REDEFINING TRUST: WHY CREDENTIALS, NOT PASSWORDS, WILL SECURE ENTERPRISE

A survey found that 87% of IT professionals believe moving to passwordless authentication is essential for improving security. Yet 56% of organisations still rely on SMS-based onetime passcodes (OTPs) for logins, a method that still depends on passwords and is vulnerable to SIM-swapping and phishing attacks. This contradiction isn't just ironic; it's risky—and it exists in the gap between intent and implementation. Most IT teams understand the need for stronger authentication, but many remain tied to legacy systems that keep them exposed. Modern infrastructures are evolving faster than the authentication models that protect them, and attackers have long mastered exploiting user-managed secrets.

For years, the IT industry has agreed that passwords are obsolete, yet only a few organisations have taken decisive action to move beyond them. Enterprises have upgraded interfaces and layered in new controls, but the foundation—static, human-managed authentication—has largely remained untouched.

The UAE's decision to phase out OTPs by 2026 will accelerate the change to passwordless methods. By mandating the adoption of advanced authentication methods such as Emirates Face Recognition, biometric verification, and mobile-based soft tokens, the Central Bank of the UAE (CBUAE) is accelerating a transformation that much of the world has been too cautious to take on.

The UAE is forcing a long-overdue conversation: trust cannot depend on something users remember or receive, it must be something systems can prove. This shift will expose just how much password dependence truly costs enterprises today, not only in terms of security risk but also in everyday operations and user behaviour.

Hidden operational and behavioural costs