Authentication without passwords


The rise of passwordless technology 

The 2025 changes to Cyber Essentials Requirement for IT Infrastructure version 3.2 reflect the changes to login methods that are rapidly becoming more widespread.

The future is password free

Authentication methods that do not require a password at all are becoming increasingly commonplace, and Cyber Essentials has had to address this technology. For years, passwords have been the default method of authentication for a wide range of accounts and services, both at home and at work. And while passwords are accessible, cheap, and portable, they are also frequently reused, forgotten, guessed, brute-forced, and stolen. Many commodity attacks* aim to steal passwords as a way of gaining unauthorised access to systems. The inherent vulnerabilities of passwords were a key reason behind the 2022 update to Cyber Essentials, which mandated the additional use of multi-factor authentication (MFA) for all accounts and services accessible over the internet.

True passwordless authentication removes the need for passwords altogether and provides alternative forms of authentication to allow secure access. Such systems always use more than one factor of authentication; although none of the two or more factors is a password, they can involve a digital certificate (similar to a digital ID card) working behind the scenes, cryptographic methods, or biometric checks combined with codes from authenticator apps.

Defining Passwordless Authentication in Cyber Essentials

Passwordless technology is now included in Cyber Essentials and is defined as “an authentication method that uses a factor other than user knowledge to establish identity”.

There are numerous methods of verifying identity without using traditional passwords. Here are some common examples; sometimes these are used in combination:

  • Biometric Authentication: Uses biological traits of the person logging in, such as fingerprints or facial features, to confirm their identity.

  • Security Keys or Tokens: Involves physical hardware devices like USB security keys or smart cards.

  • One-Time Codes: Temporary codes sent via email, SMS, or a mobile app.

  • Push Notifications: Prompts on a smartphone to approve or deny a login attempt.

  • An app on a trusted device: This could be an authenticator app provided by Microsoft or Google.

  • Use of a ‘trusted’ or ‘known’ device or network: As you log in, the server you are connecting to uses a range of methods to uniquely identify your device or the network you are connecting from. This enables it to recognise the device on future logins and to alert you if a login is detected from an unknown device.

  • QR codes: These can be scanned by a camera on a connected device. The user will then simply follow the instructions on the screen to finish signing in.
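As an added illustration of the one-time-code and QR-code items above (example code written for this page, not NCSC or Cyber Essentials material), the following Python shows how an authenticator-app code (TOTP, RFC 6238) is generated and how a server verifies it without any password being involved. The account name and issuer are constructed sample values, and the shared secret is the RFC 6238 test secret so the output can be checked against the RFC's published vectors; a real secret is random, created at enrolment, and shown to the user only once, typically as a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 test secret (the ASCII string used in the RFC's SHA-1 test vectors).
# Used here only so results are checkable; a real device secret is random.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// key URI, the text an enrolment QR code carries (de facto Key URI format).

    The secret is base32-encoded without padding, as authenticator apps expect.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}"


class TotpVerifier:
    """Server-side check for codes produced by an authenticator app.

    The server stores only the shared secret; nothing the user *knows* is checked,
    which is what makes this a possession factor. Two checks a naive implementation
    tends to omit are included: a bounded clock-skew window and replay rejection
    (each counter value can be accepted at most once).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1      # highest counter already consumed

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        current = int(at) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:     # replay defence
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample enrolment for a hypothetical account.
    print(provisioning_uri(RFC6238_SHA1_SECRET, "alice@example.com", "ExampleCorp", digits=8))
    verifier = TotpVerifier(RFC6238_SHA1_SECRET, digits=8)
    code = totp(RFC6238_SHA1_SECRET, at=1111111109, digits=8)
    print("code:", code, "first use:", verifier.verify(code, at=1111111109),
          "replay:", verifier.verify(code, at=1111111112))
```

The clock-skew window means a code from the adjacent 30-second step is still accepted, so a phone whose clock is slightly off does not lock the user out; the replay check ensures that a code observed in transit cannot be reused even within that window. Rate-limiting attempts per account is still needed on top of this, since a short numeric code can be guessed if unlimited tries are allowed.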

Read the full NCSC guidance about trusted authentication methods


Adapting to the Future

As we look to the future, the shift towards passwordless authentication represents a significant step forward in cyber security. By eliminating the vulnerabilities associated with traditional passwords, organisations can enhance their security posture and reduce the risk of cyber incidents.


*What is a commodity attack?

When talking about cyber attacks, the term ‘commoditised’ refers to the process by which certain types of cyber attacks become standardised, widely available, and relatively easy to execute, often due to the availability of tools and services that can be purchased or accessed with minimal effort or expertise. This commoditisation can lower the barrier to entry for cyber criminals, making it easier for a larger number of individuals or groups to carry out attacks.

The commoditisation of cyber attacks can lead to an increase in the frequency and variety of attacks, as more people are able to participate in cyber crime. It also means that defences need to be continually updated to keep pace with the evolving threat landscape.
