
Why do password controls still matter in SSO and passwordless environments?

Because most financial institutions still retain password-bound systems somewhere in the estate, especially for legacy applications, integrations, and recovery. Removing passwords from one layer does not remove the audit obligation if other systems still depend on them. Governance must cover what remains, not what the strategy hopes to eliminate.

Why Password Controls Still Matter After SSO

SSO reduces how often people type passwords, but it does not erase the systems, workflows, and recovery paths that still depend on them. Legacy applications, service desks, third-party integrations, and account recovery often remain password-bound long after a modern login layer is deployed. That means password policy, monitoring, and exception handling still shape real risk, especially where the identity estate is mixed. Current guidance from NIST Cybersecurity Framework 2.0 and NHI governance practices both point to the same operational reality: visibility into what still uses passwords matters more than slogans about being passwordless.

Financial institutions also have to treat passwords as part of a broader identity control plane, not as an isolated nuisance. The Ultimate Guide to NHIs — Standards notes that long-lived credentials remain common in modern estates, and that creates audit and recovery exposure even when user sign-in is modernised. In practice, many security teams discover that password governance still fails at the edge, where old systems and urgent recovery processes bypass the intended architecture.

How It Works in Practice

Effective password control in an SSO or passwordless programme means tracking every remaining password use case and assigning a risk-based rule to it. That usually includes privileged break-glass accounts, legacy mainframes, batch jobs, vendor portals, and any application that cannot yet federate with modern identity providers. The goal is not to preserve passwords forever, but to constrain their lifetime, scope, and recoverability until they can be removed.

Operationally, teams should combine authentication policy with NIST Cybersecurity Framework 2.0 functions for identify, protect, detect, and recover. That means enforcing strong secrets where passwords still exist, logging every reset and override, and reviewing whether those accounts can move to NHI lifecycle standards such as rotation, offboarding, and privilege review. It also means treating recovery flows as high-risk paths: if a password can be reset through weak help-desk identity proofing, then the password policy is only as strong as that process.

  • Inventory all password-bound systems, including service and emergency accounts.
  • Apply least privilege and remove shared credentials where possible.
  • Rotate any remaining secrets on a short, documented schedule.
  • Log resets, unlocks, and fallback authentication as security events.
  • Prioritise migration of the highest-risk legacy dependencies first.

For technical baselines, align control intent with the NIST Cybersecurity Framework 2.0 and use NHI governance to close the gap between policy and operational reality. These controls tend to break down when help-desk resets, emergency access, or third-party maintenance accounts sit outside central identity governance, because those paths are rarely reviewed with the same rigor as primary SSO flows.
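The inventory, rotation, logging and prioritisation steps above can be turned into a small governance check. The following Python script is an added example and is not code from the journal or from any NIST or OWASP publication: it walks a constructed inventory of password-bound accounts, applies a risk-based rotation and ownership rule to each, orders the highest-risk dependencies for migration, and scans constructed help-desk and IdP log lines for resets, unlocks and fallback authentications that happened through an ungoverned channel or with weak identity proofing. The age thresholds, channel names, proofing labels and log format are all assumptions chosen for illustration.

```python
"""Added example (not from the article): risk-based review of remaining
password use cases in a mixed SSO / passwordless estate.
All account names, thresholds, channels and log lines are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Maximum password age in days per risk class. Illustrative assumptions,
# not figures taken from any standard.
MAX_AGE_DAYS = {"break-glass": 30, "service": 60, "vendor": 90, "legacy-user": 180}
# Higher rank = migrate sooner when finding counts tie (assumption).
RISK_RANK = {"break-glass": 3, "service": 2, "vendor": 2, "legacy-user": 1}


@dataclass
class PasswordAccount:
    name: str
    system: str
    risk_class: str
    last_rotated: date
    shared: bool            # more than one person or process knows the secret
    federated: bool         # already reachable through the SSO / IdP layer
    owner: Optional[str]    # accountable owner on record, if any


def evaluate(acct: PasswordAccount, today: date) -> list:
    """Return findings for one account; an empty list means it is within policy."""
    findings = []
    limit = MAX_AGE_DAYS.get(acct.risk_class)
    if limit is None:
        findings.append("unclassified risk class")
    else:
        age = (today - acct.last_rotated).days
        if age > limit:
            findings.append(f"rotation overdue: {age}d > {limit}d")
    if acct.shared:
        findings.append("shared credential")
    if acct.owner is None:
        findings.append("no accountable owner")
    # A federated non-emergency account that still keeps a password is a
    # dependency the programme can probably remove rather than govern.
    if acct.federated and acct.risk_class != "break-glass":
        findings.append("federated but still holds a password: candidate for removal")
    return findings


def audit_inventory(accounts, today: date) -> dict:
    """Map account name -> findings, for accounts that have at least one."""
    result = {}
    for acct in accounts:
        findings = evaluate(acct, today)
        if findings:
            result[acct.name] = findings
    return result


def migration_order(accounts, today: date) -> list:
    """Highest-risk password dependencies first: most findings, then risk class."""
    ranked = sorted(
        accounts,
        key=lambda a: (-len(evaluate(a, today)), -RISK_RANK.get(a.risk_class, 0), a.name),
    )
    return [a.name for a in ranked]


# Constructed help-desk / IdP log lines (timestamp, event, account, channel, proofing).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z RESET acct=svc-batch-ledger channel=helpdesk proof=callback
2024-05-02T09:20:11Z RESET acct=bg-core-admin channel=helpdesk proof=none
2024-05-02T10:02:45Z UNLOCK acct=jdoe channel=sso-portal proof=mfa
2024-05-02T11:30:00Z FALLBACK acct=vendor-ach-portal channel=vendor-vpn proof=kba
2024-05-02T12:00:00Z LOGIN acct=jdoe channel=sso-portal proof=mfa
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>RESET|UNLOCK|FALLBACK) acct=(?P<acct>\S+) "
    r"channel=(?P<channel>\S+) proof=(?P<proof>\S+)$"
)
GOVERNED_CHANNELS = {"sso-portal", "pam"}   # under central identity governance (assumption)
WEAK_PROOF = {"none", "kba", "callback"}     # proofing methods treated as weak (assumption)


def flag_recovery_events(log_text: str) -> list:
    """Return (ts, event, account, reason) for recovery events that bypass governance."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # LOGIN and other non-recovery events are not in scope here
        reasons = []
        if m["channel"] not in GOVERNED_CHANNELS:
            reasons.append(f"ungoverned channel {m['channel']}")
        if m["proof"] in WEAK_PROOF:
            reasons.append(f"weak identity proofing ({m['proof']})")
        if reasons:
            flagged.append((m["ts"], m["event"], m["acct"], "; ".join(reasons)))
    return flagged


AS_OF = date(2024, 5, 2)
SAMPLE_ACCOUNTS = [  # constructed inventory
    PasswordAccount("bg-core-admin", "core-banking", "break-glass", date(2024, 3, 1), False, False, "IAM ops"),
    PasswordAccount("svc-batch-ledger", "batch-scheduler", "service", date(2024, 4, 20), True, False, None),
    PasswordAccount("vendor-ach-portal", "ach-gateway", "vendor", date(2024, 2, 1), False, False, "Treasury"),
    PasswordAccount("hr-legacy-app", "hr-system", "legacy-user", date(2024, 4, 1), False, True, "HR"),
    PasswordAccount("mainframe-ops", "mainframe", "legacy-user", date(2024, 4, 15), False, False, "Ops"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{name}: {'; '.join(findings)}")
    print("migration order:", migration_order(SAMPLE_ACCOUNTS, AS_OF))
    for event in flag_recovery_events(SAMPLE_LOG):
        print("recovery event outside governance:", event)
```

The inventory checks are deliberately simple so that the rule behind each finding is visible in one place; in a real estate the thresholds would come from the institution's own policy and the log parser from the help-desk and IdP products actually in use. The point of the log scan is the one made above: a reset performed through an ungoverned channel or with weak proofing is a security event in its own right, regardless of how strong the password policy is.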

Common Variations and Edge Cases

Tighter password control often increases operational friction, requiring organisations to balance user convenience against auditability and recovery speed. That tradeoff is real, especially in financial services where outages and regulatory deadlines can force exceptions. Best practice is evolving, but there is no universal standard for how quickly a passwordless programme can eliminate every downstream password dependency.

Some environments can remove user passwords from the front door while still needing them for back-office systems, vendor access, or regulated fallback procedures. Others may replace passwords with device-bound factors, but still rely on shared admin credentials or static secrets in scripts. The Ultimate Guide to NHIs — Standards is useful here because it frames passwords as one part of a wider secrets and identity inventory, rather than a standalone authentication debate. In practice, the right question is not whether passwords are disappearing, but whether the remaining ones are visible, governed, and justified.

That distinction matters most in merger environments, regulated outsourcing, and legacy core banking estates, where passwordless can be true for employees while still false for the systems that keep the business running.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-03                Addresses rotation and lifecycle of remaining passwords and secrets.
NIST CSF 2.0                     PR.AC-4               Least-privilege access applies to legacy and break-glass password use.
NIST SP 800-63                                         Covers authentication assurance and recovery paths in mixed identity estates.

Inventory all remaining passwords and enforce short rotation plus documented offboarding.