Skip to main content

7,000 Password Attacks a Second: Why Passwordless Finally Has a Deadline

Nick Ross3 min read

TL;DR

  • Microsoft's 2024 Digital Defense Report counted 7,000 blocked password attacks per second over the past year.
  • More than 99 percent of identity attacks are password attacks; token theft and AiTM attacks are growing fast but remain a tiny fraction of attacks in the wild.
  • As of January 2025, MFA adoption covers only 41 percent of Entra sign-ins.
  • Passkey setup through Microsoft Authenticator recently left public preview, but the QR-code sign-in flow is still clunkier than a number-matching MFA prompt.
  • Hybrid environments, onboarding SOPs built around passwords, and device replacement remain the biggest barriers to passwordless adoption.

The death of passwords has been announced annually for at least five years, usually around the time someone demos a YubiKey. The skepticism is earned. What has changed is the data: Microsoft's Digital Defense Report (2024) (opens in new tab) and the company's recent user-experience research both point at a vendor preparing to push, not nudge. This post breaks down both, then gets honest about what the passwordless experience actually feels like for an end user as of January 2025.

What the attack data says

Microsoft Digital Defense Report statistics on password-based identity attacks

The Digital Defense Report's identity numbers are stark:

  • 7,000 password attacks were blocked per second over the past year
  • More than 99 percent of identity attacks are password attacks
  • Token theft and AiTM attacks have grown significantly in popularity and frequency, yet still represent a tiny fraction of attacks seen in the wild
Chart showing password attacks dwarfing token theft and AiTM attack volume

And then the number that genuinely surprises: MFA adoption still covers only 41 percent of Entra sign-ins. Microsoft's response to that gap has been steadily mounting pressure, security defaults, managed policies, registration campaigns. We expect the same playbook for passwordless in the near future, given the volume and continual growth in password attacks.

What Microsoft's passkey UX research found

In December 2024, Microsoft published "Convincing a Billion Users to Love Passkeys (opens in new tab)," which repeats the attack statistics and sketches a hypothetical journey toward passwords no longer being supported at all:

Microsoft's hypothetical journey toward retiring password support

The adoption numbers they report are encouraging, both for stopping password attacks and for blunting the AiTM attacks we keep seeing:

Passkey adoption and usage statistics from Microsoft's UX research
Sign-in experience nudging users to register a passkey

Two caveats before celebrating. Microsoft does not disclose the full size of the experiment audience or whether these were consumer or business users. And based on the screenshots, the nudges target a mobile sign-in experience, which is not what most Microsoft 365 users see day to day. That gap matters, as the next section shows.

The setup experience, honestly

Passkey setup in Microsoft Authenticator recently came out of public preview, making it the easiest way for a user to register a portable passkey. A few things worth knowing:

  • A user with an existing Authenticator profile can simply add a passkey to that profile.
  • For a brand-new user with no profile and no password, the workflow is: issue a Temporary Access Pass (TAP), sign in with it, and register the passkey. That is your new-user onboarding flow in a passwordless world. The video below shows that exact experience: watch the passkey setup walkthrough (opens in new tab).
  • Non-portable passkeys through Windows Hello can be baked into workstation onboarding, and in our view they offer an easier sign-in than Authenticator provides today.

The sign-in experience, also honestly

Signing in with an Authenticator passkey still has friction: the user points their phone camera at a QR code, which locates the passkey in Authenticator and fulfills the sign-in request. You can see it in the same video: watch the passkey sign-in flow (opens in new tab).

Compare that to today's proactive Authenticator prompt where the user types a number they see on screen. For end users who already treat MFA as an inconvenience, adding a QR-code scan is not going to go over well. The experience needs to keep improving before adoption feels natural.

The barriers nobody should gloss over

Beyond ordinary resistance to change, three constraints stand out:

  • Hybrid environment constraints. Legacy and hybrid environments may still need passwords for other systems, which makes a clean cutover impossible.
  • User onboarding changes. Temporary Access Passes have to be written into onboarding SOPs. That is a significant change for an MSP, and for the HR teams and managers across customer environments who have always issued passwords.
  • Lost or replaced devices. Honestly, not much worse than today's reality with Authenticator on phones, but it belongs in the plan.

There are surely more, but these are the ones that will surface first in real deployments.

Our verdict on the timeline

Will passwords end within a few years? The compromise and attack volume argue yes, but just like MFA, the constraints mean Microsoft cannot simply cut the cord, especially for hybrid and legacy environments. Two things tilt us toward optimism anyway. First, the move to Windows 11, with its TPM requirement, makes Windows Hello viable for many more users, and that experience already beats the Authenticator app. Second, the direction of Microsoft's pressure is unmistakable.

The practical takeaway: drive users into passwordless methods wherever possible today, especially in net new tenants, and absolutely in tenants that have not even adopted MFA yet. Starting them on passkeys skips a generation of pain.

Frequently asked questions

How does a new user sign in if they never get a password?

Through a Temporary Access Pass (TAP). The user signs in with the TAP, registers a passkey in Microsoft Authenticator, and authenticates with the passkey from then on. That TAP issuance step has to be written into onboarding SOPs, which is a real process change for MSPs and the HR teams who traditionally hand out passwords.

Is Windows Hello a better passwordless option than Authenticator passkeys?

For day-to-day workstation sign-in, we think so. Non-portable passkeys through Windows Hello can be baked into new user onboarding and avoid the QR-code scanning step entirely. The Windows 11 TPM requirement means more devices will support it by default.

Do passkeys also stop token theft and AiTM attacks?

They help. Microsoft's own statistics are encouraging not just for preventing password attacks but also against the rising AiTM attacks, because phishing-resistant credentials cannot be replayed by a proxy page the way a password and OTP code can.

Know which tenants are still living on passwords

MFA coverage, authentication methods, and phishing-resistant credential policies are exactly the controls that drift. CloudCapsule checks 250+ controls per tenant in 60 seconds so you can see who is ready for passwordless and who has not even finished MFA.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading