Passwordless authentication progresses but bad password habits hang on

We are now well into 2026, and while passwords have taken a lot of abuse, they’re still far from dead. Depending on perspective, the journey to a passwordless future could be nearing its end – or miles away from its destination. Regardless, the quest to bury the password continues, as biometrics-adjacent firms respond with integrations, analyses and assessments of the past decade of progress.

Oloid extends Workday partnership for passwordless authentication

Passwordless authentication provider Oloid has announced a “reinforced partnership” with Workday, through the integration of its Oloid Passwordless Authenticator product. A release says the partnership will help enterprises strengthen workforce security, simplify access, and improve efficiency for frontline employees.

“Frontline employees rely on dependable and secure access to workplace systems every day,” says Mohit Garg, CEO of Oloid. “Our partnership with Workday enables enterprises to modernize workforce access with passwordless authentication, strengthening security, reducing friction, and driving measurable efficiency at scale.”

For identity verification, time and attendance and access control, enterprises including Tyson Foods, Flex, Elevance Health and SRS Distribution deploy Oloid Passwordless Authenticator.  Unified digital and physical identity means reduced credential management costs, improved compliance, and consistent, secure access across multiple facilities and workforce environments.

Oloid Certified Passwordless Authentication for Workday is now available on the Workday Marketplace, and integrates directly or through an organization’s identity provider (IdP), such as Okta or Microsoft Entra ID.

Microsoft Entra rolls out passkeys on Windows

A post from Microsoft says it is introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. “This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” says the post.

It will be rolling out from mid-March 2026 through late April 2026.

Separate articles from Microsoft list steps to enable and enforce use of passkeys in Authenticator for Microsoft Entra ID and authentication methods in Microsoft Entra ID using FIDO passkeys.

Organizations now understand identity, but execution lags: Hypr

Identity assurance firm Hypr has released its sixth annual State of Passwordless Identity Assurance report. The study argues that the identity sector has entered “the Age of Industrialization,” where “innovation is tested by reality.”

“Organizations are moving from identity awareness to understanding, but have not yet achieved broad, enterprise-wide execution,” it says. According to Hypr’s data, meeting the demands of industrialization requires intuitive user experience that prioritizes the user across all workflow paths, integrated governance across HR, IT, Legal and Security, and high operational efficiency.

But the ecosystem also faces new risks: in what the report calls “a seismic shift in the threat landscape,” for the first time, generative AI and agentic AI have displaced stolen credentials as the primary identity security concern. Eight-seven percent of organizations have encountered audio or video deepfakes in identity-based attacks, and while 65 percent of attacks are detected within hours, AI automation allows data theft before manual intervention. Forty-five percent of surveyed organizations identify prerecorded video deepfakes as a primary concern. Call center voice cloning attacks and deepfake job candidates are also high on the list.

This shift, says the report, “signifies that the industry is no longer fighting a human-scale battle of leaked passwords, but an industrial-scale battle against automated agents and synthetic media.”

“Technical literacy is no longer the bottleneck; the challenge now lies in the mechanics of scaling across the enterprise,” says Bojan Simic, CEO of Hypr. “In 2026, automated agents will leak more passwords than people, shifting identity risk from human-scale errors to industrial-scale machine automation. We must move past point-in-time security and make identity verification a permanent part of how we manage every employee, from onboarding to offboarding.”

On passkeys, the report shows increased literacy at 64 percent, but enterprise-wide adoption “stalled at 43 percent.” Seventy-six percent of organizations still rely on legacy passwords, but 71 percent are moving toward passwordless adoption. Three quarters are likely to invest in passkeys or passwordless tools in 2026.

Password security: what changed from 2015 to 2025

What a difference a decade makes. Or does it? For ExpressVPN, cybersecurity researcher Jeremiah Fowler reflects on his discovery, in late 2025, of a massive exposed database containing 149 million logins, emails, usernames and passwords.

“I have often wondered if password security has improved or declined over the last decade, considering all the attempts to enforce stronger password rules (from companies with stricter rules or 2FA, password managers, journalists, experts, etc.),” Fowler writes. “The extended exposure time of this database allowed me to have a rare look at millions of credentials.”

Fowler’s diagnosis is not good: “my overall assessment is that between 2015 and 2025, the ‘lesson learned’ wasn’t that passwords got easier or more complex. It boils down to the fact that secure passwords that meet both modern standards and human memory are not compatible.”

In short, people aren’t doing what they’re supposed to to keep passwords secure. Convenience reigns; “in 2015 plain numeric strings dominated while in 2025 it appears that passwords are more often attached to names combined with numbers and a single special character.” Meanwhile, keylogger malware and infostealer malware have become a bigger threat.

“In the last 2 years I have seen an increase in infostealer data that has been publicly exposed through a misconfigured database,” says Fowler. “The value of stolen credentials combined with the advancement of criminal technologies, and easy access to AI make the threat landscape a very dangerous place at the present time.”

Article Topics

biometric authentication  |  biometrics  |  HYPR  |  Microsoft Entra  |  Oloid  |  passkeys  |  passwordless authentication  |  passwords