By NHI Mgmt Group Editorial Team | Published 2025-09-19 | Domain: Governance & Risk | Source: RSA Security

TL;DR: A major US bank used hybrid passwordless authentication across Windows, Mac, remote, third-party, and BYOD users to strengthen access security and compliance while preserving legacy app access, according to RSA Security. The case shows that passwordless only reduces risk when it is paired with device-aware controls, legacy coverage, and identity governance.


At a glance

What this is: RSA Security describes how a major US bank adopted hybrid passwordless authentication to secure mixed environments spanning cloud, legacy, third-party, and BYOD access.

Why it matters: IAM teams rarely operate in clean greenfield conditions, and passwordless programmes fail if they do not account for legacy apps, remote users, and untrusted devices.

Read RSA Security's analysis of hybrid passwordless authentication in banking.


Context

Hybrid passwordless authentication is not just a replacement for passwords. In practice, it is an access model that has to work across device types, user populations, and application generations without breaking operational continuity.

For IAM programmes, the hard part is not proving passwordless works in isolation. The hard part is making it coexist with legacy on-premises applications, third-party access, BYOD risk, and regulatory expectations in one control plane.

RSA Security uses the bank case to show that authentication modernisation is a governance problem as much as a user-experience one. The starting point is typical for large financial institutions: mixed estate, mixed trust, and no room for access disruption.


Key questions

Q: How should security teams roll out passwordless authentication in hybrid environments?

A: Security teams should roll out passwordless by inventorying application compatibility, device trust, and fallback authentication before enforcing policy broadly. The goal is not simply to remove passwords, but to ensure passkeys, federation, and recovery flows work across legacy and modern systems without creating ungoverned exception paths.

Q: Why do BYOD devices change the risk profile of passwordless authentication?

A: BYOD changes the risk profile because the credential is no longer protected by a fully controlled endpoint. Even strong passwordless methods still depend on device integrity, so organisations need separate trust rules for personal devices, especially when sensitive or regulated applications are involved.

Q: What do organisations get wrong about hybrid passwordless programmes?

A: They often treat passwordless as a login project instead of an identity governance change. That mistake leaves fallback routes, legacy exceptions, and inconsistent device policy in place, which can preserve the very access risks the programme was meant to reduce.

Q: Who should own the controls around adaptive authentication decisions?

A: Identity security, IAM architecture, and compliance teams should share ownership, because adaptive authentication affects both access policy and audit evidence. The control needs clear decision criteria, defined escalation paths, and evidence that the policy behaves predictably under operational stress.


Technical breakdown

Hybrid passwordless authentication across legacy and modern estates

Hybrid passwordless authentication combines passkeys or other strong authenticators with policy controls that let the same identity work across cloud services, on-premises applications, and managed endpoints. The architectural challenge is not the authenticator itself, but how federation, device posture, and fallback paths are coordinated when legacy apps still expect older flows. In this pattern, the identity layer must preserve continuity without reintroducing password dependence through exceptions or alternate routes.

Practical implication: map every fallback path before rollout so passwordless exceptions do not become the new weakest authentication route.

Passkeys, device binding, and BYOD risk

Passkeys reduce phishing exposure because the credential is bound to the device and the relying party, not copied as a reusable secret. That model becomes more complex on BYOD and potentially compromised endpoints, where the issue is not only interception but whether the device can safely hold or present the credential. Device-aware authentication therefore matters as much as the passkey itself, especially when remote users and third parties are in scope.

Practical implication: treat BYOD as a distinct trust tier and apply device checks before allowing passkey-based access to sensitive systems.

Adaptive authentication for regulated environments

Adaptive authentication uses risk signals such as device state, location, behaviour, or session context to decide whether to step up, deny, or continue access. In regulated environments, this matters because authentication must satisfy security, resiliency, and audit expectations without creating avoidable downtime. The control is only effective when risk scoring and policy decisions are consistent enough to be explained during review and resilient enough to survive failover conditions.

Practical implication: define which risk signals can trigger step-up or denial, and test them against downtime and audit requirements before production rollout.
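The three breakdown sections above describe one policy: device tier and posture are checked first, fallback routes are allowed only where they are inventoried and owned, BYOD is a distinct trust tier for regulated applications, and every decision must be explainable at review. The evaluator below is an added illustration of that model, not code from RSA Security or the bank; the field names, tier labels and the `approved_fallbacks` allowlist are assumptions made for this example.

```python
"""Adaptive access policy evaluator: an added illustration (not RSA's or the bank's
code) of the decision model above. Device tier, posture, authenticator type and app
sensitivity feed one policy, and every decision records its reasons for audit review.
Field names and tier labels are assumptions made for this example."""
from dataclasses import dataclass, field

# Non-passkey routes that survive a passwordless rollout; each is a fallback path that
# must be inventoried and accepted by an application owner before it can be used.
FALLBACK_AUTHENTICATORS = {"password", "otp", "recovery_code"}

@dataclass
class AccessRequest:
    app: str
    app_sensitivity: str   # "low" or "regulated"
    device_tier: str       # "managed", "byod" or "unknown" (not enrolled)
    posture_ok: bool       # outcome of the device check (patch level, encryption, lock)
    authenticator: str     # "passkey" or one of FALLBACK_AUTHENTICATORS

@dataclass
class Decision:
    outcome: str           # "allow", "step_up" or "deny"
    reasons: list[str] = field(default_factory=list)

def evaluate(req: AccessRequest, approved_fallbacks: set[str]) -> Decision:
    """approved_fallbacks holds apps (typically legacy) whose owner signed off on a
    non-passkey route; any other fallback use is denied rather than silently allowed."""
    reasons: list[str] = []
    # Device trust first: a strong authenticator on an untrusted endpoint is still untrusted.
    if req.device_tier == "unknown":
        reasons.append("device not enrolled in any trust tier")
        return Decision("deny", reasons)
    if not req.posture_ok:
        reasons.append(f"posture check failed on {req.device_tier} device")
        return Decision("deny" if req.app_sensitivity == "regulated" else "step_up", reasons)
    # Fallback routes are permitted only where they are inventoried and owned.
    if req.authenticator in FALLBACK_AUTHENTICATORS:
        if req.app not in approved_fallbacks:
            reasons.append(f"{req.authenticator} fallback not approved for {req.app}")
            return Decision("deny", reasons)
        reasons.append(f"{req.authenticator} fallback approved for {req.app}")
        if req.app_sensitivity == "regulated":
            reasons.append("regulated app reached via fallback: step-up required")
            return Decision("step_up", reasons)
    # BYOD is a distinct tier: a passkey alone does not unlock regulated apps from it.
    if req.device_tier == "byod" and req.app_sensitivity == "regulated":
        reasons.append("BYOD device requesting regulated app: step-up required")
        return Decision("step_up", reasons)
    reasons.append(f"{req.authenticator} on healthy {req.device_tier} device")
    return Decision("allow", reasons)
```

The `reasons` list is the audit artefact: a reviewer can see which signal produced a deny or step-up without re-running the policy, and an unapproved fallback fails closed instead of becoming an ungoverned exception path.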


Threat narrative

Attacker objective: The attacker seeks durable access to enterprise accounts that can move across environments without needing repeated compromise attempts.

  1. Entry: password exposure, phishing, or other credential compromise, wherever organisations still rely on reusable secrets for broad access.
  2. Escalation: the same credential is reused across remote, legacy, and third-party environments that lack device-aware verification.
  3. Impact: account takeover and unauthorised access, plus wider compliance and downtime exposure if the credential is reused in high-value workflows.



NHI Mgmt Group analysis

Passwordless only improves identity security when the control model survives the edge cases. The bank case is not a simple authentication upgrade story. It is a reminder that passwordless succeeds only when legacy apps, third-party access, and BYOD users are all covered without creating exception pathways that reintroduce weak authentication.

Hybrid access changes the governance burden, not just the login experience. A mixed estate forces IAM teams to reason about federation, device trust, and recovery paths together. That means passwordless programmes must be designed as operating models, not isolated feature deployments, because the real failure mode is inconsistent enforcement across user populations.

Device-aware authentication is now a control boundary, not a convenience layer. Once passkeys extend to remote and BYOD users, the trust question moves from secret strength to endpoint assurance. Financial services programmes that ignore this shift may improve phishing resistance while leaving device compromise as the main residual risk.

Legacy compatibility is the hidden constraint in most passwordless programmes. A modern authenticator does not remove the need to support old applications, but it does expose how much of the environment still depends on brittle fallback logic. Practitioners should treat those fallback routes as part of the identity attack surface, not as implementation detail.

Hybrid passwordless strengthens human IAM, but it also raises the bar for adjacent NHI governance. Third-party access, service integrations, and downstream automation often rely on the same identity platform and trust assumptions. When human authentication is hardened, weak machine and delegated access paths become more visible and more exploitable, so identity programmes should review both together.

From our research:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • The same report found that 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.
  • For a deeper governance baseline, see NHI Lifecycle Management Guide, which maps how lifecycle controls reduce persistent access risk across identity types.

What this signals

Hybrid passwordless programmes will increasingly be judged by their exception handling, not their primary login flow. IAM teams should assume that legacy apps, third-party access, and BYOD will remain in scope for years, which means the real control question is whether fallback paths are visible, owned, and removable. When they are not, passwordless simply relocates risk instead of reducing it.

With 35.6% of organisations citing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, the governance lesson is that identity controls are now being measured by continuity across trust zones, not by point-in-time authentication strength. That shift matters for human IAM too, because the same identity platform often governs both people and services.

Passwordless and device trust are converging into a single governance concept: access assurance. Teams that pair authentication modernisation with the OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 will be better positioned to align human, delegated, and machine access policies under one operating model.


For practitioners

  • Inventory every passwordless fallback path: Document where users can still authenticate through passwords, one-time codes, or alternate recovery flows, then assign an owner to remove or harden each path before broad rollout.
  • Split BYOD from managed-device policy: Use different access conditions for personally owned devices and corporate endpoints so passkey acceptance, step-up, and deny logic reflect distinct risk tiers.
  • Test legacy application compatibility early: Validate how on-premises applications behave when passwordless is enforced, including authentication redirects, session renewal, and exception handling for third-party users.
  • Align authentication policy with compliance evidence: Map adaptive authentication rules to the controls auditors will ask about, including downtime tolerance, recovery behaviour, and explainable risk decisions.
  • Review delegated and machine access separately: Use the same identity programme review to check whether service integrations or partner access still depend on weaker secret handling than the human login path.

Key takeaways

  • Hybrid passwordless authentication only reduces risk when legacy apps, BYOD, and third-party access are governed as part of the same design.
  • The main security question is no longer whether passkeys work, but whether fallback paths and device trust rules are controlled tightly enough to avoid reintroducing exposure.
  • IAM teams should treat passwordless as an operating-model change that also sharpens review of adjacent NHI and delegated access paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
------------------------------|---------------------|----------------------------------------------------------------------------------------------
NIST SP 800-63                |                     | Passwordless and passkey adoption map directly to digital identity assurance and authenticators.
NIST CSF 2.0                  | PR.AC-1             | Access control and identity verification are central to hybrid passwordless governance.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Hybrid access across devices and locations depends on continuous verification and policy enforcement.

Apply Zero Trust principles to ensure device trust and session policy are evaluated before access is granted.


Key terms

  • Hybrid Passwordless Authentication: An access model that replaces passwords with stronger authenticators while still supporting mixed environments such as legacy applications, remote workers, and third-party access. In practice, it must coordinate federation, recovery, and device trust so the new login method does not reintroduce weaker fallback paths.
  • Passkey: A phishing-resistant authenticator that binds credentials to the user’s device and the relying party rather than exposing a reusable secret. For identity programmes, the key governance issue is not only whether passkeys work, but whether the endpoint holding them is sufficiently trusted.
  • Adaptive Authentication: A policy approach that changes access decisions based on risk signals such as device state, location, or session behaviour. It is effective only when the signals are explainable, the decision logic is consistent, and the response paths are resilient enough for regulated environments.
  • Fallback Path: Any alternate login or recovery route that remains available when the primary authentication method fails or is bypassed. These paths matter because they often preserve older security assumptions, and in hybrid environments they can quietly become the easiest way back into sensitive systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: Large US Bank Adopts Hybrid Passwordless Authentication to Transform Identity Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org