The Future of Authentication in 2026 and Beyond

Passwords are dying. Passkeys are growing. Zero-trust architectures are reshaping enterprise security. Biometrics, AI-driven authentication, and continuous verification are converging to redefine how we prove our identity online.

1. Passwords Fading

The Slow Death of Passwords: Where We Are in 2026

In 2026, we are in the transition period of a fundamental shift in authentication. Passwords are not yet dead, but they are rapidly becoming secondary to biometric-backed cryptographic authentication. Apple reports that over one billion passkeys have been created across its ecosystem. Google has seen passkey sign-ins for Google accounts grow exponentially since 2022. Microsoft has been pushing its 1.4 billion Windows users toward passwordless authentication through Windows Hello and Microsoft Authenticator. The three dominant platform operators controlling the majority of the world's computing devices are aligned on the direction of travel: away from passwords and toward FIDO2-based phishing-resistant authentication.

The acceleration has been driven by compelling data on the cost of password-based breaches. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element including stolen credentials, phishing, or errors — with stolen passwords still the leading attack vector globally. IBM's Cost of a Data Breach report showed average breach costs exceeding US$4.88 million globally in 2024. For Hong Kong businesses, which are subject to both the Personal Data (Privacy) Ordinance and growing cyber insurance requirements, the financial and legal case for moving beyond passwords is increasingly compelling.

The practical reality in 2026 is coexistence. Most services still require passwords as a fallback, and billions of accounts exist at services that have not yet implemented passkey support. The average person's digital life involves hundreds of accounts across services of wildly varying technical sophistication — from major tech platforms that have implemented FIDO2 to small local businesses running basic website software that does not support modern authentication standards. The transition will take many more years to complete, and password managers remain essential tools during the transition period.

  • One billion passkeys: Apple reports over one billion passkeys created across its ecosystem
  • Platform alignment: Apple, Google, and Microsoft all driving passwordless authentication adoption
  • Breach cost: Average breach cost US$4.88M in 2024 — credential theft remains the top vector
  • HK legal pressure: PDPO compliance and cyber insurance driving strong auth requirements
  • Coexistence reality: Passwords remain for legacy services — password managers are still essential
  • Transition speed: Full password elimination likely 5–10+ years away for mainstream adoption
2. Biometrics and AI

Advanced Biometrics and AI-Driven Authentication

The biometric authentication available in 2026 — Face ID, fingerprint readers, and Windows Hello — represents only the first generation of biometric authentication. The next generation involves continuous, behavioural biometrics that authenticate users based on patterns rather than discrete verification events. Behavioural biometrics analyse how you type (keystroke dynamics: speed, rhythm, and error patterns), how you move a mouse, how you hold and use your phone (accelerometer and gyroscope patterns), and how you navigate interfaces. These patterns are sufficiently unique to serve as a biometric identifier when combined with other signals.

AI-driven adaptive authentication systems are already deployed by some enterprise identity platforms and major banks. These systems learn your normal behaviour patterns and flag anomalies in real time. If someone logs in as you from Hong Kong, types with your typical patterns, and requests access to information you typically access — the AI assigns low risk and no additional friction is applied. If the same session then attempts to access financial systems at an unusual time, sends an unusually large number of data export requests, or begins modifying access controls — the risk score rises and the session is challenged or terminated automatically.

For Hong Kong banking specifically, several major banks are already using AI-based transaction monitoring that functions as a continuous authentication layer for financial operations. The system understands your normal transaction patterns (amounts, counterparties, frequency, time of day) and flags statistical anomalies for additional verification. This is less about replacing traditional authentication and more about layering intelligence on top of it — creating a security model where a compromised account can be detected through behavioural deviation even after an attacker has successfully authenticated.

  • Behavioural biometrics: Keystroke dynamics, mouse movement, and phone handling patterns as authentication signals
  • Continuous verification: AI monitors behaviour throughout sessions — not just at login
  • Adaptive risk scoring: Risk assessment updates dynamically based on actions within the session
  • HK banking AI: Transaction monitoring already functions as a continuous authentication layer
  • Deepfake challenge: AI-generated biometric spoofing is an emerging concern requiring liveness detection
  • Privacy balance: Behavioural monitoring raises data collection and consent questions
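As an added illustration of the keystroke dynamics described above (example code, not from the original article or any vendor product), the snippet below extracts dwell and flight times from constructed typing samples, builds a per-user profile, and scores a new sample by its mean z-distance from that profile. The 2.0 threshold and the 5 ms deviation floor are assumed values, and in practice this is only one signal that is combined with others.

```python
from statistics import mean, pstdev

# Constructed enrolment data: three typing sessions of the same four-key phrase,
# each event being (key, press_ms, release_ms) in typing order.
ENROLMENT_SESSIONS = [
    [("h", 0, 95), ("k", 210, 300), ("2", 400, 490), ("6", 620, 700)],
    [("h", 0, 105), ("k", 230, 330), ("2", 430, 510), ("6", 640, 730)],
    [("h", 0, 100), ("k", 190, 290), ("2", 380, 470), ("6", 600, 690)],
]
# Constructed probes: the genuine user typing again, and a faster impostor.
GENUINE_PROBE = [("h", 0, 98), ("k", 200, 295), ("2", 395, 485), ("6", 610, 695)]
IMPOSTOR_PROBE = [("h", 0, 60), ("k", 150, 210), ("2", 290, 350), ("6", 450, 510)]

def extract_features(events):
    """Dwell time per key (hold duration) followed by flight time between keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(sessions, min_std_ms=5.0):
    """Per-feature mean and standard deviation over the enrolment sessions.
    The floor on the deviation stops one very consistent feature from dominating."""
    vectors = [extract_features(s) for s in sessions]
    return [(mean(col), max(pstdev(col), min_std_ms)) for col in zip(*vectors)]

def anomaly_score(profile, events):
    """Mean absolute z-score of the probe against the profile (0 = typical rhythm)."""
    feats = extract_features(events)
    return mean(abs(f - m) / s for f, (m, s) in zip(feats, profile))

def is_consistent(profile, events, threshold=2.0):
    """True when the rhythm is close enough to count as a positive signal."""
    return anomaly_score(profile, events) < threshold

if __name__ == "__main__":
    profile = build_profile(ENROLMENT_SESSIONS)
    print(round(anomaly_score(profile, GENUINE_PROBE), 2), is_consistent(profile, GENUINE_PROBE))
    print(round(anomaly_score(profile, IMPOSTOR_PROBE), 2), is_consistent(profile, IMPOSTOR_PROBE))
```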
3. Zero Trust

Zero Trust Security: Authentication Redesigned

Zero trust security is an architectural model that rejects the traditional "castle and moat" approach to security, where resources inside a network perimeter are trusted and everything outside is untrusted. In a zero trust model, no user, device, or network connection is trusted by default — every access request is authenticated, authorised, and verified, regardless of whether it originates inside or outside the corporate network. The guiding principle is "never trust, always verify."

Zero trust has profound implications for authentication. In a zero trust architecture, strong MFA is a prerequisite for every resource access — including resources on the internal network that traditional models would grant automatically to connected users. But zero trust authentication goes further: it combines user identity verification with device health assessment (is the device patched? does it have endpoint security software? is it enrolled in the corporate MDM?), network context (is this a known office network? a VPN?), and behavioural risk signals to make a contextual access decision rather than a binary allowed/denied determination.

For Hong Kong businesses in 2026, zero trust principles are becoming standard guidance from security advisory bodies and are increasingly required by larger enterprise customers and partners as a condition of their supply chain security requirements. The practical first step toward zero trust is enforcing MFA everywhere and eliminating implicit trust based on network location — no longer treating the office network as inherently trusted. Many organisations start their zero trust journey with identity-centric controls, deploying an identity platform like Microsoft Entra ID or Okta that provides conditional access based on user, device, and context signals, with phishing-resistant MFA as the foundation.

  • Zero trust principle: Never trust, always verify — no implicit trust based on network location
  • All access authenticated: Even internal network resources require MFA in zero trust architecture
  • Device posture: Zero trust considers device health and compliance alongside user identity
  • Context-aware access: Access decisions based on who + what device + where + what behaviour
  • HK business imperative: Zero trust increasingly required by enterprise supply chain security requirements
  • Starting point: Enforce MFA everywhere and eliminate network-based implicit trust as first steps
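The contextual access decision described in this section, together with the in-session risk escalation from the biometrics section (unusual hour, bulk exports, access-control changes), as an added example that is not code from the article or from any identity platform. The signal weights, the two thresholds and the three-way outcome are assumed values chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    mfa_method: str            # "none", "otp" or "phishing_resistant"
    device_patched: bool
    device_edr: bool           # endpoint security agent present
    device_mdm_enrolled: bool
    network: str               # "office", "vpn" or "unknown"
    hour: int                  # local hour of the request, 0-23
    export_requests: int       # data-export calls seen in this session so far
    modified_access_controls: bool
    resource_sensitivity: str  # "standard" or "financial"

# (description, weight, predicate). Weights and thresholds are assumed values.
# Note the office network earns no discount: location is not a trust signal.
RISK_RULES = [
    ("no MFA", 40, lambda r: r.mfa_method == "none"),
    ("MFA not phishing-resistant", 10, lambda r: r.mfa_method == "otp"),
    ("device unpatched", 20, lambda r: not r.device_patched),
    ("no endpoint security", 15, lambda r: not r.device_edr),
    ("device not MDM-enrolled", 15, lambda r: not r.device_mdm_enrolled),
    ("unknown network", 15, lambda r: r.network == "unknown"),
    ("unusual hour", 15, lambda r: r.hour < 7 or r.hour > 21),
    ("bulk data export", 25, lambda r: r.export_requests > 20),
    ("access controls modified", 30, lambda r: r.modified_access_controls),
    ("sensitive resource", 10, lambda r: r.resource_sensitivity == "financial"),
]

def risk_score(req):
    """Sum the weights of every rule that fires; return the score and the reasons."""
    fired = [(desc, w) for desc, w, pred in RISK_RULES if pred(req)]
    return sum(w for _, w in fired), [desc for desc, _ in fired]

def decide(req, step_up_at=30, deny_at=70):
    """Map the score to a three-way outcome instead of a binary allow/deny."""
    score, reasons = risk_score(req)
    if score >= deny_at:
        return "deny", score, reasons      # block, or terminate the live session
    if score >= step_up_at:
        return "step_up", score, reasons   # re-prompt with phishing-resistant MFA
    return "allow", score, reasons

if __name__ == "__main__":
    # Constructed requests: a routine login, then the same session behaving oddly.
    normal = AccessRequest("phishing_resistant", True, True, True, "office", 10, 2, False, "standard")
    later = AccessRequest("phishing_resistant", True, True, True, "office", 23, 50, True, "financial")
    print(decide(normal))  # ('allow', 0, [])
    print(decide(later))   # ('deny', 80, [...])
```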
4. Action Plan

What Hong Kong Users Should Do Now to Stay Ahead

The authentication landscape is evolving rapidly, but the actions that prepare you for the future are the same ones that protect you best today. Start adopting passkeys now, while they are still new but already widely available. Create passkeys for Google, Apple, Microsoft, and any other service you use that supports them. This positions you ahead of the curve, trains you to use the authentication method that will dominate the next decade, and provides you with real, immediate security benefits today.

For services that do not yet support passkeys, upgrade from SMS to an authenticator app if you have not already. The authenticator app ecosystem is mature, works well, and provides dramatically better security than SMS without requiring new hardware. This step alone eliminates the most common attack vector for account takeover among ordinary Hong Kong internet users. If you manage high-value accounts — cryptocurrency, business email, or accounts with significant follower bases — add a hardware security key for FIDO2 phishing resistance on services that support it.

At the institutional level, Hong Kong businesses should be aware of HKMA's evolving guidance on strong authentication for financial services, track updates to the Cyber Resilience Assessment Framework, and begin planning the transition from authenticator app-based MFA to phishing-resistant MFA for privileged accounts. The technology is available today, the regulatory direction is clear, and early movers will be better positioned when phishing-resistant MFA becomes a hard requirement rather than a recommendation. The future of authentication in Hong Kong, as globally, belongs to biometric-backed cryptographic credentials — and that future is already here for those who choose to adopt it.

  • Action 1: Create passkeys for Google, Apple, Microsoft, and other supported services today
  • Action 2: Move all remaining accounts from SMS to an authenticator app (TOTP)
  • Action 3: Add a hardware key for high-value accounts where passkeys aren't supported
  • Action 4: Save backup codes and set up recovery contacts on all critical accounts
  • Business Action: Monitor HKMA guidance and plan phishing-resistant MFA for privileged access
  • Long-term: Track passkey support expansion — the list of supporting services grows monthly

The Future of Authentication Is Here Today

Passkeys, hardware keys, and zero trust aren't just future concepts — they're available now. Start with passkeys on your key accounts and explore the full 2FA guide.
