Episode 85

Published on: 26th Nov 2025

The Death of Passwords: The Future of Authentication

Is passwordless authentication finally ready for prime time, or are we just replacing one set of problems with another?

Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim and in this episode, we're tackling one of the oldest challenges in information security: identity and access management.

I'm joined by David Higgins, CTO at CyberArk and Murtaza Hafizja, Senior Technical Product Marketing Leader from OneSpan, who bring decades of combined experience from the front lines of identity, authentication and access control. Together, we explore how the industry has evolved from simple username/password combinations to biometrics, passkeys and continuous authentication and where the technology is heading next.

Summary

We examine the persistent challenges around identity management, from the struggle between security and user convenience to the explosion of non-human identities that now need managing. David explains why privileged access management has evolved from credential vaulting to zero standing privileges and how cloud environments have created both opportunities and complexities with their tens of thousands of granular permissions. Murtaza tells us about the passwordless evolution, why risk-based authentication is making a comeback and the real barriers to rolling out modern authentication at scale.

Whether you're a CISO wrestling with third-party access, an IT manager trying to balance security with productivity or just someone interested in where authentication is heading, you'll get honest perspectives on what works, what doesn't and what's actually achievable.

Key Talking Points 

  1. The Passwordless Evolution and What It Really Means: Learn why passwords are finally on their way out (mostly), how passkeys and biometrics have moved from niche to mainstream and why the technology that failed 20 years ago is now becoming the de facto standard for authentication.
  2. Zero Standing Privilege and the Cloud Permission Problem: Discover how cloud environments have paradoxically made privilege management both more granular and more complex, why organisations are moving away from permanent permissions and how just-in-time access is becoming essential for modern infrastructure.
  3. Continuous Authentication and Behavioural Analysis: Understand why a single login authentication isn't enough anymore, how attackers are owning identities by exploiting help desks and why monitoring user behaviour patterns might be the key to stopping credential-based attacks before they cause damage.

On the shift to credential-based attacks:

"Attackers aren't breaking in anymore, they're logging in."

David Higgins, CyberArk

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:

  • The Evolution of Identity Management: How authentication has cycled through different approaches over 30 years, from basic username/password to biometrics that failed, then succeeded, and why we're finally at a point where passwordless is achievable at scale.
  • From Too Little Granularity to Too Much: Why early operating systems forced an all-or-nothing approach to permissions, how cloud providers now offer tens of thousands of different roles and entitlements and why this has made the principle of least privilege almost impossible to implement upfront.
  • Zero Standing Privilege as the New Normal: How organisations are moving away from permanent permissions toward just-in-time access, why no one should have standing privileges anymore and how this approach aligns with modern cloud environments.
  • The Passwordless Movement Goes Mainstream: What's changed to make passwordless authentication viable now, why passkeys are moving from hype to implementation and the real challenges of rolling out modern authentication to millions of users.
  • Third Party and Non-Human Identity Challenges: The growing problem of managing identities for contractors, suppliers, automated systems and AI, and why this volume of identities is creating new security and access control headaches.
  • Continuous Authentication and Risk-Based Approaches: Why logging in once isn't enough anymore, how behavioural analysis can detect when an owned identity is being misused and why risk-based authentication is making a comeback after years of being overlooked.
  • The Help Desk as Attack Vector: How attackers are purchasing stolen credentials then simply calling help desks to reset MFA tokens, why context matters as much as credentials and what this means for authentication strategies.
  • Balancing Security Friction with User Acceptance: Why completely frictionless security is impossible, how to find the right balance between protection and productivity and why users will find workarounds if authentication becomes too painful.
  • Privileged Access Management Evolution: How PAM has evolved from simple credential vaulting to addressing root causes, why managing secrets at scale remains challenging and the shift toward eliminating standing privileges entirely.
  • The Privacy vs Security Dilemma: Concerns around government databases for digital ID verification, the risks of centralised identity storage and why securing authentication data is becoming more critical as we move toward digital-first validation.
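The continuous-authentication and help-desk points above are easiest to see in code. What follows is an added example written for these show notes, not code from the episode, CyberArk or OneSpan: a small risk-based authentication check in Python that scores each login against a user's baseline (known devices, usual countries, last login, time of the last help-desk MFA reset) and returns allow, step-up or block. The signal weights, the 30/70 thresholds, the two-hour "impossible travel" window, the 24-hour post-reset window and the three login events are all illustrative assumptions constructed for the example.

```python
"""Risk-based (continuous) authentication: score each login against the user's
baseline and decide allow / step_up / block.

Added example. The weights, thresholds and time windows below are assumptions
chosen for illustration, not any vendor's policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    country: str
    device_id: str
    mfa_method: str          # "passkey", "totp", "sms" or "none"


@dataclass
class UserBaseline:
    known_devices: set
    usual_countries: set
    last_login: Optional[LoginEvent] = None
    mfa_reset_at: Optional[datetime] = None   # last help-desk MFA reset, if any


# Illustrative weights (assumption): how much each signal raises the risk score.
WEIGHTS = {
    "new device": 30,
    "unusual country": 20,
    "impossible travel": 40,
    "MFA reset within 24h": 30,
    "phishable factor": 10,
}
STEP_UP_AT, BLOCK_AT = 30, 70   # score thresholds (assumption)


def risk_signals(ev: LoginEvent, base: UserBaseline) -> list:
    """Return the names of the risk signals this login trips."""
    hits = []
    if ev.device_id not in base.known_devices:
        hits.append("new device")
    if ev.country not in base.usual_countries:
        hits.append("unusual country")
    prev = base.last_login
    if prev and prev.country != ev.country and ev.ts - prev.ts < timedelta(hours=2):
        hits.append("impossible travel")      # two countries inside two hours
    if base.mfa_reset_at and ev.ts - base.mfa_reset_at < timedelta(hours=24):
        hits.append("MFA reset within 24h")   # a help-desk reset is itself context
    if ev.mfa_method in ("sms", "none"):
        hits.append("phishable factor")
    return hits


def decide(ev: LoginEvent, base: UserBaseline) -> tuple:
    """Return (decision, score, signals). Only an 'allow' updates the baseline,
    so a blocked or challenged login never becomes the user's new normal."""
    signals = risk_signals(ev, base)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
        base.last_login = ev
    return decision, score, signals


def demo() -> list:
    """Constructed scenario (not real data): a normal login, a login shortly
    after a help-desk MFA reset, then the help-desk takeover pattern where
    a stolen credential is used from a new device in another country."""
    t0 = datetime(2025, 11, 26, 9, 0, tzinfo=timezone.utc)
    alice = UserBaseline(known_devices={"laptop-01"}, usual_countries={"GB"})
    events = [
        LoginEvent("alice", t0, "GB", "laptop-01", "passkey"),
        LoginEvent("alice", t0 + timedelta(hours=1), "GB", "laptop-01", "passkey"),
        LoginEvent("alice", t0 + timedelta(hours=1, minutes=30), "US", "unknown-77", "sms"),
    ]
    results = []
    for i, ev in enumerate(events):
        if i == 1:
            # Help desk resets Alice's MFA 30 minutes after her first login.
            alice.mfa_reset_at = t0 + timedelta(minutes=30)
        results.append(decide(ev, alice))
    return results


if __name__ == "__main__":
    for decision, score, signals in demo():
        print(f"{decision:8} score={score:3} {signals}")
```

The point of the example is the third login: the credential and the freshly reset MFA are both "valid", yet the context (new device, unusual country, a location change the user could not have made in 90 minutes, and a reset only an hour old) pushes the score past the block threshold. The second login shows the cheaper lesson: a recent help-desk reset alone is enough to demand a step-up, even from a known device.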


Resources Mentioned 

CyberArk

OneSpan 

Gartner Hype Cycle for Digital Identity 

FIDO Alliance

Principle of Least Privilege

AWS (Amazon Web Services)

Microsoft Azure 

Google Cloud Platform (GCP)

WebAuthn 

CTAP (Client to Authenticator Protocol)

UK Digital ID Verification


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


LinkedIn: Razorthorn Security

YouTube: Razorthorn Security

TikTok: Razorwire Podcast

Instagram: Razorwire Podcast

Twitter: @RazorThornLTD

Website: www.razorthorn.com


All rights reserved. © Razorthorn Security LTD 2025


About the Podcast

Razorwire Cyber Security Insights
Real conversations helping cybersecurity professionals sharpen their insights, strategy & leadership skills.
Cybersecurity is evolving — and so should you. Razorwire brings the open conversations that give you the edge.

Welcome to the Razorwire podcast — your resource for practical advice, expert insights, and real-world conversations on cybersecurity, information security (InfoSec), risk management, governance, security leadership, human factors, and industry trends.

Our mission is to help you build a stronger cybersecurity career while supporting a dynamic, agile community of professionals committed to continuous improvement.

Each episode brings you actionable advice and real experiences from your host, James Rees — an information security specialist with over 25 years of experience — and from a range of respected guests across the cybersecurity industry. Together, we explore everything from technical strategies and compliance challenges to security culture, communication skills, and leadership development.

James Rees is the founder of Razorthorn Security, providing expert consultancy and testing services to a wide range of organisations, including many Fortune 500 companies. His practical, no-nonsense approach helps organisations manage cybersecurity risks effectively while strengthening resilience.

The Razorwire podcast is designed for cybersecurity professionals who want to stay ahead, sharpen their skills, and confidently respond to the challenges of today's evolving threat landscape. We believe collaboration is key to stronger security — and Razorwire gives you the conversations that help you achieve it.

For more information about us, or if you have questions you'd like discussed on the show, email podcast@razorthorn.com or visit www.razorthorn.com.