Passwordless adoption is accelerating

Recent coverage says passwordless authentication is rapidly maturing — biometric, behavioral, and device-centric methods are replacing passwords to measurably reduce credential-based breaches. Detection teams are already being asked to track fallback-to-password events and step‑down attacks as part of identity posture monitoring. (techtimes.com)

Okta’s 2025 Secure Sign‑in Trends Report measured a 63% year‑over‑year increase in adoption of phishing‑resistant authenticators and reported overall workforce MFA adoption at roughly 70%. (okta.com) A FIDO Alliance study tied to World Passkey Day 2025 found more than two‑thirds of consumers were familiar with passkeys, while a separate survey of 400 IT professionals reported two‑thirds rated passkey deployment as a “high or critical” priority for employee sign‑ins. (fidoalliance.org) (biometricupdate.com)

Proofpoint published a proof‑of‑concept showing that an Evilginx‑based phishlet can force an authentication downgrade by spoofing browser user‑agent strings to bypass FIDO support in Microsoft Entra ID, with researcher Yaniv Miron detailing the Safari‑on‑Windows spoofing technique. (proofpoint.com) (cybernoz.com) Academic research on “Browser‑in‑the‑Middle” and BitM+ attacks demonstrated practical methods that can defeat FIDO2/CTAP2/WebAuthn in controlled experiments, highlighting real‑time interception and DOM manipulation as viable research vectors. (link.springer.com)

Detection playbooks now include specific signals such as failed WebAuthn enrollment or attestation anomalies, explicit fallback‑to‑password events, and auth‑flow downgrade indicators. Rulehound documents a detection for failed WebAuthn enrollments, and Splunk’s public detections catalogue already lists Duo and other auth‑provider anomalies that can be repurposed for fallback‑and‑step‑down monitoring. (rulehound.com) (research.splunk.com)

Splunk’s solution guide maps platform capabilities to DoD Zero Trust pillars — including the User pillar and Visibility & Analytics — and Splunk Enterprise Security supports finding‑based detections and risk scoring, while Splunk SOAR automation rules can trigger playbooks such as account resets or conditional access changes when fallback or downgrade findings occur. (splunk.com) (help.splunk.com 1) (help.splunk.com 2) DoD policy milestones relevant to passwordless and identity posture include DTM 25‑003 (effective July 17, 2025), which formalized Chief Zero Trust Officer roles, and DoD ZT guidance plus the User Pillar maturity document, which define measurable identity controls and maturity levels useful for mapping passwordless controls and fallback monitoring to DoD Zero Trust assessments and the 2027 target‑level roadmap. (esd.whs.mil) (dodcio.defense.gov) (media.defense.gov)
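The three signal classes named above (repeated WebAuthn enrollment failures, fallback‑to‑password after a phishing‑resistant sign‑in, and a user‑agent that claims Safari on Windows as a downgrade indicator) can be expressed as simple stateful logic over sign‑in events. The following is an added illustration, not code from any vendor, detection catalogue or the reports cited; the event schema, user‑agent strings and the enrollment‑failure threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample user-agent strings (not captured from any real incident).
UA_CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
UA_SAFARI_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"
UA_SAFARI_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"

def ev(ts, user, event, method, ua):
    return {"ts": ts, "user": user, "event": event, "method": method, "ua": ua}

# Constructed sign-in events, loosely modelled on a generic IdP audit log (assumed schema).
EVENTS = [
    ev("2025-08-01T09:00:00Z", "alice", "auth.success", "passkey", UA_CHROME_WIN),
    ev("2025-08-01T09:05:00Z", "alice", "auth.success", "password", UA_SAFARI_WIN),
    ev("2025-08-01T10:00:00Z", "bob", "webauthn.enroll.failed", None, UA_SAFARI_MAC),
    ev("2025-08-01T10:01:00Z", "bob", "webauthn.enroll.failed", None, UA_SAFARI_MAC),
    ev("2025-08-01T10:02:00Z", "bob", "webauthn.enroll.failed", None, UA_SAFARI_MAC),
    ev("2025-08-01T11:00:00Z", "carol", "auth.success", "password", UA_CHROME_WIN),
]

ENROLL_FAIL_THRESHOLD = 3  # assumption: tune per tenant to control noise

def looks_like_safari_on_windows(ua):
    """Downgrade indicator: a UA claiming Safari on Windows. Apple discontinued
    Safari for Windows in 2012, so such a string is almost always forged to make
    an IdP believe the browser lacks WebAuthn support. Chromium-based browsers
    also carry a 'Safari/' token, so they are excluded explicitly."""
    return ("Windows NT" in ua and "Safari/" in ua
            and not any(t in ua for t in ("Chrome/", "Chromium/", "Edg/", "OPR/")))

def detect_findings(events):
    """Return (user, finding) tuples, processing events in timestamp order."""
    findings = []
    strong_auth_users = set()          # users who have completed a passkey sign-in
    enroll_failures = defaultdict(int)  # per-user failed WebAuthn enrollments
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if looks_like_safari_on_windows(e["ua"]):
            findings.append((user, "ua_downgrade_indicator"))
        if e["event"] == "webauthn.enroll.failed":
            enroll_failures[user] += 1
            if enroll_failures[user] == ENROLL_FAIL_THRESHOLD:
                findings.append((user, "repeated_webauthn_enroll_failures"))
        elif e["event"] == "auth.success":
            if e["method"] == "passkey":
                strong_auth_users.add(user)
            elif e["method"] == "password" and user in strong_auth_users:
                # Fallback: a user proven capable of phishing-resistant auth used a password
                findings.append((user, "fallback_to_password"))
    return findings
```

Each finding is a candidate for risk scoring or an automated response; a password sign‑in from a user who has never enrolled a passkey (carol) is deliberately not flagged as fallback, since there was nothing to fall back from.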
