TL;DR: Poor password hygiene remains widespread, with 66% of employees reporting risky password behaviour and 89% of security and IT professionals saying their company is pushing passkeys, according to 1Password's Annual Report 2025 analysis. The governance challenge is not whether passwordless will arrive, but whether teams can reduce raw credential exposure while it is still partial and uneven.
At a glance
What this is: This analysis of 1Password's 2025 Access-Trust Gap findings shows that passwordless adoption is rising, but risky password behaviour and weak credential handling remain stubbornly common.
Why it matters: It matters because IAM teams still have to govern passwords, passkeys, MFA, onboarding, offboarding, and shared secrets at the same time across human and non-human access paths.
By the numbers:
- 66% of employees report having poor password hygiene.
- 89% of security and IT professionals say their company is encouraging employees to shift logins to passkeys.
- 44% of CISOs report that employees using weak or compromised passwords is one of their top security challenges.
Context
Passwordless authentication is the practice of reducing dependence on passwords by using stronger methods such as passkeys, MFA, and managed credential flows. The core credential security problem the article describes is that many organisations are trying to improve authentication without yet eliminating the human and operational habits that keep raw credentials exposed.
For IAM teams, that means the challenge is not a clean switch from passwords to passwordless. It is a mixed-state governance problem across human identity, shared access, and the controls that still store, share, and review credentials during the transition.
The article's central claim is that productivity and security can be reconciled only if organisations make strong authentication easier than password reuse, while keeping enterprise controls around the credentials that remain necessary.
Key questions
Q: How should security teams manage the transition to passwordless authentication?
A: They should treat passwordless as a phased governance programme, not a one-time switch. The priority is to reduce raw credential exposure while keeping strong controls around the passwords, recovery paths, and shared secrets that still exist. That means mapping where passwords remain in use, enforcing MFA, and making managed credential storage the default during the transition.
Q: Why do weak passwords still matter if an organisation is moving to passkeys?
A: Weak passwords still matter because most organisations run mixed authentication estates for a long time. Users continue to reuse credentials, recover accounts through weaker paths, or share access informally. Passkeys reduce risk where adopted, but they do not remove the residual exposure created by legacy workflows and unmanaged credential handling.
Q: What do security teams get wrong about passwordless programmes?
A: They often mistake adoption messaging for control effectiveness. A company can encourage passkeys and still leave gaps in recovery, onboarding, offboarding, and shared access. If those lifecycle paths still rely on passwords or unmanaged secrets, the programme has changed the login method more than the underlying risk.
Q: Should organisations keep enterprise password managers after passkey adoption starts?
A: Yes, while passwords still exist in business workflows. Enterprise password managers remain useful for secure storage, sharing, and visibility into risky credentials during the transition. They are not the end state, but they are still part of the control stack until passwords are genuinely removed from critical paths.
Technical breakdown
Why passwordless is not a binary state
Passwordless is often described as an end state, but in practice it is a transition model. Organisations move through mixed authentication estates where passwords, MFA, passkeys, and enterprise password managers coexist. The security risk comes from treating that coexistence as temporary noise rather than a governed operating condition. During the transition, the real control question is how much raw credential exposure remains in user workflows, onboarding, sharing, and recovery paths. If those paths are still easy to bypass, passwordless adoption reduces friction without materially reducing identity risk.
Practical implication: map the full authentication estate before calling the programme passwordless.
How weak password behaviour persists inside modern IAM programmes
Weak password behaviour persists because users optimise for speed, reuse, and convenience when controls are inconvenient or fragmented. Default passwords, reused passwords, and missing 2FA are not just user failures. They are also indicators that policy, guidance, and enforcement are not aligned. In many environments, the authentication stack asks people to remember too much, rotate too often, or share credentials when access is informal. That combination keeps the same old exposure patterns alive even when the organisation says it is modernising authentication.
Practical implication: treat password reuse and missing 2FA as programme design failures, not only user behaviour issues.
Why enterprise password managers remain part of the control stack
An enterprise password manager is not a substitute for passwordless, but it is still a control layer for the period in which passwords continue to exist. Its value is centralised storage, controlled sharing, and visibility into weak or reused credentials. In governance terms, it helps reduce the number of unmanaged places where secrets live and supports onboarding and offboarding with less manual handling. That matters because credential sprawl is often created by the handoffs around access, not just by the authentication event itself.
Practical implication: keep enterprise password management in scope until passwords are genuinely retired from business-critical paths.
NHI Mgmt Group analysis
Passwordless adoption is a mixed-state governance problem, not a product milestone. The article shows that organisations can encourage passkeys while still carrying large volumes of weak password behaviour and unmanaged credential handling. That means the programme is not transitioning from one clean state to another. It is running two models at once, which is why controls must cover both human authentication behaviour and the residual credential estate.
Credential exposure window is the right concept for this transition period. Passwords remain dangerous not only because they can be guessed or reused, but because they stay visible across too many workflows for too long. The report's findings on poor password hygiene and continued CISO concern show that the exposure window remains open while passwordless adoption is incomplete. Practitioners should read that as a governance latency problem, not just an authentication design issue.
Weak authentication is still a lifecycle issue. Onboarding, offboarding, password reset, shared access, and recovery flows are where passwordless programmes often leak back into old behaviours. That is why the same identity lifecycle discipline used for NHIs also applies here: what matters is not only initial authentication, but how credentials are issued, stored, shared, and retired. IAM teams should treat those handoffs as first-class governance points.
Identity teams should separate user convenience from control effectiveness. The article correctly frames passwordless as something that must not slow employees down, but convenience alone does not prove security improvement. The practitioner test is whether the organisation has reduced the number of places where raw credentials can be reused, shared, or recovered insecurely. If not, the programme has improved experience more than assurance.
Passkey adoption changes the shape of identity risk, but not the need for control ownership. As organisations push logins toward passkeys, they still need clear accountability for the credentials and devices that sit outside that flow. The implication for IAM, PAM, and IGA teams is that passwordless governance must be designed as an operating model, not a feature rollout.
From our research:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
- For the credential lifecycle angle, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, which helps teams move from ad hoc credential handling to governed rotation and offboarding.
What this signals
The practical signal for IAM teams is that passwordless programmes will be judged by how much credential handling they remove from day-to-day operations, not by how loudly they are marketed internally. Strong authentication reduces exposure only when onboarding, recovery, and sharing flows are redesigned with the same discipline.
Credential exposure window: the period during which a password or other reusable secret remains available to the user or support process. As passwordless adoption expands, the exposure window should shrink across the identity lifecycle, but it will not disappear until legacy recovery and exception handling are removed.
For programmes that still depend on passwords, the governance question is whether those credentials are centrally controlled, rotated, and reviewable. Teams that cannot answer that clearly should not treat passwordless adoption as complete, even if passkeys are already in pilot or production.
For practitioners
- Map the mixed authentication estate: Inventory where passwords, MFA, passkeys, recovery methods, and shared credentials still coexist so the migration plan reflects reality rather than target state.
- Enforce 2FA gaps as governance defects: Prioritise accounts without 2FA, especially privileged or shared accounts, and route them into remediation queues that are tracked to closure.
- Reduce credential handling in onboarding and offboarding: Remove manual password handoffs from joiner and leaver workflows by routing access through controlled identity processes and approved credential stores.
- Keep enterprise password management in scope: Require managed storage and sharing wherever passwords remain necessary, especially for developer secrets and business accounts that have not yet moved to passkeys.
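The inventory-and-triage steps above, together with the credential exposure window concept used in this page, as an added Python example that is not from the 1Password report or NHIMG: it maps a constructed account inventory by authentication method, computes each account's exposure window in days, and orders the remediation queue so privileged or shared accounts without 2FA come first. The inventory schema, scoring weights, account names and dates are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Account:  # constructed inventory record, not a 1Password or NHIMG schema
    name: str
    auth: str                        # "password", "password+mfa" or "passkey"
    privileged: bool = False
    shared: bool = False
    managed_store: bool = True       # secret held in an enterprise password manager?
    password_issued: Optional[date] = None
    password_retired: Optional[date] = None

def exposure_days(acct: Account, today: date) -> int:
    """Credential exposure window: days from issuance until retirement (or today)."""
    if acct.auth == "passkey" or acct.password_issued is None:
        return 0
    return ((acct.password_retired or today) - acct.password_issued).days

def risk_score(acct: Account) -> int:
    """Higher means remediate first: no 2FA, unmanaged storage, privilege, sharing."""
    score = 3 if acct.auth == "password" else 0            # no second factor at all
    if acct.auth != "passkey" and not acct.managed_store:
        score += 2                                         # secret lives outside the managed store
    score += 2 if acct.privileged else 0
    score += 1 if acct.shared else 0
    return score

def remediation_queue(accounts, today: date):
    """Accounts still exposing a reusable secret, highest risk and longest window first."""
    live = [a for a in accounts if a.auth != "passkey" and a.password_retired is None]
    return sorted(live, key=lambda a: (-risk_score(a), -exposure_days(a, today), a.name))

def estate_summary(accounts) -> dict:
    """Accounts per authentication method: the map of the mixed estate."""
    return dict(Counter(a.auth for a in accounts))

# Constructed sample estate with hypothetical names and dates.
TODAY = date(2025, 11, 13)
SAMPLE = [
    Account("alice", "passkey"),
    Account("bob", "password+mfa", password_issued=date(2025, 6, 1)),
    Account("carol", "password", managed_store=False, password_issued=date(2025, 8, 15)),
    Account("finance-shared", "password", shared=True, password_issued=date(2025, 3, 1)),
    Account("svc-backup", "password", privileged=True, shared=True, managed_store=False,
            password_issued=date(2024, 1, 10)),
    Account("dave", "password", password_issued=date(2025, 2, 1), password_retired=date(2025, 10, 1)),
]
```

Retired passwords drop out of the queue but keep their historical window, which is the figure to track as recovery and exception paths are removed.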
Key takeaways
- Passwordless adoption reduces risk only when organisations also remove the weak recovery, sharing, and onboarding patterns that keep passwords exposed.
- The scale of the problem remains material, with 66% of employees reporting poor password hygiene and 89% of security and IT professionals pushing passkeys.
- IAM teams should govern the transition as a mixed-state programme, keeping managed password controls in place until passwords are truly out of critical business paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and handling weaknesses align with the article's credential risk theme. |
| NIST CSF 2.0 | PR.AC-1 | Authentication and access control issues are central to the passwordless transition. |
| NIST Zero Trust (SP 800-207) | AC-1 | Passwordless supports continuous verification but does not replace access governance. |
Map residual password use to access control gaps and reduce unmanaged authentication paths.
Key terms
- Passwordless Authentication: An authentication model that reduces or removes reliance on reusable passwords by using methods such as passkeys, device-bound credentials, and other stronger login factors. In practice, most organisations adopt it gradually, so governance must still cover legacy passwords, fallback recovery paths, and exception handling.
- Credential Exposure Window: The period during which a reusable secret is visible, usable, or recoverable within business workflows. Shortening this window reduces the chance of reuse, theft, and informal sharing, but only if onboarding, offboarding, support, and recovery flows are governed as part of the identity lifecycle.
- Enterprise Password Manager: A centrally managed system for storing, sharing, and controlling passwords and other credentials across an organisation. It helps reduce unsafe reuse and manual handling, especially while passwordless adoption is incomplete and some business processes still depend on passwords or shared secrets.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: Passwordless access still leaves credential risk wide open. Read the original.
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org