I suspect some places still only use passwords for server logins because they can simply use active directory for user management and then have servers use ad/ldap for credential checking.
I think businesses with critical infrastructure should use hardware keys (e.g. yubikeys) to provide at least one of the factors needed to log in to a server. Using a yubikey as an authentication key for ssh is not that difficult and I do it for my own hobby stuff.
For web based stuff one can now use webauthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up to date browser however.
> This requires the enterprise to run up to date browser however.
Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.
Because large corporations have teams in charge of users desktops that still assume this is the 90s, and most users are idiots. Also, there are a ton of bad internal web applications targetting outdated browsers
I think businesses with critical infrastructure should use hardware keys (e.g. yubikeys) to provide at least one of the factors needed to log in to a server. Using a yubikey as an authentication key for ssh is not that difficult and I do it for my own hobby stuff.
For web based stuff one can now use webauthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up to date browser however.