FoxPointe Security Hub

The Future of Passwords, Modern Authentication, and Updated NIST Guidance

January 7, 2026 by Dominic Brugno


Introduction and Abstract

In an era of evolving cyber practices and new technology, the way we authenticate users must evolve as attackers do.  For decades, passwords have been the standard defense, yet today they are the weakest link in securing any system.  Recognizing this, the National Institute of Standards and Technology (NIST) has updated its guidance to emphasize longer, more usable passphrases, and to discourage frequent forced resets.  At the same time, the security industry is accelerating a transition to passwordless and keyless authentication methods, including passkeys, biometrics, and device-bound credentials that significantly improve usability and reduce risk.

This article explores how the future of authentication is unfolding, why passwordless security matters, how it works, and how organizations can align with both NIST’s updated guidance and emerging authentication technologies.

Why Traditional Passwords Are Falling Short

Passwords remain ubiquitous because they are simple and universal, but that universality is now a major liability.  Recent reports estimate that stolen or reused passwords drive the overwhelming majority of breaches.  The challenges surrounding traditional passwords include:

  • Users creating short or easily guessable passwords, or reusing the same password across multiple accounts, both business and personal.
  • Password databases and credential caches being targeted frequently through phishing, credential stuffing, brute-force, and password-spraying attacks.
  • Recovery and reset mechanisms that rely on weak secondary factors, and organizations that lack universal MFA, leaving password security gaps that attackers can exploit with ease.

What NIST’s Updated Guidance Means

NIST has moved away from older password rules (short minimum lengths, frequent forced resets, and an overemphasis on complexity) towards guidance that is both more effective for security and more user-friendly.

Looking at the new guidance as a whole, a few notable changes include:

  • Longer passphrases – NIST recommends a minimum length of eight (8) characters for user-generated passwords but strongly prefers 15 characters or more for high-security accounts.  Maximum length guidance goes up to 64 characters.

Realistically, most organizations should sit in the 12-16 character range.

  • Less emphasis on character complexity alone – Instead of forcing special symbols or uppercase/lowercase patterns, the focus is on length, uniqueness, and memory-friendly constructs.

Requiring only one special character and emphasizing password “phrases” that are easy for users to remember is encouraged.  One example that I gave at a conference recently was for a user who likes to fish, so their password could be RainbowTr0utTastesGood23.

  • Avoid routine forced resets – Password changes should only be required if there is evidence or suspicion of compromise, not on a fixed periodic schedule.  This is probably the biggest and most notable shift in guidance.

Very commonly in the past, high-risk organizations, such as those dealing with healthcare and financial information, were encouraged to institute very short password ages, anywhere from 45 – 90 days.  This new guidance suggests that passwords should only be changed upon notice of breach or compromise, rather than on a regimented schedule.

A middle ground with which many organizations are seeing success is to increase the maximum password age to at least 180 or 365 days.  The longer interval is meant to encourage users to choose a unique, different phrase each cycle rather than making only slight changes to the existing password.  When password ages are short, users overwhelmed by frequent resets tend to reuse passwords across accounts or modify existing ones only slightly.  Using the example above, a user who struggles to remember a new passphrase every 45 days is probably taking RainbowTr0utTastesGood23 and changing it to RainbowTr0utTastesGood22.  This increases the risk that passwords will be compromised by attacks such as the brute-force attacks described above and rainbow-table attacks.

  • Discourage insecure recovery methods and encourage use of password managers – Security questions, hints, and similar recovery tools are discouraged; instead, stronger methods such as secure email/phone-based codes, and ideally multi-factor authentication (MFA), should be used.  NIST also encourages the use of password managers to manage passwords across multiple platforms.

Phone (SMS) and email-based codes are good starting points.  However, they are known to be the least secure forms of MFA, and many organizations are moving towards app- and push-based notifications with geolocation, such as Duo and Microsoft Authenticator, and biometrics such as fingerprint and face recognition.

Regarding password managers, enterprise-grade password managers are now available to all users of mainstream environments.  NIST previously discouraged them because they lacked proper security measures to protect password hashes.  As modern tools have become more secure and inexpensive, NIST has adjusted its guidance accordingly.  Password managers allow users to keep different passwords across platforms, reducing the impact of a password breach while taking the memory burden off users, who may feel that a variety of passwords is too much to handle.

It is important to revisit authentication practices regularly as the cybersecurity landscape evolves.  With security tools and practices being added to standard Google Workspace and M365 environments, these changes to authentication will continue to evolve.  NIST has concluded that, given modern attack methods and the modern threat landscape, the risk associated with infrequent password changes is less than the risk associated with password reuse, hence this new guidance.
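The guidance bullets above translate fairly directly into verifier-side checks.  The following is an added example written for this article, not code from NIST or from any product: it applies the length thresholds stated above, screens against a compromised/common-password list (a constructed stand-in for the compromised-password screening the strategy section below calls for), imposes no composition rules, flags the "23 to 22" style of lazy rotation described above using an edit-distance heuristic, and only requires rotation on evidence of compromise or past the relaxed 365-day age.  The 365-day ceiling, the blocklist contents and the two-edit similarity threshold are assumptions chosen for the illustration.

```javascript
// Added example (not the article's or NIST's code): a verifier-side policy check
// reflecting the guidance discussed above. Length thresholds come from the article;
// the blocklist, the similarity rule and the 365-day ceiling are constructed illustrations.
const POLICY = {
  minLength: 8,        // minimum for user-generated passwords
  preferredLength: 15, // preferred for high-security accounts
  maxLength: 64,       // accept passphrases up to at least this length
  maxAgeDays: 365,     // assumption: the "middle ground" age the article mentions
};

// Constructed stand-in for a compromised/common-password screen.
// A real deployment would query a breached-credential corpus instead.
const BLOCKLIST = new Set(['password', 'password123', 'qwerty123', 'letmein', 'welcome1']);

// Standard Levenshtein edit distance (single-row variant), used to catch "23" -> "22" changes.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Heuristic for the rotation anti-pattern the article describes: the new password is
// within two edits of the old one, or identical once trailing digits are removed.
function isTrivialVariant(previous, candidate) {
  const strip = (s) => s.toLowerCase().replace(/\d+$/, '');
  return editDistance(previous, candidate) <= 2 || strip(previous) === strip(candidate);
}

function evaluatePassword(candidate, { previous = null, username = '' } = {}) {
  const pwd = candidate.normalize('NFKC'); // compare on a stable Unicode form
  const findings = [];
  // Deliberately no composition rules (symbols, case mixing): the guidance favours length.
  if (pwd.length < POLICY.minLength) findings.push(`shorter than ${POLICY.minLength} characters`);
  if (pwd.length > POLICY.maxLength) findings.push(`longer than ${POLICY.maxLength} characters`);
  if (BLOCKLIST.has(pwd.toLowerCase())) findings.push('on the compromised/common-password list');
  if (/^(.)\1+$/.test(pwd)) findings.push('repeated single character');
  if (username && pwd.toLowerCase().includes(username.toLowerCase())) findings.push('contains the username');
  if (previous && isTrivialVariant(previous, pwd)) findings.push('only a slight change to the previous password');
  return {
    accepted: findings.length === 0,
    meetsPreferredLength: pwd.length >= POLICY.preferredLength,
    findings,
  };
}

// Rotation is driven by evidence of compromise, not a fixed schedule; the age ceiling
// is the article's relaxed 180/365-day middle ground rather than a 45-90 day cycle.
function rotationRequired({ lastChangedMs, nowMs, compromised = false }) {
  if (compromised) return { required: true, reason: 'evidence of compromise' };
  const ageDays = (nowMs - lastChangedMs) / 86_400_000;
  if (POLICY.maxAgeDays !== null && ageDays > POLICY.maxAgeDays) {
    return { required: true, reason: `age ${Math.floor(ageDays)} days exceeds ${POLICY.maxAgeDays}` };
  }
  return { required: false, reason: 'no compromise indicated' };
}

// Demo with the article's fishing passphrase and its lazy rotation.
console.log(evaluatePassword('RainbowTr0utTastesGood23'));
console.log(evaluatePassword('RainbowTr0utTastesGood22', { previous: 'RainbowTr0utTastesGood23' }));
console.log(rotationRequired({ lastChangedMs: 0, nowMs: 30 * 86_400_000 }));
```

The similarity check only works at change time, when the verifier briefly holds both the old and the new plaintext; it cannot be run against stored hashes later, which is one more reason to prefer longer ages and a blocklist over a short rotation schedule.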

The Rise of Passwordless and Keyless Authentication

Though improved password practices are vital, the real long-term leap forward is authentication methods that do not rely on a user-created password at all.  These passwordless and keyless technologies are rapidly becoming practical and mainstream as organizations modernize their identity and access frameworks.

What Is Passwordless/Keyless Authentication?

In a passwordless environment, authentication uses cryptographic credentials tied to a device or to user biometrics rather than something the user remembers.  For example:

  • A private key stored securely on a device, paired with a public key stored on the server; when the user authenticates, the device proves possession of the private key without transmitting it.
  • Biometric verification (fingerprint, facial recognition) or behavioral biometrics (typing rhythm, gesture patterns) that verify the user’s authenticity based on who they are rather than what they know.
  • Device-bound credentials embedded in hardware or in secure modules within mobile devices or laptops (Trusted Platform Module, Secure Enclave), which removes the need for physical tokens.

Keyless authentication further removes the need for physical keys or tokens, replacing them with software or hardware-embedded credentials inside trusted devices.  These methods deliver a more frictionless user experience and stronger protection against phishing, credential theft, and reuse.

Why Passwordless Methods Matter

When considering a transition to passwordless or keyless authentication, weigh the potential benefits of moving in this direction, which include:

  • Phishing resistance – Because private keys are never transmitted and cannot be ‘entered’ like a password, attackers cannot intercept or trick users into revealing them.
  • No password reuse or weak passwords – The elimination of user-created credentials removes common human risk factors.
  • Stronger cryptographic foundations – Public-key cryptography provides stronger defense than user-typed secrets.
  • Reduced attack surface – Removal of stored password hashes, password reset flows, and shared secrets simplifies the threat model.
  • Improved user experience – Users enjoy faster logins, fewer resets, and less friction, which drives adoption and reduces help-desk workload.
  • Better alignment with Zero Trust principles – Authentication becomes continuous and context-aware rather than relying solely on a static credential.

Integrating Both Approaches: A Balanced Strategy

For organizations seeking to modernize authentication without disruption, the best approach is phased:

1. Update password policy – Immediately adopt NIST’s guidance: longer passphrases, no forced resets or longer password ages, compromised-password screening, and secure recovery options.

2. Implement robust MFA everywhere – Even before full passwordless rollout, enforce strong multi-factor authentication to mitigate password risk.  This is a standard must-have for most organizations.  Not having MFA is considered a high-risk choice that could drive up cyber insurance premiums and increase your attack surface.

3. Pilot passwordless authentication – Select privileged users, IT personnel, or high-risk systems to deploy passkeys, hardware security keys, or device-bound credentials.

4. Monitor, evaluate, and refine – Track adoption, user satisfaction, login success/failure rates, help-desk impact, and security outcomes.

5. Expand broadly – After pilot success, extend passwordless authentication across the organization, ensuring compatibility with business apps, cloud services, and hybrid environments.

6. Maintain fallback and recovery plans – Ensure secure, user-friendly recovery options (device replacement, secure onboarding) and retain a hardened password system as backup during the transition.

7. Educate users – Communicate why authentication is changing, how new methods improve both security and usability, and what users should expect.

Conclusion

Passwords have served as the bedrock of authentication for decades, yet they are no longer completely sufficient for the threats of today or tomorrow.  With NIST’s updated guidance emphasizing longer passphrases, fewer forced resets, and enhanced recovery processes, organizations must elevate their password-based systems.  At the same time, the rise of passwordless and keyless authentication, leveraging cryptography, biometrics, and device-bound credentials, offers a future that is both more secure and more usable.

If your organization needs guidance on updating authentication policies or implementing passwordless solutions, or if you have general questions regarding new authentication, please reach out to me at dbrugno@foxpointesolutions.com or to one of my colleagues and we would be happy to assist!