Moving beyond passwords

For years, passwords have been treated as the first line of defence in cybersecurity. Yet despite increasingly complex password policies and multi-factor authentication (MFA) requirements, password-related breaches continue to dominate the threat landscape, with phishing and stolen credentials remaining common attack methods. For manufacturing and engineering businesses operating across complex digital environments that span production systems and distributed supply chains, the authentication challenge is particularly acute.

According to IBM’s X-Force Threat Intelligence Index, manufacturing accounted for 27.7 per cent of all cybersecurity incidents globally in 2025, retaining its position as the world’s most targeted industry for the fifth consecutive year. The figures highlight how cybercriminals continue to exploit weak, stolen and reused credentials as one of the easiest ways to gain access to corporate systems.

As organisations look for more phishing-resistant alternatives to traditional passwords, passkeys are increasingly emerging as a practical solution. As the NCSC explains, passkeys “only require user approval rather than needing to input a password”, making them “quicker and easier to use and harder for cyber attackers to compromise”. As a result, passkeys are increasingly being viewed as an important step towards strengthening identity protection and reducing password-related risk.

No password, no problem

A passkey is a cryptographic credential tied to a specific device and verified through something the user already does naturally: a fingerprint scan, a face recognition check or a device PIN. When a user authenticates with a passkey, a private key stored securely on their device signs a challenge from the server, without that key ever leaving the device. There is no shared secret to steal or phish.

The NCSC's new technical report confirms that passkeys are “at least as secure as, and generally more secure than, pairing the strongest password with two-step verification (2SV)”. Critically, the NCSC found that passkeys are highly resistant to phishing attacks and cannot be intercepted, reused or guessed in the way that passwords can. 

They also dramatically improve the user experience. Passkey logins can be completed significantly faster than the traditional username, password and verification code workflow. This removes the traditional trade-off between security and convenience.

Raising the Cyber Essentials baseline

The growing adoption of passkeys also aligns closely with frameworks like Cyber Essentials, which place increasing emphasis on access control, authentication integrity and protection against common attack techniques. While passkeys are not currently mandated within the certification itself, they directly support many of its underlying security principles by reducing organisational exposure to credential theft, and account compromise.

Manufacturing and engineering businesses contend with particularly wide authentication landscapes, where digital access spans everything from ERP and supply chain platforms to increasingly connected operational technology networks, creating multiple entry points for credential-based attacks.

For organisations pursuing Cyber Essentials or Cyber Essentials Plus, identity security is becoming increasingly crucial as threat actors continue to target authentication layers rather than attempting to breach infrastructure directly. Traditional password policies and MFA remain important controls, but they still rely heavily on user behaviour and can be undermined through phishing or credential reuse. 

Many organisations still treat MFA as the end goal for identity security, when in reality attackers have already adapted their tactics around it. Security teams are therefore placing greater emphasis on limiting exposure to authentication methods vulnerable to credential compromise and social engineering.

This becomes particularly significant within hybrid and cloud-centric environments, where identities increasingly act as the gateway to critical systems and applications. In these environments, passkeys offer a more phishing-resistant authentication model that strengthens cyber resilience while supporting a more mature and forward-looking approach to governance and identity assurance.

The end of the password era

Passwords are unlikely to disappear entirely overnight, particularly as many manufacturing and engineering organisations continue to operate legacy systems and mixed authentication environments. However, the direction of travel is becoming increasingly clear. As identity-based attacks continue to rise and phishing techniques become more sophisticated, organisations are being forced to reconsider whether traditional passwords remain fit for purpose as a primary security control.

Passkeys reflect a wider shift towards phishing-resistant authentication and a more resilient security posture built around today's threat landscape. For manufacturing and engineering organisations serious about cyber resilience, moving beyond passwords is rapidly becoming a strategic priority, one that compliance pressures and the growing frequency of credential-based attacks are only accelerating.

Martin Wegrostek is cyber security portfolio manager at OryxAlign

www.oryxalign.com