TL;DR: Most enterprises still run hybrid authentication, with Okta reporting 93% password usage in workforce environments and 56% of organisations keeping passwords after passkey deployment, so exposure persists across legacy apps, AD, VPN, SaaS, and privileged workflows. The security problem is not choosing a replacement, but reducing the credential layer attackers still target today.
At a glance
What this is: This is an analysis of why hybrid authentication environments remain the norm and why passwords continue to concentrate identity risk even as passkeys spread.
Why it matters: It matters because IAM, IGA, PAM, and security teams still have to govern the password layer that legacy systems, privileged workflows, and third-party access continue to trust.
By the numbers:
- Overall password usage still reached 93% of users in workforce environments as of January 2025.
- 56% of organizations still kept passwords as an authentication method even after deploying passkeys.
- 93% of users in workforce environments as of January 2025 still used passwords, showing how entrenched the legacy layer remains.
👉 Read Enzoic's analysis of credential risk in hybrid authentication environments
Context
Hybrid authentication means an organisation uses passwords and passkeys at the same time across different systems. That is now the default state for many enterprises because older applications, Active Directory, VPNs, SaaS tools, customer portals, and privileged workflows do not all modernise together.
The governance gap is not a lack of modern sign-in options. It is the persistence of a password layer that attackers still exploit through phishing, credential reuse, and exposed secrets, while security teams assume modern authentication has reduced the whole problem.
In practice, that leaves identity programmes managing two different trust models at once. Passkeys may reduce risk on newer paths, but the remaining password estate often becomes the highest-value target because it still gates access to critical systems and administrative functions.
Key questions
Q: How should security teams reduce risk in hybrid authentication environments?
A: They should treat the remaining password estate as the main control surface, not a temporary leftover. That means inventorying every password-based path, screening credentials against breach data, and tightening recovery and help desk workflows that can reintroduce exposed access. The goal is to reduce valid-credential abuse wherever passwords still remain.
Q: Why do passkeys not eliminate credential risk on their own?
A: Passkeys reduce risk only on the flows that have actually migrated. If legacy applications, privileged workflows, or recovery paths still trust passwords, attackers can keep using exposed credentials to reach high-value systems. The risk moves, it does not disappear, until the last password-dependent path is governed.
Q: What breaks when organisations rely on password policy alone?
A: Static password policy fails to detect whether a credential has already been exposed. A strong-looking password can still be a live attack path if it appears in breach data or infostealer logs. The missing control is exposure-aware screening before and after issuance, not more complexity rules.
Q: Who is accountable for hybrid authentication risk when passwords and passkeys coexist?
A: IAM, PAM, and identity governance teams share accountability because the risk spans sign-in, recovery, and privileged access. Security ownership should follow the access path, not the authentication label. If a system still accepts passwords, someone must own its residual exposure, even when passkeys are available elsewhere.
Technical breakdown
Why password layers become the primary target in hybrid authentication
Hybrid authentication creates asymmetric risk. When some sign-in paths move to passkeys while others remain password-based, attackers concentrate on the path that still accepts reusable credentials. That is not a failure of passkeys themselves. It is a property of partial modernisation: the older trust model remains intact wherever the migration is incomplete. In identity terms, the attack surface does not shrink evenly. It shifts toward Active Directory, legacy business applications, help desk resets, and privileged workflows that still accept passwords. The result is a more valuable target set, not a smaller one.
Practical implication: map every remaining password-dependent flow and treat it as a separate high-risk control plane, not as legacy background noise.
Why credential exposure sits upstream of authentication
Credential risk often starts before the login attempt. Once passwords are exposed in breach dumps, infostealer logs, credential stuffing kits, or reuse across services, authentication becomes the last step in a longer compromise chain. The login may look legitimate because the credential is valid, which is exactly why these attacks evade many traditional detection models. In hybrid environments, that matters more because exposed passwords can still unlock older systems even when newer sign-in methods exist elsewhere. The security issue is therefore not only authentication failure, but stale trust in credentials that may already be compromised.
Practical implication: screen credentials before and after reset, and continuously test whether exposed passwords still provide valid access.
Continuous credential screening is the missing control in mixed estates
Static password policy answers the wrong question. Complexity rules may produce stronger-looking passwords, but they do not reveal whether a credential already exists in breach data. Continuous credential screening closes that gap by checking during creation, reset, and ongoing monitoring. In a mixed estate, this becomes especially important for Active Directory, workforce identity systems, customer login APIs, and recovery workflows, where a single exposed secret can still become a working access path. The control is about exposure state, not character composition. That is the operational distinction many programmes still miss.
Practical implication: make breach-aware screening mandatory in every password issuance and reset workflow, then monitor for newly exposed credentials continuously.
NHI Mgmt Group analysis
Hybrid authentication is now an operating model, not a transition state: Most enterprises will live with passwords and passkeys side by side for years because their application estate cannot modernise in one step. That means IAM strategy must govern mixed trust, mixed assurance, and mixed recovery paths at the same time. The practitioner conclusion is simple: design for coexistence, not completion.
The remaining password layer is where identity risk concentrates: When passkeys are deployed selectively, the systems that still trust passwords become the most attractive targets for attackers. This is not because passwords suddenly matter more in theory, but because they remain the shortest route to valid access in the parts of the estate that have not changed. The implication is that risk reduction must focus on the residual password estate, not the modernised edge.
Credential exposure is the control problem, not password length: A long password that has already been leaked is still a live attack path. That is why the decisive question is whether exposed credentials are blocked before they can be reused, not whether policy made them harder to guess. Practitioners should measure exposure state, not just password complexity.
Hybrid authentication turns identity governance into a lifecycle problem across all access types: Passwords, passkeys, recovery factors, and privileged workflows are all part of the same lifecycle, even when they sit in different systems. Offboarding, reset, and recertification processes must therefore account for which access methods still exist and where valid credentials remain. The practitioner conclusion is to govern the lifecycle of the old and new trust models together.
Hybrid estates expose the limits of assuming modern authentication equals modern security: That assumption was designed for a world where authentication methods changed uniformly. It fails when one layer modernises while the rest of the estate continues to trust passwords, because attackers only need one preserved trust path. The implication is that identity architecture must be assessed by residual access paths, not by headline adoption rates.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- For a broader control baseline, review OWASP Non-Human Identity Top 10 for the governance gaps that also affect credential exposure and hybrid authentication.
What this signals
Residual password risk is a programme design issue, not a migration milestone: Once passkeys enter the estate, the real question becomes how quickly you can identify and retire the remaining password-dependent trust paths. With only 5.7% of organisations reporting full visibility into their service accounts, the same visibility problem is likely to affect mixed authentication estates where passwords still linger.
Hybrid authentication exposes the same governance weakness seen across NHI programmes: organisations often modernise one control plane while leaving legacy trust intact elsewhere. That creates a false sense of coverage, because attackers only need one surviving path to valid access. The operational response is to measure residual exposure, not adoption counts.
Credential exposure becomes the durable control point across IAM and NHI: if a secret or password remains valid after exposure, the environment still trusts compromised identity material. That makes breach-aware screening and rapid invalidation the most important bridge between classic IAM, privileged access governance, and NHI lifecycle controls.
For practitioners
- Inventory every password-dependent access path Map Active Directory, legacy applications, VPNs, privileged workflows, customer portals, and recovery flows that still accept passwords. Classify each path by exposure, privilege, and whether passkeys have truly removed password trust or only added another option.
- Deploy breach-aware credential screening Block exposed passwords during creation and reset, then continuously rescreen stored credentials against new breach data. Focus on the flows that still grant access to administrative, remote access, and high-value business systems.
- Separate modernisation from risk reduction Do not treat passkey rollout as proof that authentication risk has been solved. Track the remaining password layer as its own programme stream with explicit owners, remediation targets, and reporting.
- Harden recovery and help desk workflows Apply the same scrutiny to password reset and account recovery as to primary sign-in, because these paths often bypass the strongest authentication methods and restore access to the most exposed identities.
Key takeaways
- Hybrid authentication is the current operating reality, so identity strategy has to govern coexistence rather than assume a clean migration to passkeys.
- The riskiest control point is the password layer that remains, because attackers target the systems still willing to trust reusable credentials.
- Breached credential screening and residual-path inventory are the controls that reduce valid-access abuse in mixed authentication estates.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential exposure and rotation gaps sit at the centre of this hybrid-authentication risk. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management are directly implicated by residual password trust. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers password issuance, validation, and revocation across mixed environments. |
| NIST Zero Trust (SP 800-207) | Zero Trust depends on minimizing implicit trust in reusable credentials. |
Use Zero Trust to challenge any password path that still grants broad access without continuous verification.
Key terms
- Hybrid Authentication: A mixed identity environment where passwords and passkeys coexist across different systems and workflows. It is not a transition failure; it is the practical state of many enterprises, and it requires governance that understands residual password trust, recovery paths, and uneven modernization.
- Residual Password Estate: The set of applications, workflows, and access paths that still accept passwords after passkeys are introduced. This estate often carries disproportionate risk because attackers focus on the last systems that continue to trust reusable credentials, especially administrative and recovery functions.
- Credential Screening: The process of checking passwords against known breach data before or after they are used. In practice, it is an exposure control, not a strength control, because it answers whether a credential is already compromised rather than whether it looks complex enough.
- Exposure-Aware Authentication: An authentication approach that considers whether a credential has been leaked, reused, or found in breach data before allowing it to remain valid. For hybrid estates, this is the bridge between legacy password protection and modern identity governance.
What's in the full article
Enzoic's full article covers the operational detail this post intentionally leaves for the source:
- 具体?
- Detailed credential screening workflow examples for password creation, reset, and ongoing monitoring across hybrid estates.
- Implementation considerations for legacy Active Directory, privileged workflows, and customer login paths that still accept passwords.
- Practical guidance on reducing credential risk without assuming passkeys have removed the need for password controls.
👉 Enzoic's full post covers the password-layer controls and screening details practitioners need.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org