By NHI Mgmt Group Editorial Team. Published 2025-07-28. Domain: Best Practices. Source: Imprivata

TL;DR: Facial biometrics can reduce password reset friction, lower credential-compromise exposure, and support passwordless access in regulated environments, according to Imprivata and cited third-party research. The deeper issue is not whether face authentication works, but whether identity programmes can replace password-era assumptions without fragmenting governance across users, devices, and third parties.


At a glance

What this is: This is an analysis of facial biometrics for passwordless authentication and the governance gaps that still block adoption.

Why it matters: It matters because IAM teams must decide whether face authentication strengthens identity assurance without creating new lifecycle, compliance, and shared-device control problems.

By the numbers:

👉 Read Imprivata's analysis of face authentication for passwordless access


Context

Facial biometrics, also called face authentication, is a passwordless method that verifies a person by matching an enrolled facial template to a live capture at login. In identity programmes, the real question is not whether it is technically possible, but whether it can replace password-era trust assumptions without breaking governance across human access, shared devices, and regulated workflows.

The article frames face authentication as a response to password risk, help desk load, and third-party access exposure. That is the right problem space for IAM teams, because the operational debate is less about biometrics in isolation and more about whether passwordless access can be deployed as part of a coherent identity architecture rather than a point solution.


Key questions

Q: How should security teams roll out passwordless authentication without breaking legacy access?

A: Start with an application and workflow inventory, then classify which systems can support modern authentication and which still require transitional controls. Passwordless succeeds when teams design for the existing estate of legacy apps, shared devices, and exception paths instead of assuming a clean migration.

Q: Why do passwordless programmes fail if they focus only on the login method?

A: Because the login method is only the front end of identity assurance. If enrollment, recovery, auditability, offboarding, and application compatibility are not aligned, the organisation replaces one friction point with a fragmented control model that is harder to govern.

Q: How can organisations judge whether facial biometrics are actually reducing risk?

A: Look for fewer password resets, lower help desk volume, reduced dependence on recoverable secrets, and consistent auditability across shared and regulated workflows. If those indicators do not improve, the biometric layer is likely adding convenience more than measurable security.

Q: Who remains accountable when passwordless access spans employees, contractors, and third parties?

A: Accountability stays with the organisation that owns the identity lifecycle and access policy, even when external users or shared devices are involved. Passwordless does not remove governance responsibility; it makes lifecycle control, offboarding, and audit trails more visible.


Technical breakdown

How facial biometrics work as an authentication factor

Facial biometrics work by converting an enrolled face into a template and comparing that template against a fresh camera capture at login. The article describes convolutional neural networks for face matching and liveness detection to reduce spoofing attempts. In practice, this makes face authentication a possession-plus-inherence style factor, but it still depends on strong enrollment, secure template storage, and a trustworthy capture path. If any one of those is weak, the factor becomes a front-end convenience layer rather than a reliable control.

Practical implication: treat face authentication as an assurance control only when enrollment, template protection, and liveness checks are governed end to end.

Why passwordless adoption fails in legacy environments

Many enterprises cannot drop passwords simply by adding a modern factor, because critical applications still expect keyboard-based logins or non-standard authentication flows. That creates a compatibility problem: the identity stack may support FIDO2 or SAML, but the actual workload or workstation path does not. The result is often a hybrid model where passwordless is available only for some users, some devices, or some workflows. That fragmentation is usually a governance problem disguised as a technical one.

Practical implication: inventory which applications and device flows still force legacy authentication before declaring passwordless readiness.

What shared-device environments change about identity assurance

Shared-device settings, such as clinical or operational workstations, change the authentication problem because credentials cannot be left behind between users. Face authentication can reduce the risk created by shared passwords or shared tokens, but only if the session model, logout behaviour, and audit trail align with the device-sharing pattern. The security question is not simply whether biometrics are stronger than passwords. It is whether they preserve individual accountability when multiple people touch the same endpoint across a shift.

Practical implication: align passwordless design with session termination, user switching, and audit requirements on shared endpoints.
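As an added illustration of the session model this section describes (example code, not Imprivata's or NHI Mgmt Group's): a shared workstation where a face login starts a per-user session, liveness gates template matching, a second user's successful login terminates the first session, and every action is attributed to an individual rather than to the device. The feature vectors, threshold and device id are constructed placeholders standing in for a real matcher.

```python
# Added example, not Imprivata's or NHI Mgmt Group's code: per-user sessions on a shared workstation.
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 0.25  # constructed: largest template distance accepted as a match

@dataclass
class Capture:
    """One live camera capture: a constructed feature vector plus the liveness verdict."""
    features: Tuple[float, ...]
    live: bool

def template_distance(enrolled: Tuple[float, ...], live: Tuple[float, ...]) -> float:
    """Euclidean distance between an enrolled template and a live capture."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(enrolled, live)))

@dataclass
class SharedWorkstation:
    device_id: str
    templates: Dict[str, Tuple[float, ...]]   # user -> enrolled template (constructed)
    active_user: Optional[str] = None
    audit: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def _log(self, event: str, user: Optional[str]) -> None:
        self.audit.append((self.device_id, event, user))

    def login(self, claimed_user: str, capture: Capture) -> bool:
        enrolled = self.templates.get(claimed_user)
        # Liveness gates matching: a photo or replay is rejected before the comparison counts.
        if (enrolled is None or not capture.live
                or template_distance(enrolled, capture.features) > MATCH_THRESHOLD):
            self._log("login_rejected", claimed_user)
            return False
        if self.active_user and self.active_user != claimed_user:
            # User switching ends the previous session; nothing is inherited by the next user.
            self._log("session_terminated_on_switch", self.active_user)
        self.active_user = claimed_user
        self._log("session_started", claimed_user)
        return True

    def act(self, action: str) -> bool:
        """Attribute each action to the active individual; no session, no action."""
        if self.active_user is None:
            self._log("action_denied_no_session", None)
            return False
        self._log("action:" + action, self.active_user)
        return True
```

The audit list is the artefact to check on a real rollout: every action on the endpoint should carry a user, and every switch should show the previous session ending.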


Threat narrative

Attacker objective: The attacker wants to turn one compromised login into durable, low-friction access that bypasses normal user accountability and control.

  1. Entry occurs when attackers obtain a stolen password, reused credential, or phishing-captured login and use it against a traditional authentication flow. Credential compromise remains the first step in many identity-led intrusions because passwords are still widely reused and reset under pressure.
  2. Escalation follows when the attacker moves from a single stolen login into broader access through help desk resets, weak third-party access paths, or shared accounts that blur attribution. In identity terms, the compromise becomes a governance failure once one login can unlock multiple workflows.
  3. Impact occurs when the attacker uses that access to reach systems, steal data, or perform actions that look legitimate from the application’s perspective. The damage is amplified in environments where login assurance and access governance are not tightly linked.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Passwords are not just a user inconvenience. They are a governance failure mode. Password resets, help desk load, and credential compromise are symptoms of an identity model that still treats the password as a normal state. Once identity assurance has to be rebuilt around high-risk access, passwordless becomes a structural control discussion, not a UX feature discussion. Practitioners should judge passwordless by whether it reduces dependency on recoverable secrets, not by whether it feels modern.

Facial biometrics solve the login ceremony, not the identity architecture. Face authentication can tighten the front door, but it does not remove the need for lifecycle governance, access scope control, or third-party offboarding. If the surrounding identity programme still relies on fragmented policies, the organisation simply moves its weakest link from passwords to unenforced process. Practitioners should evaluate biometrics inside the full authentication and access chain, not as a standalone upgrade.

Shared-device environments expose the real value of passwordless. In workflows where users share workstations but not accountability, passwordless must preserve fast user switching, per-user auditability, and session separation. That is where facial biometrics can matter most, because the challenge is not only authentication strength but attribution. Practitioners should treat shared-device rollout as the hardest test of any passwordless design.

Face authentication has a narrow but real fit in regulated environments. The strongest use case is not universal replacement of passwords, but controlled deployment where operational speed, auditability, and local device access all matter at once. That makes the topic especially relevant for IAM, PAM, and lifecycle teams that need one access model across complex workflows. Practitioners should focus on where the control boundary really sits, because the boundary, not the biometric, determines security.

Identity assurance must be measured against third-party and workforce reality, not idealised users. The article’s emphasis on third-party access and legacy compatibility shows why passwordless programmes fail when they are designed for a clean environment that does not exist. The governance issue is whether the programme can absorb exceptions without reverting to passwords as the default. Practitioners should expect hybrid identity states and manage them explicitly.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why access assurance often breaks long before teams reach enforcement, according to Ultimate Guide to NHIs.
  • For teams formalising lifecycle controls, the NHI Lifecycle Management Guide is the next step for tightening provisioning, rotation, and offboarding discipline.

What this signals

Identity assurance is shifting from secret-based access to lifecycle-based access. Passwordless authentication can reduce reliance on recoverable credentials, but it does not eliminate the need to prove who can enroll, recover, switch devices, or offboard access. For IAM teams, the programme question is whether biometric access can be governed with the same discipline as any other high-value identity control.

With 30.9% of organisations still storing long-term credentials directly in code, according to our research, the passwordless conversation is really about removing old dependence on fragile secrets while not introducing new unmanaged trust points.

Biometric convenience becomes defensible only when auditability survives the workflow. That means shared-device sessions, contractor access, and exception handling must remain traceable to the same standard as ordinary user logins. Teams that cannot prove those controls should treat face authentication as partial modernisation, not completed transformation.


For practitioners

  • Map passwordless eligibility by application and workflow: Identify which critical systems still depend on keyboard-based or legacy login paths before promising full password removal. Separate feasible passwordless journeys from exceptions that will still require alternative authentication controls.
  • Protect biometric enrollment and template storage: Require strong controls around enrollment capture, template storage, encryption, and deletion on termination. The security value of facial biometrics depends on keeping the enrollment path trustworthy and the stored template tightly governed.
  • Design for shared-device session switching: Test fast user switching, logout behaviour, and per-user audit trails on shared workstations. A passwordless programme that fails to preserve attribution on shared devices creates operational speed without governance clarity.
  • Review third-party access alongside passwordless rollout: Use passwordless programmes to force a broader access review of vendor, contractor, and partner pathways. Third-party access still creates breach exposure, so authentication changes should be paired with offboarding and entitlement checks.

Key takeaways

  • Facial biometrics can reduce password dependence, but the real test is whether the surrounding identity programme can absorb legacy systems, shared devices, and recovery workflows.
  • The evidence problem is broader than login friction: credential compromise, third-party access, and help desk burden all point to an identity model still built around recoverable secrets.
  • IAM teams should judge passwordless by lifecycle governance, not by the biometric itself, because access assurance only improves when enrollment, audit, and offboarding are controlled together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | (not specified) | Facial biometrics affect authenticator assurance and passwordless login design.
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control govern who can use passwordless access.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Passwordless access should support continuous verification and least privilege.

Use phishing-resistant and assurance-based authentication guidance when evaluating biometric login.


Key terms

  • Facial Biometrics: A biometric authentication method that verifies a person by comparing a live facial capture with an enrolled template. In identity programmes, its value depends on secure enrollment, trustworthy liveness detection, and careful handling of stored templates so the factor does not become just another managed secret.
  • Passwordless Authentication: An authentication approach that removes the password as the primary login secret and replaces it with stronger factors such as biometrics, device-bound credentials, or possession-based methods. It improves user experience only when recovery, audit, and exception handling are governed as tightly as the login itself.
  • Liveness Detection: A control that checks whether a presented face is from a live person rather than a photo, replay, or synthetic spoof. It is a critical layer in biometric systems because it protects the matching step from simple impersonation attempts and supports stronger assurance at login.
  • Shared Device Access: An access model where multiple people use the same physical workstation, terminal, or endpoint across a shift. The main governance challenge is preserving individual accountability, session separation, and auditability while allowing fast user switching without shared credentials.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Discover three key insights into facial biometrics and passwordless authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org