By NHI Mgmt Group Editorial Team
Published 2025-08-05
Domain: Best Practices
Source: Beyond Identity

TL;DR: Traditional MFA still depends on passwords, shared secrets, or weak out-of-band factors, leaving phishing, SIM swap, and push fatigue paths open, according to Beyond Identity. For IAM and NHI governance, the practical shift is toward passwordless authentication, device-bound assurance, and continuous policy checks rather than stronger add-ons to a flawed login stack.


At a glance

What this is: This is an analysis of why traditional MFA still leaves critical authentication risk in place and why passwordless approaches change the control model for IAM and NHI governance.

Why it matters: It matters because service accounts, AI agents, and human users all sit behind identity controls that fail when the first factor remains a shared secret or a weak second factor.



Context

Passwordless authentication is usually discussed as a user-experience upgrade, but the more important issue is identity assurance. Traditional MFA often improves login security without removing the most fragile element in the flow, which is the password or another shared secret. For IAM and NHI governance, that distinction matters because any control stack built on a weak first factor still leaves a broad attack surface.

In NHI-heavy environments, the same logic applies beyond human logins. Service accounts, API tokens, and AI agents depend on credentials and policy checks that can be phished, replayed, or socially engineered if the underlying trust model is weak. The article’s starting position is typical for security programs that have already adopted MFA but have not yet rethought the authentication model itself.


Key questions

Q: How should security teams replace traditional MFA without creating new access friction?

A: Start by removing passwords from the most sensitive sign-in paths and using phishing-resistant, device-bound authentication for those users first. Then keep policy lightweight and contextual, so access depends on trusted devices and current posture rather than repeated prompts. The goal is to reduce compromise paths without forcing users back into shared secrets or unnecessary second-device steps.

Q: Why do passwords remain a problem even when MFA is deployed?

A: Passwords remain a problem because they are shared secrets that can be phished, reused, leaked, or sold, which means the first factor is often already compromised before MFA even starts. If the second factor is weak or intercepted, the attacker gets a full session. MFA improves protection, but it does not erase password risk.

Q: What is the difference between passwordless authentication and traditional MFA?

A: Traditional MFA keeps the password and adds another factor on top of it. Passwordless authentication removes the password entirely and uses stronger proof such as device-bound cryptography plus local user verification. The difference is not cosmetic. It changes whether the attacker can reuse a copied secret to reach the account.

Q: Should organisations require device posture checks for every login?

A: For sensitive users and high-value systems, yes. Device posture checks help ensure that access is tied to a trusted endpoint, not just a one-time credential challenge. They are most useful when combined with continuous evaluation, so access can change if encryption, endpoint protection, or device integrity changes after sign-in.


Technical breakdown

Why password-based MFA still leaves a trust gap

Traditional MFA adds one or more additional checks after a password, but the system still begins with a shared secret. That matters because passwords are portable, reusable, and frequently exposed through phishing, reuse, or credential stuffing. If an attacker obtains the first factor, the remaining factor often becomes the only real barrier. Many deployed MFA methods also rely on channels that can be intercepted or socially engineered, which reduces the practical value of the second factor. In IAM terms, MFA improves assurance but does not remove the weakest identity primitive from the flow.

Practical implication: Treat password-based MFA as risk reduction, not as a completed control model.

How passwordless authentication changes identity assurance

Passwordless authentication removes the password from the login equation and replaces it with device-bound cryptographic proof plus local user verification such as biometrics. Instead of proving knowledge of a shared secret, the user proves possession of a trusted device and, in many implementations, liveness on that device. This shifts the control point from something the attacker can copy to something that is much harder to replay remotely. For NHI programs, the architectural lesson is the same: strong identity needs binding to a trusted runtime or device context, not just a secret that can be moved.

Practical implication: Prioritise authentication methods that bind identity to hardware and local verification.
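The device-bound proof described above, shown as an added teaching example that is not code from the Beyond Identity article or from NHI Mgmt Group. A textbook Schnorr signature over the multiplicative group mod the Mersenne prime 2^127 - 1 stands in for the hardware-backed key a FIDO2 authenticator would hold; the device signs the server's one-time challenge together with the origin it actually saw, and only after local user verification, while the relying party stores nothing but public keys and verifies against its own origin. The same code illustrates the Key terms definition of phishing-resistant authentication further down: a signature produced for a lookalike origin, or a response replayed after its challenge has been consumed, does not verify, whereas a captured OTP in the shared-secret baseline is accepted anywhere. The class names, the example origins and the user "alice" are constructed for this example, and the scheme is a teaching toy rather than production cryptography.

```python
"""Device-bound challenge-response versus a replayable shared secret.

Added teaching example, not code from the Beyond Identity article or NHIMG.
Toy Schnorr signature over Z_P^* with P = 2**127 - 1, standard library only.
Real deployments use FIDO2/WebAuthn with keys held in secure hardware.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

P = (1 << 127) - 1   # Mersenne prime M127: the toy group is Z_P^*
G = 3                # fixed base element
ORDER = P - 1        # exponents are reduced modulo the group order


def _challenge_hash(r: int, message: bytes) -> int:
    """Schnorr challenge e = H(R || message), reduced into the exponent range."""
    digest = hashlib.sha256(r.to_bytes(16, "big") + message).digest()
    return int.from_bytes(digest, "big") % ORDER


def _signed_payload(origin: str, challenge: bytes) -> bytes:
    """What the device signs: the origin it saw plus the server's challenge."""
    return origin.encode() + b"|" + challenge


@dataclass
class DeviceAuthenticator:
    """Private key generated on the device; in real hardware it never leaves it."""
    _x: int = field(default_factory=lambda: secrets.randbelow(ORDER - 2) + 1, repr=False)

    @property
    def public_key(self) -> int:
        return pow(G, self._x, P)

    def sign(self, origin: str, challenge: bytes, user_verified: bool):
        """Return (e, s) only after local user verification (PIN or biometric)."""
        if not user_verified:
            return None
        k = secrets.randbelow(ORDER - 2) + 1
        r = pow(G, k, P)
        e = _challenge_hash(r, _signed_payload(origin, challenge))
        s = (k - e * self._x) % ORDER
        return (e, s)


def verify(public_key: int, origin: str, challenge: bytes, sig) -> bool:
    """Recompute R = G^s * y^e and check that the challenge hash matches."""
    e, s = sig
    r = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _challenge_hash(r, _signed_payload(origin, challenge)) == e


class RelyingParty:
    """Server side: stores public keys only and issues one-time challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.registered: dict[str, int] = {}
        self._pending: dict[str, bytes] = {}

    def register(self, user: str, public_key: int) -> None:
        self.registered[user] = public_key

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def login(self, user: str, sig) -> bool:
        challenge = self._pending.pop(user, None)  # single use: a replay has nothing to match
        if challenge is None or sig is None or user not in self.registered:
            return False
        # Verified against the server's OWN origin, so a signature over a lookalike fails.
        return verify(self.registered[user], self.origin, challenge, sig)


def shared_secret_login(stored: str, presented: str) -> bool:
    """Password/OTP baseline: whoever learns the value can present it anywhere."""
    return hmac.compare_digest(stored, presented)


def demo() -> dict[str, bool]:
    """Constructed scenarios; origins and the user name are illustrative."""
    rp = RelyingParty("https://login.example.com")
    device = DeviceAuthenticator()
    rp.register("alice", device.public_key)

    c1 = rp.issue_challenge("alice")
    first_sig = device.sign(rp.origin, c1, user_verified=True)
    legitimate = rp.login("alice", first_sig)
    replayed = rp.login("alice", first_sig)  # the same response presented again

    c2 = rp.issue_challenge("alice")  # relayed through a lookalike site
    lookalike_sig = device.sign("https://login.example.com.evil.test", c2, user_verified=True)
    relayed_phishing = rp.login("alice", lookalike_sig)

    c3 = rp.issue_challenge("alice")
    unverified = rp.login("alice", device.sign(rp.origin, c3, user_verified=False))

    return {
        "legitimate_login": legitimate,
        "replayed_signature": replayed,
        "relayed_phishing": relayed_phishing,
        "no_user_verification": unverified,
        "shared_secret_replay": shared_secret_login("493021", "493021"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>22}: {'granted' if outcome else 'refused'}")
```

The server never holds anything an attacker could replay: the private exponent stays on the device, each challenge is consumed on first use, and the origin is part of the signed payload, which is what makes a relayed login fail even when the victim was genuinely tricked into signing.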

Continuous policy checks matter more than the login event

Authentication is not just a one-time gate. Modern identity systems can evaluate device posture, location, encryption state, endpoint protection, and other signals at sign-in and during access decisions. That approach aligns more closely with zero trust because access depends on current context, not on a static login performed hours earlier. For NHI and agentic AI programs, this is especially relevant because machine identities often operate continuously and can change risk state without a new login prompt. The technical shift is from static approval to ongoing trust evaluation.

Practical implication: Use dynamic access policy so identity decisions can change when device or workload risk changes.


Threat narrative

Attacker objective: The attacker’s objective is to turn weak authentication into durable account access that can be reused for further movement.

  1. Entry begins when an attacker captures a password, SMS code, email factor, or push approval through phishing, SIM swap, or prompt fatigue.
  2. Escalation follows when the attacker reuses the stolen factor to satisfy a weak MFA flow and establish a trusted session.
  3. Impact is account takeover, which can lead to downstream access to applications, data, or administrative functions protected by the compromised identity.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Passwordless is not just a usability improvement. It is a control-model change. Traditional MFA can reduce risk, but it still leaves the organisation exposed to compromise of the first factor and to weaknesses in the second factor. Passwordless shifts the trust anchor away from shared secrets and toward device-bound proof. That is a material change for IAM and NHI governance because it reduces the number of places where identity can be replayed or stolen. Practitioners should treat it as a foundation decision, not a preference in login UX.

Shared secrets remain the weak point even when MFA is everywhere. If the first factor is still a password, the control stack inherits password risk even when the second factor is stronger. That means security teams can report MFA coverage without actually eliminating the attack path that matters most. For NHI governance, this is familiar: a secret that can be copied, leaked, or reused is not a robust identity boundary. The practical conclusion is that coverage metrics matter less than the strength of the underlying trust primitive.

Continuous assurance is the real value, not the login ceremony. The article points toward device posture, secure hardware, and policy evaluation as part of the authentication decision. That matters because modern identities, including machine identities, do not behave like static users behind a single sign-in event. Access should depend on current risk signals, not merely on whether a one-time check passed. Teams should evaluate whether their controls can respond when device state, workload state, or session context changes.

Identity blast radius: the next control question is how far one stolen factor can travel. Passwordless and device-bound authentication matter because they shrink the blast radius of a stolen credential. In practice, the issue is not only whether an attacker can log in, but how many systems they can reach once they do. That framing is especially useful for NHI programs, where a single compromised token or service identity can propagate across automation, APIs, and pipelines. Practitioners should assess blast radius, not just authentication success rates.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity programs still miss hidden machine access paths.
  • A practical next step is to use The 52 NHI Breaches Report to study how weak identity assumptions turn into real compromise chains.

What this signals

Passwordless authentication should be treated as an identity-control decision, not a login preference. Security teams that focus only on user convenience will miss the deeper operational gain, which is reducing the number of reusable secrets in circulation. That shift matters most where privilege, automation, and remote access intersect. Teams should measure whether password removal actually reduces exposure across human and non-human identities, not just whether adoption is high.

The next governance gap is the distance between a strong login and a weak session. A phishing-resistant login does not help if sessions remain long-lived, over-privileged, or disconnected from current device state. For NHI and agentic AI programs, that same pattern shows up when credentials outlive the task they were meant to support. Practitioners should align access duration with task duration and make revocation part of the control design.

Blast-radius control is becoming the right lens for authentication strategy. If a stolen factor can unlock many downstream systems, the control is too porous for modern identity risk. That is why passwordless, posture-aware, and continuously evaluated access belongs in the same conversation as privileged access management and NHI lifecycle control. The programme question is no longer whether MFA exists. It is how far a compromise can travel once it happens.


For practitioners

  • Remove passwords from high-value authentication paths: Start with administrative users, privileged access, and any login that reaches sensitive data or production systems. Replace password-plus-OTP patterns with device-bound, phishing-resistant authentication where possible.
  • Map which MFA factors depend on shared secrets: Inventory SMS, email, push approval, and knowledge-based checks, then flag the ones that can be intercepted or socially engineered. Prioritise the paths where a stolen first factor still creates a working session.
  • Bind authentication to trusted device state: Require signals such as encryption, secure hardware, and endpoint protection before granting access. For workloads and NHI flows, extend the same idea to runtime trust and workload posture.
  • Use continuous access evaluation for sensitive identities: Reassess access when device posture, location, or session context changes instead of treating sign-in as a one-time event. This is especially relevant for privileged users and automation that runs for long periods.
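The continuous policy evaluation described in the technical breakdown and in the last two practitioner items above, as an added teaching example that is not code from the Beyond Identity article or from NHI Mgmt Group. One policy function is applied both at sign-in and on every later posture signal; a static gate that carries the sign-in decision for the whole session is shown beside it for contrast. The timeline also covers the session-duration point raised later in this piece: a workload token bound to a 300-second job is denied once the job window has passed, even though its posture never changed. The posture fields, thresholds, subjects and timeline are constructed for the example.

```python
"""Continuous access evaluation versus a one-time sign-in gate.

Added teaching example, not code from the Beyond Identity article or NHIMG.
Posture fields, thresholds and the timelines below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # keep the session but demand fresh device-bound authentication
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    """Signals reported by the endpoint (or workload runtime) at a point in time."""
    hardware_backed_key: bool
    disk_encrypted: bool
    endpoint_protection_running: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Session:
    subject: str
    kind: str            # "human" or "workload"
    privileged: bool
    issued_at: int       # seconds
    max_lifetime_s: int  # bound to the task, not "until logout"


def evaluate(session: Session, posture: Posture, now: int) -> tuple[Decision, str]:
    """The same policy, applied at sign-in and on every later signal."""
    if now - session.issued_at > session.max_lifetime_s:
        return Decision.DENY, "session outlived its task-bound lifetime"
    if not posture.hardware_backed_key:
        return Decision.DENY, "credential is not bound to secure hardware"
    if not posture.disk_encrypted:
        return Decision.DENY, "disk encryption is off"
    if not posture.endpoint_protection_running:
        return Decision.DENY, "endpoint protection stopped"
    if session.privileged and posture.os_patch_age_days > 30:
        return Decision.STEP_UP, "privileged access on a stale OS needs re-verification"
    return Decision.ALLOW, "posture within policy"


def static_gate(session: Session, timeline):
    """One-time model: the sign-in decision is carried for the whole session."""
    t0, p0 = timeline[0]
    decision, reason = evaluate(session, p0, t0)
    return [(t, decision, reason) for t, _ in timeline]


def continuous_evaluation(session: Session, timeline):
    """Zero-trust model: every posture update produces a fresh decision."""
    return [(t, *evaluate(session, posture, t)) for t, posture in timeline]


# Constructed sample data: a healthy endpoint and a privileged human session.
HEALTHY = Posture(hardware_backed_key=True, disk_encrypted=True,
                  endpoint_protection_running=True, os_patch_age_days=3)
ADMIN_SESSION = Session(subject="admin@example.test", kind="human", privileged=True,
                        issued_at=0, max_lifetime_s=3600)
ADMIN_TIMELINE = [  # (seconds since sign-in, posture)
    (0, HEALTHY),                                                # sign-in
    (600, replace(HEALTHY, endpoint_protection_running=False)),  # EDR stopped
    (900, HEALTHY),                                              # EDR restored
    (2000, replace(HEALTHY, os_patch_age_days=45)),              # OS fell behind
    (4000, HEALTHY),                                             # task window exceeded
]
# A workload credential issued for one pipeline job that must not outlive it.
PIPELINE_SESSION = Session(subject="ci-deployer", kind="workload", privileged=True,
                           issued_at=100, max_lifetime_s=300)
PIPELINE_TIMELINE = [(100, HEALTHY), (350, HEALTHY), (500, HEALTHY)]


def demo() -> dict[str, list[Decision]]:
    """Decision sequences for both models over the constructed timelines."""
    return {
        "admin_static": [d for _, d, _ in static_gate(ADMIN_SESSION, ADMIN_TIMELINE)],
        "admin_continuous": [d for _, d, _ in continuous_evaluation(ADMIN_SESSION, ADMIN_TIMELINE)],
        "pipeline_continuous": [d for _, d, _ in continuous_evaluation(PIPELINE_SESSION, PIPELINE_TIMELINE)],
    }


if __name__ == "__main__":
    for t, decision, reason in continuous_evaluation(ADMIN_SESSION, ADMIN_TIMELINE):
        print(f"t={t:>5}s  {decision.value:<8} {reason}")
```

The static gate returns "allow" for every event because it never looks again after sign-in; the continuous evaluator denies while endpoint protection is down, restores access when it returns, asks for step-up once the OS is stale, and finally denies when the task-bound lifetime is exceeded, which is the blast-radius control the rest of this piece argues for.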

Key takeaways

  • Traditional MFA reduces risk, but it still leaves passwords and other shared secrets in the authentication chain.
  • Passwordless authentication changes the trust model by binding access to devices, local verification, and stronger cryptographic proof.
  • For IAM and NHI governance, the real objective is to shrink compromise blast radius and keep access tied to current risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Passwords and weak second factors map to credential compromise risk.
NIST CSF 2.0                     | PR.AC-1             | Authentication strength and access control are central to this article.
NIST Zero Trust (SP 800-207)     |                     | Continuous verification and context-aware access align with zero trust.

Replace reusable secrets with phishing-resistant authentication for privileged and sensitive access.


Key terms

  • Passwordless Authentication: A sign-in method that removes passwords from the authentication flow and replaces them with stronger proof such as device-bound cryptography and local user verification. It reduces exposure to phishing and reuse because there is no shared secret for an attacker to steal and replay.
  • Phishing-Resistant Authentication: Authentication designed to remain effective even when users are targeted by phishing, replay, or man-in-the-middle attacks. It typically binds the credential to a device or origin so stolen codes and harvested secrets cannot be reused elsewhere.
  • Device Posture: The current security condition of an endpoint at the moment access is requested or continued. It can include encryption, operating system patch state, endpoint protection, and hardware-backed trust signals, all of which help determine whether the device should be trusted.
  • Shared Secret: Any credential or factor that can be known by more than one party and copied or reused, such as a password, OTP, or recovery code. Shared secrets are fragile because once exposed, they can often be replayed to bypass identity controls.

Deepen your knowledge

Passwordless authentication, device posture checks, and phishing-resistant login design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to reduce shared-secret risk across human and non-human identities, it is a practical place to start.

This post draws on content published by Beyond Identity: Can Passwordless Authentication Replace My MFA? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org