Capital One is on track to eliminate the use of passwords for most internal and external employee-facing applications by the end of this year. One major effect of drastically reducing the use of passwords by employees is that it will “effectively eliminate entire classes” of cyberattack against the company, according to the bank’s chief technology risk officer, Andy Ozment. Specifically, going passwordless will eliminate phishing attacks, in which attackers steal employees’ passwords and one-time login codes, and password guessing attacks.

For Capital One specifically, passwordless authentication is implemented as multi-factor authentication using an X.509 device certificate and a FIDO2 passkey. X.509 is the standard that defines the format of these certificates. In some cases, devices unlock passkeys using a short PIN that the user must enter. This approach is still more secure than a password, because the PIN never leaves the device and the passkey it unlocks stays on the device, but the use of PINs has generated complaints at Capital One that the bank isn’t truly going passwordless.

Passwordless helps protect Capital One against specific attack vectors by blocking attempts in which an attacker obtains a password or a multifactor authentication (MFA) code from a text message or an app. More broadly, passwordless eliminates man-in-the-middle attacks, in which an attacker poses as the bank or intercepts communications that are meant to be secure. Passwordless eliminates these threats through asymmetric (public-key) encryption, under which a message can only be decrypted with the private key, which the device manages automatically and far more carefully than users can manage passwords. As a concrete example, “probably the largest single reduction in risk we’ll get from this initiative” out of Capital One’s passwordless journey, according to Ozment, was transitioning the company’s virtual private network (VPN) to passwordless.
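To make concrete why a passkey login resists the phishing and look-alike-site attacks described above, here is an added example (not Capital One’s code, and not taken from the article) that models a FIDO2/WebAuthn-style challenge-response in Go using only the standard library. The private key is generated inside the `Authenticator` and is never exposed; the PIN is compared on the device and never sent to the server; the server stores only the public key, issues a one-time random challenge, and verifies that the signed client data names its own origin. The origins `https://vpn.bank.example` and `https://vpn.bank-login.example`, the user name `alice` and the PIN are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData that the browser hands to
// the authenticator for signing. The browser, not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy model of the device side of a passkey: the private key
// is created on the device and no method ever returns it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  string // local unlock secret, compared on-device only (constructed model)
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// PublicKey is the only key material that leaves the device, at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign unlocks the passkey with the PIN and returns the serialized client data
// together with an ECDSA signature over its SHA-256 digest.
func (a *Authenticator) Sign(pin string, cd clientData) (cdJSON, sig []byte, err error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return nil, nil, errors.New("authenticator locked: wrong PIN")
	}
	if cdJSON, err = json.Marshal(cd); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return cdJSON, sig, err
}

// RelyingParty is a toy model of the bank's login server: it stores only public
// keys, issues one-time challenges, and insists on its own origin.
type RelyingParty struct {
	Origin  string
	creds   map[string]*ecdsa.PublicKey
	pending map[string][]byte // outstanding challenge per user
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Challenge issues 32 fresh random bytes that must appear in the next assertion.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// Verify accepts an assertion only if the challenge is the outstanding one, the
// origin is the bank's own, and the signature verifies under the registered key.
func (rp *RelyingParty) Verify(user string, cdJSON, sig []byte) error {
	pub, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected client data type")
	}
	// A look-alike or man-in-the-middle page runs on a different origin, so the
	// browser signs a different origin string and the assertion is rejected here.
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: %q", cd.Origin)
	}
	want, ok := rp.pending[user]
	if !ok || subtle.ConstantTimeCompare(cd.Challenge, want) != 1 {
		return errors.New("challenge missing, stale or reused")
	}
	delete(rp.pending, user) // one-time use: a captured assertion cannot be replayed
	digest := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("1234")
	rp := NewRelyingParty("https://vpn.bank.example") // constructed origin
	rp.Register("alice", auth.PublicKey())
	ch, _ := rp.Challenge("alice")
	cdJSON, sig, _ := auth.Sign("1234", clientData{Type: "webauthn.get", Challenge: ch, Origin: rp.Origin})
	fmt.Println("genuine login:", rp.Verify("alice", cdJSON, sig))
	ch, _ = rp.Challenge("alice")
	cdJSON, sig, _ = auth.Sign("1234", clientData{Type: "webauthn.get", Challenge: ch, Origin: "https://vpn.bank-login.example"})
	fmt.Println("assertion from look-alike origin:", rp.Verify("alice", cdJSON, sig))
}
```

The genuine login verifies, while the same passkey used from a look-alike origin is rejected before the signature is even checked, and a captured assertion fails on reuse because the challenge is consumed. Nothing the server stores (a public key) or sees on the wire (a challenge and a signature) lets an attacker log in, which is the property the article describes when it says passwordless removes whole classes of password and MFA-code theft. Real authenticators additionally cap PIN retries; that lockout is left out of this model.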
With passwordless VPN, Capital One employees connect to the bank’s network to begin their work not by entering a username and password but using their preferred passwordless authentication. For many employees, this means using a device biometric — for example, facial recognition on their iPhone or the fingerprint scanner on their computer. Employees who prefer other methods can plug in their USB security key or tap their NFC device to their phone. While the passwordless journey is expected to end this year for Capital One, there are more gains the company can make in simultaneously simplifying and securing the employee experience. Indeed, it could lead to eliminating the use of a VPN.