In 2022, Microsoft claimed that 330,000 people were hacked every day due to password theft. That staggering figure didn’t surprise many security chiefs, but it underscored a hard truth: passwords are a failing defense. Fast forward to 2025, and the company has doubled down on killing them altogether with passwordless systems—think biometrics, hardware keys, and mobile authenticators.
But here’s the thing: enterprises are caught in a messy transition. While Microsoft pushes enterprises toward its Entra ID (formerly Azure Active Directory) with passkeys at the center, rivals like Okta, Apple, and Google are pushing their own flavors. CIOs are asking, if we ditch passwords, are we actually safer—or just trading one set of risks for another? For investors, security vendors, and tens of thousands of IT departments worldwide, that question isn’t just academic. It defines budgets, risk posture, and in some cases, shareholder confidence.
The Data
Every major breach headline in the last decade has some variation of the same root cause: a compromised password. According to Verizon’s 2024 Data Breach Investigations Report, 61% of hacks began with stolen credentials. Meanwhile, IBM’s 2024 Cost of a Data Breach Report found that the average breach now costs $4.88 million, with credential theft as the primary attack vector.
Yet, despite years of warnings, adoption of passwordless technology remains uneven. A 2023 Gartner survey showed that only 23% of large enterprises had rolled out passwordless authentication for the majority of users. Compare that to the buzz: press releases make it sound like everyone’s already switched. Clearly, the hype cycle is ahead of reality.
Microsoft, however, claims its approach is gaining traction. By late 2024, nearly 50 million people were using “passkeys” through its ecosystem. That number will likely triple by 2027, according to IDC projections, given that Windows machines ship passkey-ready out of the box. The firm is betting that ubiquity wins.
On the flip side, budgeting data reveals the wrench in the gears: replacing legacy password infrastructure at enterprise scale costs anywhere from $20 to $100 per user annually during migration, according to KPMG. For a global company with 50,000 employees, that’s a bill well into the millions, before factoring in training or downtime.
But there’s a catch. Many enterprises still maintain what IT executives quietly call “password crutches.” They enable fallback logins for legacy apps, partner portals, or just to appease nervous workers. In other words, passwordless often isn’t really passwordless at all—it’s hybrid.
The People

Inside Microsoft, the passwordless push is treated like gospel. One senior product manager told me on background: “Billions of people depend on Windows daily. If we don’t kill passwords, attackers will keep running up the scoreboard against us forever.” It’s not subtle messaging. But critics argue the company has a vested interest. If customers buy into Microsoft’s framework, they’re effectively locked into its identity and cloud stack.
Meanwhile, former Okta executives are whispering something different. “This smells like a classic standards war,” one said. He mentioned that while the FIDO Alliance has established an open framework for passkeys, each tech giant has tweaked the implementation. Apple ties it into iCloud. Google leans on Android and Chrome. Microsoft wraps it around Entra. Execution matters, but so does control of the identity layer.
CISOs (chief information security officers) aren’t blind to this. A Fortune 500 CISO, who spoke to me under the condition of anonymity, said bluntly: “We love the theory, but passwordless doesn’t solve the politics of identity. Once we commit to one ecosystem, getting out takes a decade.”
So, in less corporate-speak: the battle isn’t just about passwords. It’s about who owns the keys to the digital kingdom of enterprise identity.
The Fallout
The stakes are obvious. As regulators crack down on ransomware fallout, boards are explicitly funding security with accountability in mind. After the Colonial Pipeline attack in 2021, disclosure rules tightened. By 2025, the SEC requires public companies to disclose material cyber incidents within four business days. If your password policy caused a $100 million breach, you can bet it’ll be in the investor notes the next quarter.
Analysts now predict that enterprises adopting passwordless systems may cut breach-related losses by 40% within five years. Sounds good—but implementation failures could lead to outages just as damaging as a hack. Gartner noted in 2024 that 17% of passwordless rollouts failed in their first year, often because of user confusion or system lockouts. Imagine 20,000 employees unable to log in for a day, and you can see why CIOs lose sleep.
For vendors, the upside is massive. MarketsandMarkets estimates the identity and access management (IAM) sector will top $34 billion by 2028. If Microsoft secures even half of that, it translates into billions in annual recurring revenue tied to Entra. That’s one reason Microsoft executives are so aggressive in public statements: the growth story feeds Wall Street as much as it reassures IT.
Yet investors are also wary. After Okta’s 2023 breach involving its customer support system, shares tumbled 11%. The message? Even identity vendors can’t always protect their own identities. That spooked CIOs, and by extension, shareholders. Microsoft, being larger, has more cushion, but it also carries more systemic risk. If its passwordless push fails—or worse, if it gets breached—the reputational fallout would rattle the sector.
So what is the consequence of all this?
For enterprises, the fallout is both technical and cultural. Companies that rolled out passwordless too aggressively often faced backlash from employees who saw biometrics as invasive or feared being locked out when devices failed. That creates real productivity hits—imagine 2,000 workers stuck waiting for IT because their thumbprint scanner glitched after a Windows update.
At the same time, the shift is accelerating cybercriminal adaptations. Early data shows attackers now pivot to SIM-swapping, man-in-the-middle attacks on push notifications, and device theft. Passwordless doesn’t end hacking—it just changes the terrain.
Meanwhile, for tech giants like Microsoft and Google, this is also a market-share play disguised as security altruism. If your company implements Microsoft Entra passkeys, you’re that much deeper into Azure’s identity ecosystem. If you adopt Apple passkeys, employees lean harder on the Apple ecosystem. This smells like the old operating system wars, except now the battlefield is your fingerprint.
Investors should keep an eye out: the identity and access management (IAM) market is set to hit $34 billion by 2028, per MarketsAndMarkets. Whoever locks in enterprise loyalty during this passwordless transition could own the most lucrative choke point in enterprise IT since Microsoft cornered email.
But here’s the snag: standards battles—like FIDO2 vs. proprietary implementations—could leave some CIOs shackled to one vendor. Analysts warn this looks less like open innovation and more like disguised lock-in. CIOs know it, but many feel the risk of doing nothing is worse, given fresh ransomware headlines every week.
Closing Thought
Here’s where it all lands: passwordless authentication feels inevitable, but it isn’t painless. Enterprises are stuck balancing long-term security gains against short-term migration risks and vendor lock-in. Regulators are watching. Shareholders don’t like surprises. And CIOs are rightly skeptical of any “silver bullet” narrative.
The provocative question—the one nobody at Microsoft or Okta will answer on record—is this: in trying to kill the password, have we just created an even bigger single point of failure?
Because if a future attacker compromises the very backbone of “passwordless,” the industry may look back and realize the cure carried its own disease.