How Capital One is eliminating passwords for its employees

San Francisco — Capital One is on track to eliminate the use of passwords for most internal and external employee-facing applications by the end of this year, capping off a 20-year journey to simplify its authentication experience.

One major effect of drastically reducing the use of passwords by employees is that it will "effectively eliminate entire classes" of cyberattack against the company, according to the bank's chief technology risk officer, Andy Ozment. Specifically, going passwordless removes the target of credential phishing, in which attackers trick employees into giving up passwords and one-time login codes, and of password guessing attacks, since there is no password left to phish or guess.

The transition comes with some asterisks. Ozment said customer authentication is a different system and is not impacted by the transition of employee authentication to passwordless. In addition, not every employee application will be able to reach passwordless status.

Ozment said about 11% of internal applications and 35% of external applications will still require passwords. These applications won't reach passwordless status either because of a lack of third-party support or because employees need to continue accessing these applications even after they leave the bank (e.g. 401(k) accounts).

Regardless, moving most applications to passwordless will greatly improve the bank's risk profile by removing the credentials that are most commonly stolen or guessed in cyberattacks, and it will make the employee experience better by simplifying the login to most applications.

The announcement and detailing of the journey Capital One has taken so far to get to this point came during a talk Monday by Ozment at RSAC Conference, a leading cybersecurity conference held annually in San Francisco.

What replaced passwords?

Exact implementations of passwordless authentication vary, but the universally shared quality is that it doesn't require the user to memorize a password or any other knowledge-based secret.

For Capital One specifically, passwordless authentication means multi-factor authentication using an X.509 device certificate together with a FIDO2 passkey. Here's what that means:

A device certificate is an X.509 certificate: a signed statement from the bank's certificate authority that binds a public key to a specific phone or computer, issued when the device is enrolled (for example, the first time a user logs in from it). The matching private key is generated on the device and stays there, typically in hardware such as a TPM or Secure Enclave; the certificate itself is not secret. Only a device holding that private key can answer the bank's challenge, and the key is unique per device and far too large to guess, unlike passwords, which users often reuse across applications. X.509 is the standard that defines the certificate format.
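What enrollment and verification of such a certificate look like in practice, as an added Go example written for this page rather than Capital One's own code or PKI: a constructed in-memory CA stands in for the bank's device-certificate authority, the device name laptop-0042 and CA name Example Device CA are hypothetical, and the nonce is a constructed stand-in for the random value a TLS handshake would supply. The point it shows is that the certificate is public and merely chains to the CA, while only the private key, which the device never sends, can answer the server's challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a constructed in-memory issuing CA standing in for a bank's
// device-certificate authority (hypothetical; not Capital One's PKI).
type DeviceCA struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	roots *x509.CertPool
}

func NewDeviceCA() (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &DeviceCA{cert: cert, key: key, roots: roots}, nil
}

// Enroll issues a certificate for deviceID. The device generates its own key pair and sends only
// the public key; the returned private key stands in for what a TPM or Secure Enclave holds and never exports.
func (ca *DeviceCA) Enroll(deviceID string, serial int64) (certDER []byte, devKey *ecdsa.PrivateKey, err error) {
	if devKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &devKey.PublicKey, ca.key)
	return certDER, devKey, err
}

// SignNonce is the device proving possession of the private key, as a TLS client-certificate handshake does.
func SignNonce(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// VerifyDevice is the server side: the certificate must chain to the trusted CA
// and the presenter must prove possession of the matching private key.
func (ca *DeviceCA) VerifyDevice(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	h := sha256.Sum256(nonce)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("certificate presented without its private key")
	}
	return cert.Subject.CommonName, nil // the device identity the server can now trust
}

func main() {
	ca, _ := NewDeviceCA()
	certDER, devKey, _ := ca.Enroll("laptop-0042", 2)
	nonce := []byte("constructed server nonce") // a real server draws this fresh per handshake
	sig, _ := SignNonce(devKey, nonce)
	fmt.Println(ca.VerifyDevice(certDER, nonce, sig))
}
```

Copying the certificate file off a device gains an attacker nothing without the key, and a certificate minted by a CA the bank does not trust fails chain validation before the key is even checked. In a real deployment the possession proof happens inside the TLS client-certificate handshake rather than as a separate nonce exchange, and the private key lives in a TPM or Secure Enclave so it cannot be exported.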

A passkey is a FIDO2 credential stored on a device: a public/private key pair created for one specific site. The site keeps only the public key. At login the site sends a random challenge, the device signs it along with the site's identity using the private key, and the site checks the signature with the public key. The private key never leaves the device, so there is nothing for the site to leak and nothing for an attacker to intercept and reuse. FIDO2 is the open standard that governs how passkeys work, including the protocols that devices must follow to keep the private key on the device.

In some cases, devices unlock passkeys with a short PIN that the user must enter. This is still stronger than a password: the PIN is checked locally, never leaves the device and is useless without the physical device that holds the passkey. Even so, the PIN prompt has generated complaints at Capital One that the bank isn't truly going passwordless.

"Our [employees and contractors] are being prompted to enter their PIN, and then they're flooding our help desk with like, 'Hey, I'm supposed to be on passwordless, but I just had to enter a password,'" Ozment said.

"I will say, I don't know that I would fully embrace the branding of passwordless again, but I'm not necessarily here to tell you I have a better answer," Ozment conceded. "I would absolutely keep that in mind if you do a roll out that you have to be nuanced in that communication."

The winding road to passwordless

Capital One's journey to passwordless authentication began in 2005 with the launch of single sign-on (SSO) for internal employees. The company introduced multi-factor authentication (MFA) in 2015, initially using codes sent via email, text message and phone calls.

The company rolled out physical security keys starting in 2018, initially used to generate one-time passwords (OTP). By 2019, the bank had added mobile push and authenticator-app OTP as options and eliminated less secure factors such as email, SMS and voice.

The final push towards passwordless began in 2019, when the company set the goal of eliminating passwords from most apps. In June 2022, the bank's chief information security officer (CISO) set a challenge to get to passwordless VPN for employees within one year, and in June 2023, the team completed the passwordless VPN project.

Now, the bank is working toward a goal of requiring passwordless login for over 1,000 targeted applications by the end of 2025.

"We're going to finish passwordless this year, and then we're going to throw a heck of a party," Ozment said.

How eliminating passwords protects the bank

Passwords have long been identified by cybersecurity professionals as a major source of problems. In 2024, 71% of basic web application attacks involved the use of stolen credentials, according to Verizon's annual Data Breach Investigations Report.

Passwordless protects Capital One against specific attack vectors: there is no password, and no MFA code arriving by text or in an app, for an attacker to obtain, so attacks that depend on capturing one fail outright. It also defeats the phishing variant in which an attacker poses as the bank and relays the victim's login in real time (an adversary-in-the-middle proxy): a FIDO2 signature is bound to the site the browser was actually on and to a one-time challenge, so a login captured on a look-alike site is rejected by the real one.

Passwordless eliminates these threats through public key cryptography: the device signs a challenge from the server with a private key that it generates, stores and uses automatically and never reveals, and the server verifies the signature with the matching public key. Because the private key is never typed, sent or shared, it cannot be phished, guessed or reused the way a password can, and devices manage it far more carefully than users manage passwords.
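The challenge-response exchange outlined in the passkey description above, together with the origin and one-time-challenge checks that defeat relayed phishing, as an added Go example written for this page (not Capital One's, the FIDO Alliance's or any vendor's code). It models a simplified WebAuthn assertion using only the standard library: the authenticator signs sha256(rpID) || flags || counter || sha256(clientDataJSON) with a P-256 key, and the relying party checks the challenge, the origin and the signature. The relying-party ID bank.example, its origin https://bank.example and the look-alike bank.examp1e.net are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator models the device side of a passkey (hypothetical, simplified); it holds the private key and only ever hands out signatures.
type Authenticator struct {
	rpID string // relying-party ID the credential was registered for
	key  *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{rpID: rpID, key: key}, err
}

// clientData mirrors the WebAuthn clientDataJSON fields used here. The browser,
// not the web page, fills in Origin, so a look-alike site cannot lie about it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON []byte // handed back by the browser after the login prompt
	Signature      []byte // ECDSA over authenticatorData || sha256(ClientDataJSON)
}

// signedDigest builds what is signed, sha256(rpID) || flags || counter || sha256(clientDataJSON); the server rebuilds it from its own rpID.
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter left at zero
	d := sha256.Sum256(append(authData, cdHash[:]...))
	return d[:]
}

// Sign produces an assertion; origin is the site the browser is actually on.
func (a *Authenticator) Sign(origin, challenge string) (*Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(a.rpID, cdJSON))
	return &Assertion{ClientDataJSON: cdJSON, Signature: sig}, err
}

// RelyingParty is the server: it keeps only the public key, its expected origin and the issued challenges; there is no user secret to steal.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	pending      map[string]bool // one-time challenges (a real server binds them to a session)
}

func NewRelyingParty(rpID, origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues 32 fresh random bytes, valid for a single login attempt.
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[c] = true
	return c, nil
}

// Verify runs the checks that make the credential phishing- and replay-resistant.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge (replay)")
	}
	if cd.Origin != rp.origin { // an assertion made on a look-alike site names that site
		return fmt.Errorf("origin %q is not %q: phished or relayed assertion", cd.Origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.rpID, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, cd.Challenge) // consume the challenge so this assertion cannot be replayed
	return nil
}
func main() {
	auth, _ := NewAuthenticator("bank.example")
	rp := NewRelyingParty("bank.example", "https://bank.example", &auth.key.PublicKey)
	for _, origin := range []string{"https://bank.example", "https://bank.examp1e.net"} {
		c, _ := rp.NewChallenge() // for the look-alike, picture an attacker fetching and relaying this
		as, _ := auth.Sign(origin, c)
		fmt.Printf("login signed on %s: %v\n", origin, rp.Verify(as))
	}
}
```

Run it and the login signed on https://bank.example verifies, while the one signed on the look-alike is rejected with an origin mismatch even though the attacker relayed a genuine challenge; submitting the same assertion twice fails because the challenge was consumed on first use. A real browser adds a first line of defence the model omits: it will not even offer a credential whose RP ID does not match the domain of the page asking for it.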

As a concrete example, "probably the largest single reduction in risk we'll get from this initiative" out of Capital One's passwordless journey, according to Ozment, was transitioning the company's virtual private network (VPN) to passwordless.

With passwordless VPN, Capital One employees connect to the bank's network to begin their work not by entering a username and password but using their preferred passwordless authentication. For many employees, this means using a device biometric — for example, facial recognition on their iPhone or the fingerprint scanner on their computer. Employees who prefer other methods can plug in their USB security key or tap their NFC device to their phone.

While the passwordless journey is expected to end this year for Capital One, there are more gains the company can make in simultaneously simplifying and securing the employee experience. Indeed, it could lead to eliminating the use of a VPN.

"I'm a little sad that I just had to use the word VPN, and I know we all want to move to a zero trust world and not use traditional VPNs," Ozment told RSAC Conference attendees. "Very soon, we hope to be up here presenting about our transition to zero trust, but that's a different presentation."
