
Leaner Teams, Smarter Logins: Why Eliminating Passwords Is the Right Move for 2026

Kasey Cromer, Netlok | May 27, 2026

Executive Summary

In 2026, security leaders are being asked to defend more with less. The global cybersecurity workforce gap has reached 4.8 million unfilled positions, and AI upskilling is helping organizations stretch leaner teams further. But even the most capable, AI-assisted security team cannot overcome a broken front door. Passwords remain one of the most expensive, most exploited, and most friction-heavy elements in enterprise security. The answer is not a longer, more complex password. It is no password at all.

Photolok by Netlok is a passwordless identity provider built for this environment. It simplifies how employees log in, removes passwords from the equation entirely, and gives security teams the tools they need to protect people, not just credentials. For lean, AI-assisted teams managing complex identity surfaces, that combination is not just convenient: it is strategic.

The Workforce Gap Is Real, and AI Is Changing How Teams Respond

The cybersecurity talent crisis is no longer a projection. According to the ISC2 2025 Cybersecurity Workforce Study, there are an estimated 4.8 million unfilled cybersecurity positions globally. The World Economic Forum estimates that the industry would need to grow its workforce by 87% just to meet current demand. The financial consequences are concrete: IBM’s 2025 Cost of a Data Breach Report found that organizations with significant staffing shortages paid an average of $1.76 million more per breach than their better-staffed counterparts.

Many organizations are responding by investing in AI-powered security tools and upskilling existing staff. IBM’s 2025 Cost of a Data Breach Report found that organizations making extensive use of security AI and automation saved an average of $1.9 million per breach compared to those that did not, and reduced their breach lifecycle by an average of 80 days. AI is giving lean teams real leverage.

But AI cannot deliver its full potential if security teams are buried under preventable, low-value work. Password resets, account lockouts, MFA confusion, and access change requests consume a disproportionate share of IT and security attention every single day. For lean teams, every hour spent on password support pulls attention from threat detection and leaves a growing backlog of the strategic work that AI tools are meant to free them up to do.

Addressing front-end authentication demands is not just about employee experience improvement. It is a cost and risk reduction strategy for AI-assisted security teams.

Passwords Are a Seven-Figure Problem Hiding in Plain Sight

Most organizations have never calculated the true cost of their password infrastructure. When they do, the number is rarely small.

Forrester Research puts the average cost of a single helpdesk password reset at $70. Gartner estimates that 20% to 50% of all helpdesk calls are password-related. In large enterprises, this adds up to more than $5 million annually in password reset costs alone. Forrester Research estimates that employees spend an average of 11 hours per year on password-related tasks. In a company of 15,000, that translates to more than $5 million annually in lost productivity — before accounting for a single helpdesk call.

That number does not include the broader cost of digital friction. WalkMe’s 2026 State of Digital Adoption report, based on a survey of 3,750 executives and employees across 14 countries, found that workers now lose the equivalent of 51 working days per year to technology friction, up 42% from 2025.

The security risk compounds the operational cost. Phishing and stolen credentials consistently rank among the most common and costly initial access vectors in IBM’s annual breach research. Every password that exists is a credential that can be phished, guessed, stolen, or reused. And every reset process is an opportunity for a social engineering attack. The widely reported MGM Resorts breach in 2023 began with a social engineering call to the helpdesk. The technique works because helpdesk staff are trained to be helpful, and verifying identity over the phone is genuinely difficult to do with exact certainty.

Complexity Is Not the Answer

The instinct in enterprise security has long been to fight password risk with more complexity — longer strings, more special characters, requirements to change passwords every 30, 60, or 90 days, and unique requirements for every system. In practice, this approach increases cost without meaningfully reducing risk.

As password requirements become more demanding, reset volume and lockout rates increase — because complex passwords are harder to remember, and employees who forget them have no choice but to reset or get locked out. NIST’s updated password guidelines confirm this directly, noting that complexity requirements lead to user frustration and more frequent resets, not stronger security. The predictable result is that more employees reuse passwords across systems, store them insecurely, share credentials to avoid being locked out, or call support more often. These behaviors are not failures of awareness. They are rational responses to a system that asks too much.

For lean security teams, complexity-only strategies deliver the worst possible outcome: higher operational burden and sustained risk. The answer is not a harder password. It is a better system.

Why Biometrics and Passkeys Are Not Enough on Their Own

Biometrics and passkeys both represent real progress beyond passwords. But in 2026, neither is sufficient as a standalone authentication strategy.

iProov’s 2025 Threat Intelligence Report documented a 2,665% increase in virtual camera attacks and a 300% surge in face-swap attacks — techniques that use AI-generated faces and voices to fool identity verification systems into granting access as if a real, authorized person were present. The same biometric trait that was once considered uniquely yours is now a liability if it is publicly available.

Passkeys are a significant step forward in eliminating password reuse and phishing risk, but they carry their own limitations in enterprise environments. Device dependency creates complexity around lost, stolen, or replaced hardware. Shared workstations, common in healthcare, manufacturing, and retail, do not map cleanly to individual passkeys. Recovery flows often reintroduce the social engineering risks that passkeys were designed to eliminate.

Critically, neither biometrics nor passkeys has a built-in notion of duress. If a user is coerced into authenticating under threat, the system has no way to help the user. The login looks legitimate. Access is granted. And the security team has no signal that anything is wrong.

How Photolok Addresses the Gap

Photolok is a passwordless identity provider that sits at the identity layer, not the SaaS application layer. It integrates with platforms like Okta Workforce and replaces passwords entirely with photo-based authentication that is both simpler for users and harder for attackers to exploit.

Photo-based authentication. Users identify images from a photo panel rather than entering a password. These photos are not publicly available and cannot be predicted or replicated by AI. There is nothing to phish, nothing to crack, and nothing to share insecurely.

1 Time Photo. Users can configure up to five single-use photos for authentication. When a 1 Time Photo is active, only the first panel appears during login and the user’s standard login photos remain hidden. Once used, the photo cannot be reused. Even if an attacker records the session or captures the screen, they gain no usable knowledge about a person’s login photos. There are no patterns for AI to learn and no value in replaying what was captured.

Duress Photo. Users can configure up to two Duress Photos. If a user is forced to authenticate under coercion, selecting a Duress Photo triggers a real-time alert to security teams the moment it is chosen. The person doing the coercing sees a normal login. The security team sees an immediate distress signal.

This is a capability that passwords, passkeys, and biometrics do not provide. It protects the person behind the credential, not just the credential itself.
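To make the two behaviours described above concrete, here is a small, added Python model of a photo-panel login with single-use and duress photos. It is an illustration written for this article, not Photolok’s code, and it assumes things the text does not state: that each login panel shows one photo the user is expected to pick plus every enrolled duress photo and some decoys, that a duress selection still completes the login so the coercer sees nothing unusual, and that the alert is simply queued for the security team. Photo identifiers, user names and the decoy pool are constructed strings.

```python
"""Toy model of a photo-panel login with single-use and duress photos.

Added illustration, not Photolok's code. Identifiers are constructed
strings; the panel and alert behaviour are assumptions about how such a
feature could be modelled, not a description of the product."""
import secrets
from dataclasses import dataclass, field

MAX_ONE_TIME_PHOTOS = 5   # limit stated in the article
MAX_DURESS_PHOTOS = 2     # limit stated in the article
_rng = secrets.SystemRandom()


@dataclass
class Enrollment:
    standard: set[str]                                  # normal login photos
    one_time: list[str] = field(default_factory=list)   # consumed front to back
    duress: set[str] = field(default_factory=set)       # silent-alarm photos


@dataclass(frozen=True)
class LoginOutcome:
    granted: bool
    duress_alert: bool   # internal signal; never reflected in the user-facing response


class PhotoPanelIdP:
    """Hypothetical identity provider holding enrollments and a SOC alert queue."""

    def __init__(self, decoy_pool):
        self._users: dict[str, Enrollment] = {}
        self._decoys = list(decoy_pool)
        self.alerts: list[dict] = []   # stand-in for a SOC webhook / SIEM queue

    def enroll(self, user, standard, one_time=(), duress=()):
        standard, one_time, duress = set(standard), list(one_time), set(duress)
        if len(one_time) > MAX_ONE_TIME_PHOTOS:
            raise ValueError("too many 1 Time Photos")
        if len(duress) > MAX_DURESS_PHOTOS:
            raise ValueError("too many Duress Photos")
        # A photo must play exactly one role; overlap would make the duress signal ambiguous.
        if len(standard) + len(one_time) + len(duress) != len(standard | set(one_time) | duress):
            raise ValueError("photo ids must be distinct across roles")
        self._users[user] = Enrollment(standard, one_time, duress)

    def build_panel(self, user, size=9):
        """Panel for one login attempt: one photo the user is expected to pick,
        every duress photo (so the alarm is always reachable), and decoys.
        While a 1 Time Photo is active the standard photos are not shown."""
        e = self._users[user]
        expected = e.one_time[0] if e.one_time else _rng.choice(sorted(e.standard))
        shown = {expected, *e.duress}
        private = e.standard | set(e.one_time) | e.duress
        decoys = [d for d in self._decoys if d not in private]
        panel = list(shown) + _rng.sample(decoys, size - len(shown))
        _rng.shuffle(panel)   # position must carry no information
        return panel

    def authenticate(self, user, selected, panel):
        """`panel` is what this session was shown; a real server would bind it
        to the session itself rather than trust the client to echo it back."""
        e = self._users.get(user)
        if e is None or selected not in panel:
            return LoginOutcome(False, False)
        if selected in e.duress:
            # Same outcome as a normal login; the alert leaves out of band.
            # Dispatch asynchronously in practice so response timing is unchanged.
            self.alerts.append({"user": user, "event": "duress_login"})
            return LoginOutcome(True, True)
        if e.one_time:
            if selected == e.one_time[0]:
                e.one_time.pop(0)   # single use: replaying this pick now fails
                return LoginOutcome(True, False)
            return LoginOutcome(False, False)   # standard photos are hidden while a 1 Time Photo is active
        return LoginOutcome(selected in e.standard, False)


if __name__ == "__main__":
    idp = PhotoPanelIdP(decoy_pool=[f"decoy-{i}" for i in range(20)])
    idp.enroll("alice", standard={"beach", "dog"}, one_time=["kite"], duress={"lamp"})
    panel = idp.build_panel("alice")
    print("panel:", panel)
    print("one-time pick:", idp.authenticate("alice", "kite", panel))
    print("replay of same pick:", idp.authenticate("alice", "kite", panel))
    print("duress pick:", idp.authenticate("alice", "lamp", ["dog", "lamp", "decoy-1"]))
    print("alerts queued for SOC:", idp.alerts)
```

The point worth noticing for a detection team is the shape of `authenticate`: the duress branch returns exactly the object a normal login returns and records the signal somewhere the user-facing path never reads. Whatever the session is allowed to do after a duress alert (full access, a monitored session, a quiet revocation) is a policy decision the article leaves to the organization; the model only guarantees that the signal exists and that the coercer cannot tell it was sent.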

What Security Leaders Should Do Now

The shift to passwordless authentication does not happen overnight, but security leaders can take concrete steps today.

  • Audit your password reset volume. Understand what password-related support is actually costing your organization in helpdesk time, employee downtime, and IT capacity. The number is almost always larger than expected.
  • Identify your highest-friction authentication points. Where are users getting locked out most frequently? Which systems generate the most reset tickets? These are the places where passwordless adoption delivers the fastest return.
  • Evaluate your identity layer versus your app layer. Passwordless tools applied individually to each SaaS application create fragmentation. A passwordless identity provider that sits beneath all of your applications delivers consistent protection at scale.
  • Plan for coercion scenarios. Most organizations do not have protocols for what happens when an employee is forced to authenticate under threat. Duress detection at the identity layer is not a niche capability. For any organization using video-based or remote-work authentication, the lack of a duress function is a gap that cannot be ignored.
  • Align passwordless adoption with your AI security investments. The operational capacity you recover by eliminating password support goes directly back to the strategic work your lean team needs to be doing. AI tools are more effective when the people using them are not buried in preventable IAM noise.

The Bottom Line

In 2026, the cybersecurity workforce gap is not closing fast enough to rely on headcount alone. AI upskilling is giving lean teams real leverage, but only if the operational environment supports it. Passwords are one of the most persistent sources of cost, friction, and risk in enterprise security, and complexity-only strategies have proven they cannot fix the underlying problem.

Photolok eliminates passwords entirely, simplifies the login experience for employees, and gives security teams something no password, passkey, or biometric system provides: a real-time signal when someone is authenticating under duress.

Leaner teams deserve better tools. And better tools start with a better front door.


About the Author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] ISC2. ‘2025 Cybersecurity Workforce Study.’ 2025. isc2.org

[2] World Economic Forum. ‘Global Cybersecurity Outlook 2026.’ January 2026. weforum.org

[3] IBM. ‘Cost of a Data Breach Report 2025.’ 2025. ibm.com/reports/data-breach

[4] WalkMe. ‘State of Digital Adoption 2026.’ April 2026. walkme.com

[5] Forrester Research. ‘The Total Economic Impact of Passwordless Authentication.’ 2024. forrester.com

[6] CIO. ‘The Hidden Costs of Your Helpdesk.’ February 2025. cio.com

[7] iProov. ‘Threat Intelligence Report 2025.’ January 2025. iproov.com

[8] Netlok. ‘How Photolok Works.’ netlok.com

[9] NIST. ‘Digital Identity Guidelines: Authentication and Authenticator Management (SP 800-63B-4).’ 2025. csrc.nist.gov
