By NHI Mgmt Group Editorial Team
Published 2025-11-26
Domain: Governance & Risk
Source: Imprivata

TL;DR: Security leaders increasingly view IAM as a productivity control as well as a security control, with 92% of organisations reportedly implementing or planning passwordless authentication, according to Imprivata. In critical industries, the real test is whether access can stay fast, accountable, and usable for shared workstations and frontline workflows.


At a glance

What this is: a discussion of how IAM is evolving toward passwordless, shared, and context-aware access in critical industries.

Why it matters: IAM teams must balance usability, compliance, and accountability across human, machine, and emerging AI-driven access patterns.



Context

Identity access management is shifting from a purely protective function to an operational enabler, especially where workers share devices, move quickly between systems, and cannot afford repeated login friction. In healthcare, public safety, and manufacturing, the question is no longer whether identity matters, but how to make access both secure and fast enough for real work.

Passwordless authentication, risk-based verification, biometrics, and shared mobile access are all responses to the same governance problem: traditional login patterns slow frontline operations while still leaving accountability gaps. The stronger model is not simply fewer passwords. It is access that is bound to the right person, the right device, and the right context without forcing work to stop.

For identity teams, this is also a lifecycle issue. Shared access must still be governed, reset, and auditable, whether the identity is human, machine-adjacent, or part of a broader operational workflow. The programme question is not whether to remove friction, but which controls can replace it without weakening assurance.


Key questions

Q: How should security teams implement passwordless authentication for shared devices?

A: Security teams should pair passwordless authentication with device binding, session logging, and automatic reset so the next user starts from a clean state. The aim is not only faster login. It is to preserve accountability across shared workstations while avoiding password fatigue and reducing the likelihood that one user inherits another user’s session state.

Q: Why do shared workstations create IAM governance challenges?

A: Shared workstations create governance challenges because multiple people use the same hardware across a shift, which blurs session ownership unless identity controls are explicit. Teams must define who authenticated, what they accessed, and when the environment was cleared. Without that lifecycle discipline, shared access becomes shared residual risk.

Q: What do organisations get wrong about passwordless access?

A: Many organisations treat passwordless as a user-experience upgrade instead of an access governance redesign. That mistake leaves gaps in session handling, auditability, and cleanup. Passwordless only improves security when it is paired with strong context checks and a reliable way to end the prior session before the next one begins.

Q: How do you know if shared mobile access is working?

A: Shared mobile access is working when users can authenticate quickly, load their personalised workspace, and then leave no recoverable session state behind. A good signal is that the device consistently returns to a known-clean condition between users while maintaining complete logs of who accessed what and when.


Technical breakdown

Passwordless authentication and shared-device access

Passwordless authentication replaces repeated password entry with stronger proof such as biometrics, device binding, or risk-based checks. In shared-device environments, the key design requirement is not just authentication, but session continuity across multiple applications without widening the attack surface. If the user authenticates once and then receives controlled access to a shared workstation or mobile device, the system must preserve identity continuity, logging, and revocation boundaries. That is what makes passwordless useful in frontline settings: it reduces friction without turning every handoff into a new security exception.

Practical implication: design passwordless flows so session state, auditability, and device reset are part of the access model from the start.

Context-aware IAM in critical industries

Context-aware IAM uses signals such as location, device state, risk, role, and workflow context to decide how access should be granted. This matters in hospitals, manufacturing plants, and public safety settings where the same user may need different access depending on shift, workstation, or incident severity. The model is not about relaxing control. It is about making the control adaptive so security checks fit the operational moment instead of blocking it. Done well, context reduces login fatigue and improves assurance because access decisions are more specific than a static password policy.

Practical implication: map access policy to workflow context, not just user role, so verification matches the operational environment.

Shared mobile access and automatic reset

Shared mobile access allows a worker to badge into a device, load a personalised workspace, and then have that session cleared for the next user. This is especially important where many workers touch the same hardware across a shift. The architectural point is that the identity lifecycle extends beyond login: entitlement, session content, and device state all need cleanup. Without an enforced reset step, shared access becomes persistent access with a friendlier interface. The control value comes from making each session ephemeral even when the device itself is shared.

Practical implication: pair shared access with mandatory wipe-and-reset logic so one user’s session cannot bleed into the next.
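As an added example (not Imprivata's or NHI Mgmt Group's code), this Python model of a shared-workstation session broker shows the failure mode the passwordless and shared-mobile paragraphs above describe: without an enforced reset, the second user's session inherits the first user's cached credential, while the reset path clears it and leaves an ordered audit trail of who badged in, who badged out, and when the device was cleared. The device-binding key, device id and user names are constructed for the demonstration.

```python
import hashlib, hmac
from dataclasses import dataclass, field

DEVICE_KEY = b"constructed-demo-key"  # constructed; real deployments keep it in hardware-backed storage

def bind_token(user: str, device_id: str) -> str:
    """Passwordless proof bound to one user AND one device (badge tap + device key)."""
    return hmac.new(DEVICE_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Device:
    device_id: str
    active_user: str = ""  # empty string means nobody is badged in
    cached_credentials: dict = field(default_factory=dict)  # residual state a handoff must not carry over

@dataclass
class SessionBroker:
    enforce_reset: bool = True
    audit: list = field(default_factory=list)  # ordered (event, user, device_id) records

    def reset(self, device: Device) -> None:
        """Enforced destruction of residual session state before the next user starts."""
        device.cached_credentials.clear()
        self.audit.append(("reset", device.active_user, device.device_id))
        device.active_user = ""

    def badge_in(self, user: str, device: Device, token: str) -> None:
        if not hmac.compare_digest(token, bind_token(user, device.device_id)):
            self.audit.append(("denied", user, device.device_id))
            raise PermissionError("token is not bound to this user and device")
        if device.active_user:  # handoff: end the prior session first
            self.audit.append(("badge_out", device.active_user, device.device_id))
            if self.enforce_reset:
                self.reset(device)
        device.active_user = user
        device.cached_credentials[user] = f"session-{user}"  # what loading the workspace leaves behind
        self.audit.append(("badge_in", user, device.device_id))

    def residual_state(self, device: Device) -> list[str]:
        """Cached credentials that belong to someone other than the current user."""
        return [u for u in device.cached_credentials if u != device.active_user]

def simulate_handoff(enforce_reset: bool) -> tuple[list[str], list[tuple]]:
    """Two workers share one constructed workstation; returns (leaked users, audit trail)."""
    device = Device("ws-icu-07")
    broker = SessionBroker(enforce_reset=enforce_reset)
    broker.badge_in("nurse_a", device, bind_token("nurse_a", device.device_id))
    broker.badge_in("nurse_b", device, bind_token("nurse_b", device.device_id))
    return broker.residual_state(device), broker.audit
```

Running `simulate_handoff(False)` reports `nurse_a` as residual state after `nurse_b` badges in; `simulate_handoff(True)` reports none and records a `reset` event between the two sessions.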


NHI Mgmt Group analysis

Passwordless authentication is now an operational requirement, not a convenience feature. In critical industries, repeated password prompts create measurable delay, but removing them without redesigning assurance simply moves risk elsewhere. The governance task is to decide which access moments need strong proof, which need continuity, and which need automatic reset. Practitioners should treat passwordless as a workflow control, not a login shortcut.

Shared access only works when identity and session state are separated cleanly. A shared workstation or mobile device can support frontline efficiency, but only if the user session is explicitly bounded and cleared between workers. Otherwise the organisation is just sharing risk more efficiently. Practitioners should view shared access as a lifecycle problem that spans authentication, session handling, and offboarding.

Shared access reset: the control is not the shared device itself, but the enforced destruction of residual session state after use. That concept is central in environments where many workers authenticate to the same hardware across a shift. The implication is that access governance must extend beyond credential validation into device cleanup, audit trail integrity, and role-specific session boundaries.

Identity is becoming a productivity layer, but only if governance stays precise. The strongest programmes will not choose between user experience and assurance. They will instrument context, session reset, and verification depth so that frontline users move faster without creating invisible persistence. Practitioners should align IAM design with operational tempo, not with the old assumption that every login is a separate security event.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • For teams extending identity controls into machine and workflow access, the NHI Lifecycle Management Guide shows why access state must be governed through provisioning, rotation, and offboarding, not just authentication.

What this signals

Shared access reset: the next frontier in IAM is not only faster authentication, but proving that each session returns the device to a clean, auditable state. As organisations broaden passwordless adoption, the control question shifts from whether a user can get in to whether the environment is genuinely ready for the next user.

The pressure to support frontline work will keep pushing IAM toward context-aware controls, especially in environments where shared devices and shift-based access are normal. Teams that can combine risk-based authentication with deterministic reset will reduce friction without creating hidden persistence, which is the real governance failure in shared access models.

Passwordless does not remove lifecycle obligations. It increases the need to prove that authentication, session cleanup, and entitlement reuse are all linked, especially where human access patterns overlap with managed devices and workflow automation.


For practitioners

  • Redesign shared-device login flows: Replace repeated password prompts with passwordless access that still records who authenticated, on which device, and for which workflow. Pair the authentication event with explicit session boundaries so clinicians, technicians, or field staff do not inherit the prior user’s state.
  • Make session reset mandatory: Require automatic wipe-and-reset behaviour on shared workstations and shared mobile devices before the next user starts. Validate that application state, cached credentials, and local data are cleared as part of the handoff, not as a manual cleanup step.
  • Use context to tune assurance: Apply risk-based authentication and device context to decide when to step up verification versus when to preserve continuity. The control objective is to reduce friction in normal workflows without weakening protection during higher-risk access moments.
  • Audit frontline IAM for lifecycle gaps: Review how identity is provisioned, reused, and retired in shared workflows. The common failure is treating login as the end of the control, when the real issue is whether the session and device are fully returned to a clean state.

Key takeaways

  • Passwordless authentication only improves security when it is paired with session boundaries, auditability, and automated reset.
  • Shared device environments expose governance gaps that are lifecycle problems as much as login problems.
  • IAM programmes in critical industries must optimise for both workflow speed and clean handoff, or they will trade friction for residual risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST SP 800-63               |                     | Passwordless authentication and identity proofing are central to the article.
NIST CSF 2.0                 | PR.AC-1             | Identity and access management is the core governance theme.
NIST Zero Trust (SP 800-207) | PR.AC-4             | Context-aware access and least privilege fit zero trust access decisions.

Align shared access workflows to access control policies and verify that session cleanup is enforced.


Key terms

  • Passwordless Authentication: Passwordless authentication is a method of proving identity without a reusable password, usually by using biometrics, device possession, or cryptographic proof. In practice, it reduces login friction while improving resistance to credential theft, but only if the surrounding session and device controls are equally strong.
  • Shared Device Access: Shared device access is a model where multiple users authenticate to the same workstation or mobile device across a shift or workflow. It requires strict session isolation, logging, and reset controls so one user’s activity does not persist into the next user’s session or create accountability gaps.
  • Context-Aware Access: Context-aware access is an access decision model that uses signals such as role, location, device state, and risk to decide how much verification is needed. It helps organisations balance usability and assurance by adapting authentication depth to the operational situation rather than applying a fixed rule everywhere.
  • Session Reset: Session reset is the enforced clearing of user state, cached data, and active access after a session ends. It matters in shared environments because access control does not end at authentication. A clean reset is what prevents residual access from becoming the next user’s hidden risk.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by Imprivata: Security leaders discuss optimizing identity and access management in critical industries.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org