (in English): Migrate to Passwordless Authentication to Enhance Security and Optimize UX

Gartner, Inc. Migrate to Passwordless Authentication to Enhance Security and Optimize UX. Ant Allan, James Hoover. Originally published 30 August 2024

GARTNER is a registered trademark and service mark of Gartner, Inc., and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.