By NHI Mgmt Group Editorial Team
Published 2026-02-19
Domain: Best Practices
Source: Imprivata

TL;DR: Passwordless authentication is presented as the next step beyond password-based MFA because phishing, OTP interception, MFA fatigue, and SIM-swap attacks still exploit the weakest factor, according to Imprivata. The practical shift is not just better user experience but phishing-resistant identity design built around device-bound keys and local verification.


At a glance

What this is: This is an analysis of why passwordless authentication is replacing password-based MFA and which phishing-resistant methods matter most.

Why it matters: It matters because IAM teams must design authentication that works for humans today while also hardening identity workflows that increasingly connect to NHI, workload, and agentic access patterns.

By the numbers:

👉 Read Imprivata's analysis of passwordless authentication and MFA limits


Context

Passwordless authentication is an identity architecture choice, not just a login convenience feature. The article argues that password-based MFA still leaves room for phishing, OTP theft, MFA fatigue, and SIM-swap abuse, which is why modern authentication strategy now has to shift toward phishing-resistant methods.

For IAM programmes, the real issue is whether the control being deployed can resist active attack rather than merely add another checkpoint. That matters across human identity today and increasingly across adjacent access models where credentials, tokens, and device trust all need tighter lifecycle and verification controls.


Key questions

Q: How should organisations move from password-based MFA to passwordless authentication?

A: Start with the access paths that face the highest phishing and replay risk, such as remote access, privileged users, and sensitive business applications. Replace password-plus-OTP flows with device-bound authenticators that use non-exportable keys and local verification. Keep fallback recovery tightly controlled so weak exceptions do not become the new default.

Q: Why do password-based MFA controls still get bypassed in practice?

A: They still depend on reusable secrets or coercible approvals, which attackers can steal, relay, or pressure users into accepting. OTPs, SMS codes, email codes, and push prompts can all be manipulated if the attacker controls the login path or the user is fatigued. That is why phishing-resistant design matters more than adding another factor.

Q: When should security teams prioritise passkeys over other authentication upgrades?

A: Prioritise passkeys when phishing, credential stuffing, or remote account takeover would create outsized business risk, especially for privileged, frontline, or shared-device users. They are most valuable where the organisation wants to reduce dependence on passwords without sacrificing usability. The strongest use cases are the ones where secret reuse has already become a liability.

Q: What should IAM teams watch when rolling out passwordless login?

A: Watch enrolment assurance, recovery, device revocation, and exception handling. Passwordless only stays strong if the enrolled device remains trusted and the recovery path does not fall back to weak shared secrets. The programme should also verify that badges, passkeys, or hardware keys are managed through the same identity lifecycle as other credentials.


Technical breakdown

Why password-based MFA still fails under phishing and replay

Password-based MFA can add a second checkpoint, but it does not remove the core weakness of a reusable secret. If the first factor is a password and the second factor is an OTP, push approval, SMS code, or email code, the attacker can still phish, intercept, replay, or socially engineer the flow. The article correctly frames this as an authentication architecture problem, not a user-awareness problem. The key limitation is that the authenticator is still too detached from the origin and too easy to coerce.

Practical implication: treat password-plus-OTP MFA as a transitional control, not a phishing-resistant end state.

How FIDO2 and Passkeys change the authentication trust model

FIDO2 and passkeys move authentication away from shared secrets and toward asymmetric cryptography. The private key stays on the device, while the public key is registered with the service, and the login is bound to the origin so credentials cannot be reused on a lookalike site. That design sharply reduces credential stuffing, replay, and phishing success because there is no reusable secret to steal in transit. In practice, this makes authentication resistant by construction rather than dependent on user judgement.

Practical implication: prioritise device-bound authenticators for users and workflows where phishing risk is material.

Why local verification matters more than the second factor label

Local verification means the user must approve the login on the trusted device through biometrics or a PIN before the private key can be used. That step matters because it keeps the release of the credential anchored to the user’s device possession rather than a remote one-time code or push message that can be manipulated. This is why the article’s examples, including hardware keys, badges, and system keychains, all emphasise where the private key lives and how it is unlocked.

Practical implication: choose authenticators that bind the credential to a managed device and a local unlock action.



NHI Mgmt Group analysis

Passwordless succeeds because it removes the reusable secret that attackers keep targeting. Password-based MFA still depends on a credential pattern that can be phished, replayed, intercepted, or fatigued into approval. Once the password disappears and the private key stays non-exportable on the device, the attack surface changes materially. Practitioners should stop treating password removal as optional UX refinement and treat it as a structural control change.

Phishing-resistant authentication is becoming the baseline assumption for high-risk identity journeys. The article’s strongest point is that authentication strength is no longer measured by the number of prompts, but by whether the factor can be stolen and reused elsewhere. That aligns with modern identity guidance that favours origin binding and device-held keys over removable secrets. IAM teams should re-evaluate where they still rely on secrets that were never designed for hostile networks.

Standards are now catching up to the architecture change. The article points to NIST and BSI guidance that increasingly treats passkey-style authentication as the safer default where supported. That does not eliminate governance work, because device lifecycle, enrolment assurance, recovery, and lost-token handling become the new control points. Security teams should align authentication policy with how credentials are issued, stored, and recovered across the user lifecycle.

Healthcare and critical infrastructure are the clearest proving grounds for passwordless adoption. Shared workstations, badge-based sign-in, and frequent session switching make fragile MFA especially costly in those environments. The operational lesson is that authentication must be fast, local, and resistant to phishing without forcing staff back into password resets or callback workarounds. IAM programmes in those sectors should design for tap-and-go plus strong local verification, not just for compliance checkboxes.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • Passwordless rollouts should be paired with Microsoft Midnight Blizzard breach analysis because account takeover often succeeds through identity weakness, not malware sophistication.

What this signals

Passwordless is becoming an identity governance issue, not just an authentication project. Once reusable passwords are removed, the programme inherits new control points around enrolment, recovery, device trust, and revocation. That means identity teams should think in lifecycle terms, because authentication strength is only as durable as the enrolment and fallback process behind it.

The strongest near-term signal is that phishing-resistant authentication will increasingly define where IAM programmes draw the line between acceptable and legacy access. Organisations that keep push-based or SMS-based flows in privileged paths will carry unnecessary exposure, especially where shared devices or regulated workflows make compromise costly.

As passwordless expands, the governance model has to include the device, not just the user. That is the practical shift: authentication assurance now depends on enrolled hardware, local unlock, and clean offboarding when a token, badge, or passkey is lost or replaced.


For practitioners

  • Prioritise phishing-resistant authentication for high-risk access paths: Replace password-plus-OTP flows first for administrators, remote access, and high-value applications where phishing and replay are realistic attack paths. Use device-bound authenticators that support origin binding and non-exportable keys.
  • Map which login flows still depend on reusable secrets: Inventory where passwords, SMS codes, email codes, and push approvals remain in use. Classify those paths by risk, then move the highest-exposure journeys to passkeys, hardware keys, or smartcard-style authentication.
  • Design recovery and device-loss processes before rollout: Define how users re-enrol, recover access, and revoke lost authenticators without reintroducing weak fallback methods. Make lifecycle controls for enrolled devices part of the authentication policy, not an afterthought.
  • Align privileged access with stronger local verification: Require stronger device-bound authentication for PAM, shared terminals, and sensitive workflows where session takeover or prompt fatigue would be especially damaging. Keep the unlock action local and managed.

Key takeaways

  • Password-based MFA reduces risk, but it does not eliminate the reuse and interception problems that attackers exploit most often.
  • Passkeys and FIDO2 shift authentication toward non-exportable, origin-bound credentials that are far harder to phish or replay.
  • IAM teams should treat passwordless rollout as a lifecycle and recovery design problem, not as a simple login swap.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | AAL3 | Non-exportable keys and origin binding align with high-assurance authentication.
NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication assurance are central to this login model.
NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust depends on strong, continuous identity verification at access time.

Use phishing-resistant authenticators for high-risk access and avoid reusable secrets where possible.


Key terms

  • Passwordless authentication: An authentication model that removes the need for a manually entered password and instead relies on device-bound credentials such as passkeys, hardware tokens, or smartcards. It reduces exposure to phishing and credential reuse because the secret is not typed, copied, or reused across sites.
  • Phishing-resistant authentication: An authentication method designed so a user cannot be tricked into handing over a reusable secret to an attacker. The credential is tied to the legitimate service origin and typically remains non-exportable on a trusted device, which makes replay and impersonation far harder.
  • Local user verification: A device-side check that confirms the rightful user before releasing a cryptographic authenticator. This is usually done with biometrics or a PIN, and it matters because the approval happens on the trusted device rather than through an interceptable remote prompt or code.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: passwordless authentication and why MFA alone is no longer enough. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org