Bylines

Passwords Are Now Material Cyber Risk 

Despite Years of Security Investment, Passwords Remain the Most Common Point of Failure in Enterprise Environments

Cyberattacks today rarely start with sophisticated exploits. More often, they begin with passwords.

Despite years of security investment, passwords remain the most common point of failure in enterprise environments—and one of the easiest ways for attackers to gain access. As phishing, credential reuse, and identity-based attacks continue to rise, relying on passwords as the primary gatekeeper is no longer just outdated. It is a business risk.

This matters because the conditions passwords were designed for no longer exist. Modern organisations operate across sprawling SaaS environments, remote and hybrid workforces, and constant third-party integrations. Access happens everywhere, all the time, and often under pressure. When authentication slows people down or fails outright, employees look for workarounds—and those shortcuts create openings attackers are quick to exploit.

Across APAC, employees lose an average of 1.33 workdays per month to IT issues, and half say digital friction has delayed critical business operations or projects. In markets like India, nearly two-thirds of workers have already turned to personal devices as workarounds. In that environment, authentication friction doesn’t just hurt productivity. It pushes risk into the hands of users who are simply trying to get their jobs done.

The Real Problem with Passwords

Passwords fail not because employees are careless, but because the model itself places too much responsibility on individuals. Complex requirements, frequent rotation, and layered prompts increase friction without meaningfully reducing exposure.

Predictable behaviours follow: passwords are reused, stored, shared, or entered into convincing phishing pages.

From a security perspective, passwords also lack context. A correct password reveals nothing about whether access is coming from a trusted device, a managed environment, or an unusual location. Security teams are left compensating with additional controls layered on top—monitoring, alerts, conditional access rules—while the core weakness remains.

The result is a widening gap between how access is secured and how attacks actually occur.

Identity Is Now the Frontline

As the traditional network perimeter has eroded, identity has become the primary control point. Every user, device, and application connection represents a potential entry path. That makes authentication decisions foundational to both security and resilience.

Single sign-on is a necessary starting point, but it is only effective when applied consistently. Gaps created by exempted applications or fragmented identity systems are difficult to see and even harder to manage. Treating identity as a partial solution leaves organisations exposed in precisely the places attackers look first.

Moving Beyond Shared Secrets

Modern authentication approaches—such as passkeys and platform-based credentials—address the structural weaknesses of passwords by design. They replace shared secrets with cryptographic credentials tied to a specific device and often verified biometrically. The credential itself is never transmitted in a form that can be intercepted or reused.

This significantly reduces exposure to common attack techniques, including real-time phishing attacks that capture passwords and one-time codes. It also improves the user experience by eliminating resets, lockouts, and repeated prompts that disrupt work.

Just as importantly, these approaches allow organisations to factor device trust directly into access decisions. Whether a device is known, managed, or compliant becomes part of authentication itself—not an afterthought.

Security Decisions Are Business Decisions

Authentication failures don’t just create security incidents. They disrupt operations, slow onboarding, and increase recovery time when something goes wrong. Strong identity foundations make access more predictable and incidents easier to contain.

That’s why identity security can’t be treated as a purely technical issue. Boards and senior leaders need visibility into identity risk in business terms: resilience, continuity, and the ability to restore access quickly under pressure.

Security leaders, in turn, have a responsibility to communicate clearly—setting realistic expectations, aligning security controls with how people actually work, and reducing reliance on fragile models that fail under stress.

The Risk Is Avoidable

Passwords persist because they are familiar, not because they are effective. But as attackers continue to scale phishing and credential abuse, relying on passwords as the primary authentication mechanism introduces unnecessary exposure. This shift is reflected in zero trust guidance, which increasingly emphasises phishing-resistant authentication as a baseline.

The tools to move beyond passwords already exist. The challenge is applying them consistently and aligning security, compliance, and business priorities around a shared understanding of identity risk.

Authentication today is no longer just about verifying who someone is. It’s about establishing trust in how and from where access occurs—every time. Passwords alone are no longer sufficient for that task.

Jan Bee

Jan Bee is the Chief Information Security Officer at TeamViewer and has worked in information security for more than twenty years. Before this role, he led Product Security and helped shape Trust and Safety initiatives. He also spent around ten years at Google working on secure software development and data protection at scale. His experience centres on building security that supports real business needs while creating team environments based on trust and collaboration.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *