What is passwordless authentication?

Passwordless authentication verifies user identities without passwords or other knowledge-based factors. Instead, the security team verifies a user’s identity using either a “something you have” factor, an object that uniquely identifies the user (e.g. a mobile passkey or hardware security key), or a “something you are” factor (e.g. biometrics such as a fingerprint or facial scan). When used to satisfy multi-factor authentication (MFA) requirements and combined with single sign-on (SSO), passwordless authentication improves the user experience, strengthens security, and reduces the cost and complexity of IT operations. Additionally, by removing the need to issue, rotate, remember, or reset passwords, passwordless authentication lowers help desk volume, increases productivity by accelerating login times, and frees up IT teams for higher-value tasks.

MFA vs. passwordless authentication

Both MFA and passwordless authentication increase security by requiring users to provide more than just a password to verify their identity. But they are different in one important way: MFA increases security by requiring users to provide two or more independent factors to verify their identity—but one of those factors is very likely to be a password.

On the other hand, passwordless authentication avoids passwords entirely, thereby completely eliminating the vulnerabilities that passwords pose, along with the management hassles and help desk burdens they often create.

The problems with passwords

Easily hacked

Unlike possession and inherence factors, traditional authentication is based solely on something the user knows, such as a password, which is by nature vulnerable to reuse, theft, and phishing. The 2025 Verizon Data Breach Investigations Report found that 2.8 million passwords were leaked or publicly compromised in 2024, and that 54% of ransomware was tied directly to passwords.

Constant management

Both IT staff and users must constantly manage passwords. For the average user, keeping track of ever-multiplying passwords of varying complexity is at minimum a hassle, and often a challenge. Forgotten passwords can delay work or trigger account lockouts. To aid memory, users often reuse passwords across accounts or write them down, further compromising an already weak system. Password reuse can also multiply the impact of hijacking, phishing, and data breaches, making it possible for an attacker to unlock multiple accounts with a single stolen password.

The high cost of passwords

For IT staff, managing password resets for legitimate users is an expensive and time-consuming task. In large enterprises, up to 50% of IT help desk costs go to password resets, and handling employee password resets alone can cost more than $1 million a year in labor. Time spent on password resets also takes away from higher-value work such as driving digital transformation and defending against sophisticated cyberattacks.

Why choose passwordless authentication?

Security

Weak or stolen credentials are among the most frequent and most damaging threat vectors that organizations face. The IBM Cost of a Data Breach Report found that phishing was one of the most frequent causes of data breaches, costing an average of $4.88 million and taking an average of 261 days to contain. Given that phishing attacks target credentials generally and passwords specifically, this statistic underscores the significant cybersecurity risk that passwords create for organizations, as well as the importance of implementing passwordless solutions.

When passwords are compromised, organizations face serious risks that could lead to data theft, financial losses, and damage to their reputation. Prioritizing secure credential policies and moving to passwordless are essential steps to guard against these frequent and avoidable vulnerabilities.

User experience

From a user-experience standpoint, the average enterprise user juggles an unwieldy 87 passwords for work-related accounts, creating both a burden and a security risk. The 2025 RSA ID IQ Report found that more than 51% of all respondents had to input their passwords six times or more for work every day. Remembering and keeping track of multiple passwords can lead to poor practices, such as reusing passwords or storing them insecurely, which further increases organizations’ cybersecurity risks. Simplifying user authentication not only enhances security but also improves the day-to-day experience for employees, reducing frustration and encouraging better password hygiene.

Total cost of ownership (TCO)

The total cost of ownership for password management is high, with password reset requests accounting for up to 50% of IT help desk call volume. Each reset request consumes time and resources that could otherwise be used on more strategic IT initiatives. Reducing the number of password resets through more secure and efficient authentication methods can cut costs and improve operational efficiency, freeing up IT staff for more impactful work.

Benefits of passwordless authentication

Passwordless authentication assures a user’s identity with a single strong method. For organizations, this means:

  • Better user experience: users no longer need to remember or update complex username and password combinations, which boosts productivity. Simplified authentication lets users log in faster and with less friction.
  • Stronger security posture: with no user-managed passwords, there is no password to be hacked, which removes a whole class of vulnerabilities and a leading cause of data breaches.
  • Lower total cost of ownership (TCO): passwords are expensive and require constant oversight and management by IT staff. Eliminating them removes the work of issuing, protecting, changing, resetting, and managing passwords and reduces the number of support tickets, letting IT focus on more pressing issues.
  • IT control and visibility: phishing, password reuse, and password sharing are common problems in password-protected systems. With passwordless authentication, IT regains full visibility into identity and access management.

How it works

As the name implies, passwordless authentication does not require a memorized password to verify identity. Instead, users authenticate with more secure methods such as:

  • Generated one-time passcodes (OTPs)
  • Mobile passkey
  • QR code
  • Code matching
  • FIDO2 security keys
  • Biometrics to complete the authentication process

Passwordless authentication uses a variety of authentication and cryptographic protocols. One major difference from traditional authentication is that passwordless credentials are not fixed and are not reused. Instead, new authentication data is generated at the start of each session.

Frameworks that support passwordless authentication
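As an added illustration (not code from the original page or from RSA), the following Go sketch shows the per-session, origin-bound challenge-response that FIDO2/WebAuthn passkeys and security keys rely on: the server stores only a public key, issues fresh random authentication data for every session, and verifies the device's signature under its own origin, so a captured assertion cannot be replayed and one signed for a look-alike site does not verify. The hashing layout, type names and the example origin are simplified stand-ins for the real WebAuthn structures, not their actual format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a device-bound passkey or security key: the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Assert signs the challenge together with the origin the browser actually connected to.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, toBeSigned(origin, challenge))
}

// RelyingParty is the server side for one user: a public key only, plus one single-use challenge.
type RelyingParty struct {
	Origin    string
	pub       ed25519.PublicKey
	challenge []byte
}

// Register creates a fresh key pair; only the public half is kept server-side.
func (rp *RelyingParty) Register() *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	rp.pub = pub
	return &Authenticator{priv}
}

// Begin issues new random authentication data for this session.
func (rp *RelyingParty) Begin() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}

// Finish verifies under the RP's own origin (so an assertion signed for a
// look-alike origin fails) and consumes the challenge (so a replay fails).
func (rp *RelyingParty) Finish(sig []byte) bool {
	c, pub := rp.challenge, rp.pub
	rp.challenge = nil // single use
	return c != nil && pub != nil && ed25519.Verify(pub, toBeSigned(rp.Origin, c), sig)
}

// toBeSigned stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON), binding the origin.
func toBeSigned(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}
```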

Cybersecurity standards and regulations are vital in validating modern authentication approaches. They can help teams determine which authentication or sign-in methods are worth investing in, building, and rolling out. In government agencies, banks, and other highly regulated, complex environments, they can also guide system design and audit checklists.

Organizations seeking to implement passwordless authentication successfully can look to a variety of frameworks to guide procurement, architecture, and implementation in regulated or security-first environments. The advanced and optimal stages of Zero Trust maturity, for example, call for phishing-resistant passwordless authentication such as a passkey or security key.

NIST 800-63 Compliance

  • NIST SP 800-63-3 outlines Digital Identity Guidelines for US federal agencies and critical infrastructure sectors.
  • Passwordless authentication supports Authenticator Assurance Levels AAL2 and AAL3.
  • RSA supports multi-factor authentication with phishing-resistant authenticators that meet AAL3.
  • Methods like FIDO2, biometrics, and cryptographic tokens can be mapped to NIST recommendations.

FIDO2 and Phishing Resistance

  • RSA supports FIDO2 and WebAuthn standards for hardware and software authenticators.
  • FIDO2 eliminates shared secrets (no stored passwords).
  • FIDO-certified hardware (e.g., RSA iShield Key 2) meets enterprise-grade requirements.
  • Supported use cases include workstation login, web apps, and cloud SSO.

Zero Trust Architecture (ZTA) Alignment

  • Zero Trust assumes no implicit trust in users or devices—identity is verified continuously.
  • Phishing-resistant passwordless authenticators (device-bound passkeys and security keys) support continuous authentication, device binding, and contextual access.
  • RSA integrates risk scoring, behavioral analytics, and adaptive authentication to enforce Zero Trust access decisions.
  • ZTA ties into broader IAM/GRC and endpoint security strategies.

Governance, Risk, and Compliance (GRC) Readiness

  • Strong authentication is a requirement across HIPAA, PCI-DSS, CJIS, and other compliance regimes.
  • Passwordless helps reduce audit scope and control overhead by eliminating password rotation, reset logs, and storage policies.
  • RSA provides audit trails and identity assurance metrics.

Switching to passwordless authentication

Moving from passwords for everything to a passwordless future is best done one step at a time. Use the following best practices to guide your implementation:

  1. Take a phased approach that does not overload users. Start with one access point or user group and expand gradually so users have time to learn the system.
  2. Focus on convenience as much as security. The easier an authentication method is to use, the more likely users are to follow the rules.
  3. Apply strong authentication to vulnerable areas first. Where does traditional authentication put you most at risk? Start there.
  4. Keep the goal in sight. Steady improvements add up.

Organizations working in complex IT environments that span cloud, hybrid, on-premises, and legacy infrastructure should ask the following questions while evaluating passwordless solutions:

How can passwordless authentication scale across hybrid and multi-cloud environments without forcing a complete rebuild of existing infrastructure?

To enhance security and control costs, organizations that span complex environments should prioritize passwordless solutions capable of supporting every user everywhere they work. Without an enterprise-grade solution, organizations would need to implement point passwordless capabilities for individual user groups and environments. These niche solutions leave security gaps, are cumbersome for users, and are inefficient for security and finance teams to manage.

Enterprise-grade passwordless solutions remove these inefficiencies. By deploying one passwordless solution across environments, organizations enhance their security by gaining comprehensive visibility into all authentications and enforcing policies at scale. The best passwordless solutions will allow organizations to maintain the legacy and on-premises investments without “rip-and-replace” initiatives.

Can a passwordless solution provide consistent security and user experience across a remote and on-site workforce?

To provide consistent security and user experience, organizations need an enterprise-level solution capable of supporting every user in every environment. Lacking a cross-enterprise solution will result in organizations needing to deploy point capabilities for individual user groups and environments. These point solutions will not provide a consistent user experience and will create security gaps.

Customizable policy controls for governance and compliance

A successful passwordless strategy depends not only on using strong authentication methods that identify who has access, but also on tailoring access policies to organizational needs, to make sure each user has access to the right resources. Many passwordless solutions offer configurable policy engines that allow security and compliance teams to define role-based permissions, enforce separation of duties, and adapt access controls to specific governance requirements. These controls are essential in regulated environments where auditability, least-privilege access, and conditional authentication must align with internal policies and external standards.

Compatibility with existing identity systems

Many organizations rely on mission-critical infrastructure associated with on-premises identity providers such as Active Directory or LDAP. A flexible passwordless solution should be able to integrate with these legacy systems while also supporting cloud directories. This interoperability ensures a smoother transition by extending modern authentication to existing infrastructure, thus minimizing disruption and allowing IT teams to unify identity access without a full system replacement.

Meeting resiliency requirements

Resiliency is critical for passwordless solutions, to ensure they can continue to operate reliably even when threatened by attacks or other potential interruptions to operations. Regulatory frameworks like DORA and NIS2 (https://www.rsa.com/resources/blog/zero-trust/nis2-identity-it-and-ot-stay-operational-stay-resilient/) set forth guidance for this in areas such as incident reporting, business continuity, and third-party security.

Prepare for a passwordless future with RSA

RSA provides the world’s most widely deployed multi-factor authentication (MFA) capabilities, used and trusted by security-focused organizations in on-premises and cloud environments. RSA MFA includes:

  • A wide range of passwordless authentication options, including the FIDO-certified RSA iShield Key 2 series and RSA Authenticator App 4.5 for iOS and Android mobile devices; push-to-approve and code matching; fingerprint and facial biometrics; “bring your own authenticator”; and hardware tokens that represent the gold standard for. Each of these solutions delivers phishing-resistant capabilities that allow users to log into cloud/SaaS or web-based applications, as well as Windows and macOS machines.
  • RSA Ready partnerships with leading FIDO authentication vendors, ensuring out-of-the-box interoperability with FIDO-based passwordless solutions.
  • Risk scoring informed by advanced AI and machine learning that calculates access risk based on various signals like business context, device attributes, and behavioral analytics, then steps up or blocks authentication accordingly. The RSA passwordless environment also integrates with SOC tools like Splunk.
  • Protected self-service credential management options that eliminate password-dependent workflows to shore up security in onboarding, credential recovery, and emergency access.
  • Always-on strong authentication, with 99.99%+ availability and a unique multi-platform hybrid failover capability that ensures secure, convenient access even when network connectivity is interrupted.

Passwordless FAQs

What does it mean to go passwordless?

Going passwordless means eliminating passwords as a method of authentication and verifying user identities through more secure factors like biometrics (something you are) or possession-based factors (something you have) such as registered mobile devices or hardware tokens. Passwordless authentication removes the need for users to remember, reset, or manage passwords, while providing a stronger defense against phishing and credential-based attacks. With RSA, organizations can deploy passwordless authentication gradually, starting with high-risk areas and expanding to enterprise-wide coverage.

What technology is commonly used in passwordless authentication?

Passwordless authentication solutions use a combination of secure technologies, including FIDO2 security keys, biometrics (fingerprint or facial recognition), mobile push notifications, device-bound credentials, and one-time passcodes (OTPs). RSA passwordless options include the RSA iShield Key 2 Series for phishing-resistant hardware authentication, as well as mobile passkeys through the RSA Authenticator App. These technologies are aligned with frameworks like NIST 800-63, FIDO2, and Zero Trust Architecture to ensure secure and scalable deployment across hybrid environments.

Is passwordless really more secure?

Yes, passwordless authentication is significantly more secure than traditional password-based methods. Passwords are often the weakest link in security, as they can be phished, stolen, reused, or brute-forced. By eliminating passwords entirely, RSA passwordless solutions remove a major attack vector, protecting against phishing, credential stuffing, and man-in-the-middle attacks. Phishing-resistant authenticators, device-bound credentials, and biometric verification ensure that access is granted only to verified users, dramatically reducing the risk of credential-based breaches.