
The passwordless shift: Capital One's strategic overhaul

At the RSA Conference 2025, Andy Ozment, Chief Technology Risk Officer at Capital One, took the stage with a candid and practical exploration of a topic that has long hovered at the intersection of aspiration and implementation: going passwordless. In his session, titled “Dude, Where’s My Password? The Challenges of Getting to Passwordless,” Ozment laid out the realities, trade-offs, and breakthroughs of Capital One’s ongoing transition to a password-free future.

The password problem

The premise is simple but critical: passwords are outdated. For decades, they’ve served as the default gatekeepers to digital systems, yet they remain a top vulnerability. Breaches, phishing, and credential stuffing continue to expose this flaw. Capital One, like many major institutions, recognized that even strong passwords paired with weak human behavior make for a security liability.

Moving away from passwords isn’t just about tightening security—it’s about building trust and convenience into the user experience.

A journey, not a switch

Capital One’s transformation didn’t happen overnight. It began with early groundwork:

Single Sign-On (SSO) in 2005, to simplify access across applications.

Multi-Factor Authentication (MFA) in 2015, initially using email, voice, and SMS—methods that were eventually deemed too vulnerable.

By 2019, MFA evolved to app-based one-time passcodes and push notifications.

In 2023, the major pivot came with FIDO2 security keys and biometrics.

Each phase built upon the last, showing that passwordless is less a product and more a strategy—a design philosophy woven into systems, policies, and culture.


Building the architecture for passwordless

Behind the scenes, several strategic moves enabled the shift:

Cloud migration: With its data centers closed by 2020, Capital One leaned fully into the cloud, gaining the flexibility needed to support modern authentication systems.

Modern authentication standards: OAuth, mTLS, and SAML helped unify identity access across a wide range of services.

Corporate device control: Authentication occurs on secure, managed devices—whether through native environments or virtual desktops.

By 2025, 89% of internal and 65% of external applications supported passwordless login. That figure continues to grow.

Hurdles on the road

Naturally, this transformation came with challenges:

Identity proofing: Registering users with strong assurance required new methods—smartphone scans of government IDs, video verification, and token-based checks.

User friction: Changing user habits always meets resistance. Support, education, and thoughtful onboarding were key.

Hardware constraints: Not everyone has a compatible device, so fallback options and kiosks are being explored, particularly for secure or restricted environments.

Looking ahead

Ozment’s message was clear: passwordless is not just a technical upgrade; it’s a cultural shift. It requires orchestration across IT, security, compliance, and user experience teams. But once implemented, the benefits—greater security, less friction, and increased trust—pay off exponentially.

Capital One’s journey is instructive, not because it’s finished, but because it is deliberate, iterative, and transparent. For those navigating similar transformations, the real question is no longer if we should go passwordless—but how soon we can get there.

Andriani has been working in the publishing industry since 2010. She has worked at major publishing houses in the UK and Greece, such as Cambridge University Press and ProQuest. She gained experience in different publishing departments, including editing, sales, marketing, research, and book launches (event planning). She started as Social Media Manager at 4i magazine but very quickly became Editor-in-Chief. At the moment she lives in Greece, where she mentors women on job and education matters, and she is the mother of three boys.