LmCast :: Stay tuned in

Orgs Move to SSO, Passkeys to Solve Bad Password Habits

Recorded: Nov. 13, 2025, 5:04 p.m.


In 2025, employees are still using weak passwords. Instead of forcing an impossible change, security leaders are working around the problem.

Nate Nelson, Contributing Writer, November 13, 2025, 4 Min Read

New survey data indicates that organizations are pushing hard for passwordless authentication.

A significant chunk of online account passwords in 2025 remain basic and easy to crack — a fact that will surprise few. But last month, Dark Reading asked readers how their organizations are handling password security these days. The results were, perhaps surprisingly, optimistic.

As we enter the second quarter of the 21st century, rather than applying new Band-Aids to the problem, organizations finally appear to be moving toward a future with few to no passwords at all.

Passwords Don't Work

In the half century or so since personal computers first proliferated, users have had plenty of time to come up with novel, difficult passwords. But they seem to have spent that time on other pursuits instead.

Researchers from Outpost24's SpecOps recently analyzed a trove of 800 million leaked passwords. Instead of just tallying up all of the typical, most common ones we all know — "password," "abc123," etc. — they searched only for basic holiday-themed passwords. Even with this narrow parameter, ignoring the vast majority of other easily guessable passwords in the sample, they found around 750,000 culprits.

Nearly 100,000 accounts used "santa," and north of 200,000 were protected by, simply, "snow." Holiday shoppers used "blackfriday" or "cybermonday," and while thousands went with "xmas," "rudolph," etc., other account holders represented their own faiths with "kwanzaa" or "hannukah."

The point, of course, is that weak passwords will never go away. For a while — and even, too often, today — organizations ignored that fact, and tried simply forcing better password practices. The first, worst solution: dragooning employees into crafting complex strings of symbols, numbers, and variously cased letters.

Multifactor authentication (MFA) was a better idea, until attackers kept undermining its weaker forms. Now security leaders are reticent. Access control vendor Portnox, through Wakefield Research, recently highlighted that in a survey of 200 chief information security officers (CISOs) from major US organizations. A whopping 96% of those CISOs said they believe that MFA "can't keep up with today's threat landscape."

Lately, the shortcomings of "password hygiene" have inspired organizations to move en masse toward a different solution: getting rid of passwords altogether.

Companies Adopt More Secure Authentication

In October, Dark Reading asked readers how their organizations handled password security, and their responses indicate positive trends.

Just over a quarter of respondents worked at organizations that force employees to come up with passwords so labyrinthine that they'll inevitably have to be stored in Excel spreadsheets and iPhone Notes apps.

Around 17% of respondents were made to use more secure passphrases, with ideally random but also potentially simple to remember words.

Another fifth of respondents used password managers — a significantly more secure and user-friendly solution for password authentication.

The single largest cohort of survey respondents — one third of the total — reported that they now use single sign-on (SSO) or passkeys to get into their accounts, which severely limit or fully remove the use of the static password.

Though it already represents the biggest slice of the pie, Sectigo senior fellow Jason Soroko tells readers to "expect the mix to move steadily toward SSO with passkeys, as platforms ship passkeys by default and as real time phishing keeps eroding confidence in passwords and one-time codes. The password manager and passphrase slices will convert over time, and the traditional slice should shrink fastest in cloud heavy and regulated environments."

Headwinds to Passwordless Authentication

Reader polls have their limitations, and it could be that cybersecurity news junkies disproportionately represent cybersecurity-forward organizations. Yet the results of Dark Reading's poll are conservative compared to findings by other analysts.

In Portnox's CISO report, a full 92% of respondents indicated that they're implementing passwordless authentication. That figure sat at 70% just one year ago. Similarly, in a Keeper Security report from early 2025, 80% of organizations reported that they've adopted, or are at least planning to adopt, passkey authentication.

"This isn't just about checking a security box," says Portnox CEO Denny LeCompte. "The move is being driven by real business impact. Fifty-two percent [of respondents] cite reduced risk of phishing, password reuse, and credential exploits. Forty-one percent report improved productivity due to fewer login failures and reset tickets. Thirty-nine percent say user experience has improved [with passwordless authentication] — a key factor in driving adoption."

In this light, there actually appears to be a gap between how universally security leaders want to implement passwordless authentication, and how many organizations have already done so. Fletcher Davis, senior security research manager at BeyondTrust, blames three strong headwinds: "Lack of support for modern authentication methods within legacy applications and infrastructure, user resistance rooted in workflow disruption, and upfront costs to securely adopt and implement modern authentication methods. These barriers often compound each other, with legacy systems driving up migration and implementation costs, which delay rollouts and extend the period of user friction."

He says that "the result of these barriers is organizational paralysis, since the team remains reliant on password-based authentication, not because it’s secure or efficient, but because the path forward demands simultaneous coordination of technical migration, financial allocation, and cultural adoption."

About the Author

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Organizations are shifting toward Single Sign-On (SSO) and passkeys as a solution to the pervasive issue of weak and insecure passwords. This trend reflects a recognition of the limitations of traditional password-based authentication, driven by increasing cyber threats and a desire to improve user experience.

In 2025, a significant number of employees still use basic, easily guessed passwords, a situation that continues to pose a substantial security risk. However, Dark Reading’s survey of its readership revealed a growing optimism among security leaders regarding the transition away from passwords. This shift is characterized by a move toward a future predominantly devoid of static passwords.

The underlying rationale for this change stems from the long-standing shortcomings of password practices. Despite decades of advice, users have largely relied on simple, predictable credentials. Researchers, specifically from Outpost24's SpecOps, analyzed a massive dataset – 800 million leaked passwords – and found astonishingly prevalent basic holiday-themed passwords such as “santa,” “snow,” and “blackfriday.” These findings underscore the continued prevalence of insecure password habits.

Security leaders are increasingly adopting a more proactive approach, driven by industry insights and concerns regarding the escalating cyber threat landscape. Portnox, through a Wakefield Research study, found that 96% of CISO respondents believe MFA is inadequate to combat modern threats. This sentiment has spurred organizations to explore alternative authentication methods.

Dark Reading’s poll indicated a strong movement toward passwordless authentication. Just over a quarter of respondents worked for organizations forcing employees to create complex passwords stored in spreadsheets or notes apps. Roughly 17% utilized more secure passphrases, while a further fifth employed password managers – a significantly more secure and user-friendly solution. However, the largest segment – one-third of respondents – were leveraging SSO or passkeys, marking the most substantial adoption of these newer technologies.

This shift is not without its challenges. Vendors like Portnox emphasize the tangible business impact of this transition. Fifty-two percent of respondents cited a reduced risk of phishing, password reuse, and credential exploits. Forty-one percent reported improved productivity due to fewer login failures and reset tickets, while thirty-nine percent noted an enhanced user experience.

Despite the widespread desire for passwordless authentication, several headwinds remain. Lack of support for these methods within legacy applications and infrastructure, user resistance stemming from workflow disruption, and the upfront costs associated with secure adoption and implementation are significant barriers. These challenges have resulted in organizational inertia, as teams remain reliant on password-based authentication due to the complex coordination required for migration, financial allocation, and cultural adoption.

Key insights from industry analysts, such as Fletcher Davis of BeyondTrust, highlight three main obstacles: the incompatibility of legacy systems, user resistance, and the financial investment needed. This combination creates a “paralysis” effect, preventing organizations from fully embracing modern authentication methods.

The transition to SSO with passkeys is expected to continue as platforms default to these technologies. Jason Soroko, a senior fellow at Sectigo, predicts that the mix will steadily move toward SSO with passkeys. He believes that as platforms ship passkeys by default and as phishing attacks erode confidence in one-time codes, the password manager and passphrase segments will eventually convert, with the traditional password segment shrinking fastest in cloud-heavy and regulated environments.