London Daily

Focus on the big picture.
Wednesday, Oct 22, 2025

Why passwords don't work, and what will replace them

"Sarah", an actor based in London, had her identity stolen in 2017. "I got home one day and found my post box had been broken into," she says.

"I had two new credit cards approved which I hadn't applied for, and a letter from one bank, saying we've changed our mind about offering you a credit card."

She spent £150 on credit checking services alone trying to track down cards issued in her name.

"It's a huge amount of work and money," says Sarah, who asked the BBC not to use her real name.

Identity theft is at an all-time high in the UK. The UK's fraud prevention service CIFAS recorded 190,000 cases in the past year, as our increasingly digitised lives make it easier than ever for fraudsters to get their hands on our personal information.

So how should we keep our identities secure online? The first line of defence is, more often than not, a password.

But these have been in the news lately for all the wrong reasons. Facebook admitted in April that the passwords of millions of Instagram users had been stored on their systems in a readable format - falling short of the company's own best practices, and potentially compromising the security of those users.

Late last year, question-and-answer website Quora was hacked with the names and email addresses of 100 million users compromised. And Yahoo! recently settled a lawsuit over the loss of data belonging to 3 billion users, including email addresses, security questions and passwords.

No wonder that Microsoft announced last year that the company planned to kill off the password, using biometrics or a special security key.

IT research firm Gartner predicts that by 2022, 60% of large businesses and almost all medium-sized companies will have cut their dependence on passwords by half.

"Passwords are the easiest approach for attackers," says Jason Tooley, chief revenue officer at Veridium, which provides a biometric authentication service.

"People tend to use passwords that are easy to remember and therefore easy to compromise."

Not only would getting rid of passwords improve security, it would also mean IT departments would not have to spend valuable time and money resetting forgotten passwords.

"There is an annual cost of around $200 (£150) per employee associated with using passwords, not including the lost productivity," says Mr Tooley.

"In a large organisation that's a really significant cost."


'New risks'

Philip Black is commercial director at Post-Quantum, a company designing powerful encryption systems for protecting data.

He agrees that passwords are already a weak point. "You have to create and manage so many passwords. That's unmanageable, so people end up using the same passwords, and they become a vulnerability."

New rules laid down by the EU are designed to deal with that issue. The updated Payment Services Directive, known as PSD2 , require businesses to use at least two factors when authenticating a customer's identity.

These can be something the customer has in their possession (such as a bank card), something they know (such as a PIN), or something they are, which includes biometrics.

Overlooked in the past in favour of tokens, passwords, and codes sent by SMS, interest in biometrics is growing. According to the 2019 KPMG International Global Banking Fraud Survey, 67% of banks have invested in physical biometrics such as fingerprint, voice pattern and face recognition.

This year, NatWest began trialling debit cards with a fingerprint scanner built directly into the card itself.

Biometrics offer a more frictionless consumer experience, but has been held back by the need for specialised equipment. With the latest smartphones, many of us now carry the necessary hardware in our pockets. Research by Deloitte has found that a fifth of UK residents own a smartphone capable of scanning fingerprints, and that number is rising fast.

Yet just as our personal data is vulnerable to thieves, biometric information can also be stolen. In September, Chinese researchers at a cybersecurity conference in Shanghai showed it was possible to capture someone's fingerprints from a photo taken from several metres away.

If you think resetting your password is difficult, try changing your fingerprints.

To boost security, companies are increasingly relying on multiple factor authentication (MFA) which seeks to identify people using as many different ways as possible.

This can include not just explicit measures such as PINs and fingerprint scans, but background familiarity checks such as your location, purchase history, keystrokes, swiping patterns, phone identity, even the way in which you hold your phone.

"Is biometrics going to replace passwords? No, a combination of factors is going to replace passwords, we are and we should be moving toward this," says Ali Niknam, chief executive of Bunq, a mobile banking service.

Yet there is a risk of that this sort of multi-factor authentication, while secure, will make the authentication process even more opaque. If you don't know what is being used to identify you online, how can you protect that information?

"I'm careful about internet security - my date of birth isn't anywhere, my address isn't anywhere," says Sarah.

"I'm 33, relatively young and tech-savvy, but I'm not sure I'd know how to be more careful."

She does remember, however, that one bank initially refused to cancel the account the thief had opened in her name, because she didn't know the password.

Newsletter

Related Articles

0:00
0:00
Close
‘Frightening’ First Night in Prison for Sarkozy: Inmates Riot and Shout ‘Little Nicolas’
White House Announces No Imminent Summit Between Trump and Putin
US and Qatar Warn EU of Trade and Energy Risks from Tough Climate Regulation
Apple Challenges EU Digital Markets Act Crackdown in Landmark Court Battle
Nicolas Sarkozy begins five-year prison term at La Santé in Paris
Japan stocks surge to record as Sanae Takaichi becomes Prime Minister
This Is How the 'Heist of the Century' Was Carried Out at the Louvre in Seven Minutes: France Humiliated as Crown with 2,000 Diamonds Vanishes
China Warns UK of ‘Consequences’ After Delay to London Embassy Approval
France’s Wealthy Shift Billions to Luxembourg and Switzerland Amid Tax and Political Turmoil
"Sniper Position": Observation Post Targeting 'Air Force One' Found Before Trump’s Arrival in Florida
Shouting Match at the White House: 'Trump Cursed, Threw Maps, and Told Zelensky – "Putin Will Destroy You"'
Windows’ Own ‘Siri’ Has Arrived: You Can Now Talk to Your Computer
Thailand and Singapore Investigate Cambodian-Based Prince Group as U.S. and U.K. Sanctions Unfold
‘No Kings’ Protests Inflate Numbers — But History Shows Nations Collapse Without Strong Executive Power
Chinese Tech Giants Halt Stablecoin Launches After Beijing’s Regulatory Intervention
Manhattan Jury Holds BNP Paribas Liable for Enabling Sudanese Government Abuses
Trump Orders Immediate Release of Former Congressman George Santos After Commuting Prison Sentence
S&P Downgrades France’s Credit Rating, Citing Soaring Debt and Political Instability
Ofcom Rules BBC’s Gaza Documentary ‘Materially Misleading’ Over Narrator’s Hamas Ties
Diane Keaton’s Cause of Death Revealed as Pneumonia, Family Confirms
Former Lostprophets Frontman Ian Watkins Stabbed to Death in British Prison
"The Tsunami Is Coming, and It’s Massive": The World’s Richest Man Unveils a New AI Vision
Outsider, Heroine, Trailblazer: Diane Keaton Was Always a Little Strange — and Forever One of a Kind
Dramatic Development in the Death of 'Mango' Founder: Billionaire's Son Suspected of Murder
Two Years of Darkness: The Harrowing Testimonies of Israeli Hostages Emerging From Gaza Captivity
EU Moves to Use Frozen Russian Assets to Buy U.S. Weapons for Ukraine
Europe Emerges as the Biggest Casualty in U.S.-China Rare Earth Rivalry
HSBC Confronts Strategic Crossroads as NAB Seeks Only Retail Arm in Australia Exit
U.S. Chamber Sues Trump Over $100,000 H-1B Visa Fee
Shenzhen Expo Spotlights China’s Quantum Step in Semiconductor Self-Reliance
China Accelerates to the Forefront in Global Nuclear Fusion Race
Yachts, Private Jets, and a Picasso Painting: Exposed as 'One of the Largest Frauds in History'
Australia’s Wedgetail Spies Aid NATO Response as Russian MiGs Breach Estonian Airspace
McGowan Urges Chalmers to Cut Spending Over Tax Hike to Close $20 Billion Budget Gap
Victoria Orders Review of Transgender Prison Placement Amid Safety Concerns for Female Inmates
U.S. Treasury Mobilises New $20 Billion Debt Facility to Stabilise Argentina
French Business Leaders Decry Budget as Macron’s Pro-Enterprise Promise Undermined
Trump Claims Modi Pledged India Would End Russian Oil Imports Amid U.S. Tariff Pressure
Surging AI Startup Valuations Fuel Bubble Concerns Among Top Investors
Australian Punter Archie Wilson Tears Up During Nebraska Press Conference, Sparking Conversation on Male Vulnerability
Australia Confirms U.S. Access to Upgraded Submarine Shipyard Under AUKUS Deal
“Firepower” Promised for Ukraine as NATO Ministers Meet — But U.S. Tomahawks Remain Undecided
Brands Confront New Dilemma as Extremists Adopt Fashion Labels
The Sydney Sweeney and Jeans Storm: “The Outcome Surpassed Our Wildest Dreams”
Erika Kirk Delivers Moving Tribute at White House as Trump Awards Charlie Presidential Medal of Freedom
British Food Influencer ‘Big John’ Detained in Australia After Visa Dispute
ScamBodia: The Chinese Fraud Empire Shielded by Cambodia’s Ruling Elite
French PM Suspends Macron’s Pension Reform Until After 2027 in Bid to Stabilize Government
Orange, Bouygues and Free Make €17 Billion Bid for Drahi’s Altice France Telecom Assets
Dutch Government Seizes Chipmaker After U.S. Presses for Removal of Chinese CEO
×