DEV Community

Anupp

Why Relying Only on Passwords Is No Longer Secure Enough for UK Users

Passwords have been the backbone of digital security since the 1960s. And yet, in 2025, they remain the single biggest reason people get hacked.

I find that a bit absurd, honestly. We've built extraordinary infrastructure around distributed systems, zero-trust architectures, and cryptographic protocols, but the average user is still guarding their bank account with a string of characters their dog could probably guess. If you work in or around the UK's tech space, this contradiction gets harder to ignore every year.

The conversation around biometrics, trust and safety, and stronger authentication has moved well past theory. What was once a niche developer concern is now squarely a public infrastructure problem.

The Numbers Behind the Problem

Half of UK businesses and around a third of charities reported experiencing some form of cybersecurity breach or attack in the last 12 months, according to the UK Government's Cyber Security Breaches Survey 2024.

Phishing was the most common attack type: 84% of the businesses that experienced an attack identified phishing, and the same survey estimates around 7.78 million cyber attacks against UK businesses in the 12 months it covers.

Here is the thing about phishing: it works precisely because a password can be handed over. A convincing fake login page is all it takes. A passkey cannot be handed over in the same way. The biometric check only unlocks a private key that never leaves the device, and the browser will only sign a login challenge for the site the key was registered to, so a look-alike page gets nothing it can replay against the real one. That asymmetry is why phishing-resistant authenticators saw a 63% increase in adoption over the past year, while SMS-based authentication fell from 17.5% to 15.3% of usage across organisations, according to figures reported by TechRadar. A quiet but real shift.

Why Passwords Keep Failing

The problem is not that passwords are weak in theory. It is that the way humans actually use them is structurally broken.

FIDO Alliance data found that users manually enter passwords about 1,639 times per year, around four to five times daily. Almost 60% of respondents admitted to abandoning an online service simply because they could not remember their password.

That friction has consequences beyond frustration. When people struggle to remember secure passwords, they reuse them. Researchers found that 2.8 billion passwords were available on criminal forums in 2024, and 94% of compromised credentials were reused or duplicated across multiple accounts.

Verizon's Data Breach Investigations Report has for years put stolen or weak credentials at the centre of hacking-related breaches; the often-quoted figure is around 80% of them. That is not a niche attack vector. That is the main road.

Biometrics and Trust: What the Shift Actually Looks Like

The term "biometrics" covers a lot of ground — fingerprints, facial recognition, iris recognition, and behavioural patterns. But the core idea is consistent: instead of something you know (a password), authentication uses something you are. That distinction matters more than it sounds.

FIDO-based authentication is phishing-resistant for two reasons. First, the server stores only a public key; the private key stays in the authenticator and is unlocked locally by a biometric or PIN, so a breached credential database gives an attacker nothing to log in with. Second, the credential is bound to an origin: the browser includes the relying party ID in the data the authenticator signs and will only use a passkey for the site or app it was registered to, so even if a bad actor sets up a convincing fake login site, the passkey simply does not work there.

UK organisations and government bodies are starting to take this seriously at an institutional level. The NCSC has a stated objective for the UK to move beyond passwords in favour of passkeys, describing them as secure against common threats, including phishing and credential stuffing. The UK government's adoption of passkeys across its digital services was welcomed by the FIDO Alliance as setting a strong example for both the public and private sectors.

From a developer's perspective, this is the right direction. The underlying standard, FIDO2/WebAuthn, is already supported across all major platforms. Over 95% of iOS and Android devices are now passkey-ready, with full integration across Apple, Google, and Microsoft ecosystems.

Where Biometrics Sit in the Bigger Identity Picture

Authentication is only one piece of the digital identity stack. The question of who is authenticating — proving that a real, unique person is behind a login — is where things get more interesting for developers building at scale.

Proof of personhood is an area gaining real traction. Projects like World are exploring how biometric-backed identity protocols can establish that someone is a unique human without exposing their personal data, using zero-knowledge proofs to verify identity while preserving privacy. That approach is worth paying attention to if you are working in identity infrastructure, particularly as AI-generated accounts and bot traffic make user verification harder to trust at the application layer.

The point is not to promote any one tool. The broader design question matters: how do you build systems where identity is verifiable, trust is not just assumed from a shared secret, and the weakest link is not a password someone typed in 2019 and never changed?

Multi-Factor Authentication Is Not Enough on Its Own

Many UK teams have already moved to MFA. That is genuinely better than nothing. Okta data shows 70% MFA adoption across the industry, an all-time high. Within EMEA specifically, 69% of organisations have implemented MFA over the past three years.

But MFA built on top of passwords still inherits password vulnerabilities. If the first factor is compromised, the second factor becomes the only real barrier, and the common second factors are weak in the same way the password was: an SMS code can be intercepted by SIM swapping, and any one-time code, whether sent by SMS or generated by an app, can be relayed in real time by a phishing page that proxies the genuine login, because nothing ties the code to the site it was typed into.

Over half of FIDO's respondents reported an increase in suspicious messages and scams, with 52% noting those scams had become more sophisticated. AI-powered phishing now lets attackers converse convincingly in real time, making it harder to distinguish legitimate banking communication from a social engineering attempt.

MFA helps. But MFA paired with a phishing-resistant primary authentication layer helps significantly more.

What UK Developers Should Actually Be Thinking About

If you are building authentication flows today, a few things are worth keeping in mind.

The FIDO2/WebAuthn standard is stable and widely supported. Implementing passkey support is no longer an experimental move; it is table stakes for anything security-conscious. The UX case is also strong: some passwordless solutions reduce login time to under two seconds, compared to more than ten seconds with traditional passwords. After making passkeys available to all users, Amazon reported that sign-in success rates improved by 30%.

On the UK regulatory side, the ICO publishes guidance on the security measures UK GDPR expects of anyone processing personal data, and the NCSC publishes technical guidance on authentication and password policy. If you are handling user credentials, you already have obligations around how those are stored and protected. Moving toward passkeys reduces that exposure significantly: a server that holds only public keys has no password hashes to leak.

The global passwordless authentication market was projected at USD 18.36 billion in 2024, with estimates suggesting growth to USD 86.35 billion by 2033, driven by escalating threats, remote work adoption, and the K. That growth reflects real enterprise spending decisions, not wishful thinking.

The Privacy Question Nobody Wants to Skip

Biometric data is sensitive in a way that passwords are not. If your password leaks, you change it. If your fingerprint data leaks, you cannot change your fingerprint.

This is why storage architecture matters. In the FIDO2 model the biometric match happens on the device, to unlock the private key; nothing biometric is ever sent to a server. What crosses the network is a signed challenge, and what the server stores is a public key, so there is no central biometric database to breach. That design addresses most of the obvious concerns, and it is the reason the NCSC and ICO have generally been supportive of the approach.

The more complicated privacy questions arise when biometric data is held centrally, or when it is used for purposes beyond authentication. Under UK GDPR, biometric data processed to uniquely identify a person is special category data, so a design that stores or matches templates server-side needs an Article 9 condition and usually a data protection impact assessment. Those are valid concerns and worth building into your design reviews from the start, not retrofitted after launch.

Conclusion

The truth is that passwords were never designed for the internet we actually built. They made sense when a handful of users shared a time-sharing mainframe and the threat was a colleague down the hall. They make considerably less sense when a single credential, reused across forty accounts, is the only thing standing between an attacker and someone's financial history.

The UK's move toward passkeys at a government level, the NCSC's public stance, and the industry-wide shift toward biometrics and trust as a design principle are all pointing in the same direction. As developers and security professionals, the practical question is not whether to move beyond passwords. It is whether to do it now or wait until a breach forces the decision.

Building stronger authentication into your systems today is not a significant technical lift. The standards are solid, the tooling is mature, and the user experience is genuinely better. The only thing lagging is inertia.

FAQs

Why are passwords alone no longer considered safe for UK users?

Passwords are vulnerable to phishing, credential stuffing, and reuse across accounts. The UK Government's own research shows that 84% of businesses that suffered an attack identified phishing, and the vast majority of compromised credentials are reused passwords. A single leaked password can grant access to multiple accounts simultaneously.

What is biometric authentication and how does it improve security?

Biometric authentication verifies identity using physical traits, such as fingerprints or facial recognition, rather than a memorised string of characters. Under the FIDO2 standard the biometric stays on your device and only unlocks a private key; the server holds a public key that is bound to its own site, so there is no biometric or password database to steal and a fake login page cannot use the credential. It also removes the friction of forgotten passwords entirely.

Is multi-factor authentication with passwords still worth using?

Yes, MFA is meaningfully better than passwords alone. However, if the primary factor remains a password, the system still inherits password-related vulnerabilities. SMS-based second factors are also susceptible to SIM swapping attacks. Pairing MFA with a phishing-resistant first factor, such as a passkey or biometric, is more robust than layering MFA on top of a password alone.

What is the UK government doing about password security?

The UK government has committed to deploying passkeys across its digital services and the NCSC has publicly stated its objective to move beyond passwords in favour of phishing-resistant authentication. Passkeys, based on the FIDO2/WebAuthn standard, are being positioned as the preferred approach for both public sector and private sector authentication in the UK.

What should developers prioritise when moving away from passwords?

Start with FIDO2/WebAuthn passkey support. It is widely supported across all major browsers and operating systems, and the UX improvement is measurable. Review how credentials are currently stored and whether your system has fallback paths that still expose password vulnerabilities. From a compliance angle, UK GDPR and NCSC guidance on authentication both support the direction of travel toward cryptographic and biometric methods.
