2025-2026 Pub. 15 Issue 2

lack the infrastructure to support passwordless methods, which can prolong the transition. With the rise of artificial intelligence and deepfakes, biometric spoofing, such as fingerprints or facial recognition, poses a serious threat without proper countermeasures. Liveness detection and other countermeasures can help reinforce biometric authentication. Lack of secure recovery options can also make it challenging for users if they lose access to their accounts. Well-designed passwordless authentication processes should include secure account recovery methods. Steps For Building a Passwordless Ecosystem As passwordless technology comes to dominate the authentication landscape, strategic planning is critical to ensure your institution meets industry standards and future regulatory scrutiny. Consider these steps to help your institution prepare for the transition. 1. Assess Technology Readiness: Identify systems within your technology stack that rely on password-based methods. Plan for upgrades where needed to support a cohesive implementation across your systems. 2. Build Your Passwordless Technology Stack: Replace password-based controls across your systems with phishing-resistant authentication methods like biometrics, security keys or passkeys. FIDO2 passkeys — an authentication method that combines device-based authentication (smartphone, security key) with biometrics or another passwordless credential — is largely upheld as the benchmark for authentication standards. Understanding which combination of methods works best for your institution is critical to ensuring a successful and secure rollout. 3. Develop a Hybrid Transition Model: Develop a plan to phase in passwordless authentication while maintaining compliance with existing password policies. A phased approach can help ensure smoother adoption and set you up for a successful transition as regulatory policies are updated to reflect these new methods. 4. Review Internal Policies: Review your current security policies and audit practices to ensure they support a passwordless ecosystem. Updating policies and procedures can help signal the significance of adopting this type of authentication to employees and stakeholders. 5. Establish Trainings and User Education: A passwordless system only operates as securely as its users, which is why it’s critical to get your employees on board with your new system once in place. Providing trainings and user education for employees promotes smooth adoption and minimizes operational disruptions. A Passwordless Future Is Coming — Strategic Adoption Is Key In an increasingly complex and sophisticated cyberthreat landscape, passwords are no longer enough to protect the security of your data and systems. It’s important that you start the conversation within your institution and explore authentication methods that align with your systems and institution. Starting the process for going passwordless now will help you maintain compliance and resiliency in the long term. For more insights from our trusted advisors at Plante Moran, scan the QR code. https://www.plantemoran.com/explore-ourthinking?utm_source=cba2025&utm_ medium=email&utm_campaign=PENFSG-2025_CBA Passwordless authentication eliminates the risk of a credential-based attack, enhancing overall security, usability and compliance. 11 Colorado Banker

RkJQdWJsaXNoZXIy MTg3NDExNQ==