By NHI Mgmt Group Editorial Team
Published 2026-01-20
Domain: Governance & Risk
Source: Imprivata

TL;DR: Healthcare IT leaders overwhelmingly see passwordless authentication as mission-critical, yet only 7% of organisations have fully adopted it and 60% still rely heavily on passwords, according to Imprivata’s survey of more than 200 healthcare respondents. The gap shows that authentication modernisation now hinges on integration, clinical workflow fit, and governance, not just security intent.


At a glance

What this is: Imprivata’s survey shows healthcare leaders strongly value passwordless authentication, but most organisations have not yet operationalised it at scale.

Why it matters: For IAM teams, the finding matters because healthcare access modernisation now has to balance phishing resistance, clinician workflow, and identity lifecycle controls across people and systems.

By the numbers:

  • 85% of healthcare IT leaders think passwordless authentication is vital.
  • Only 7% of organisations have fully adopted passwordless authentication.
  • 60% still rely heavily on passwords.
  • 53% of respondents want stronger identity security and phishing resistance.
  • More than 200 healthcare respondents took part in the Imprivata survey.


Context

Passwordless authentication is the removal of passwords from the primary login flow, usually in favour of stronger methods such as biometrics, device trust, or phishing-resistant authenticators. In healthcare, the governance problem is not only security strength but operational fit, because clinicians cannot absorb friction without affecting care delivery and support load.

The article describes a familiar identity modernisation pattern: leaders agree on the destination, but integration and workflow constraints slow execution. That makes this a human IAM topic first, with implications for access management, recertification, and help desk design across clinical and non-clinical populations.


Key questions

Q: How should healthcare teams implement passwordless authentication without disrupting clinical work?

A: Start with the workflows that create the most login friction, then test passwordless in real clinical scenarios such as shared workstations, roaming staff, and interrupted shifts. Pair the rollout with recovery options, session controls, and application compatibility testing so the new method reduces friction instead of shifting it elsewhere.

Q: Why do password-heavy environments remain risky even when users know better?

A: Because user behaviour follows workflow pressure, not policy intent. In healthcare, a difficult login path leads to password workarounds, unlock calls, and repeated credential handling, which increases both operational load and the chance of misuse. The risk persists until the access journey becomes easier than bypassing it.

Q: What signals show that passwordless adoption is actually working?

A: Look for fewer password resets, fewer help desk unlock requests, lower use of workarounds, and stable clinician throughput during login-heavy periods. If security improves but staff create new manual steps or avoid the control, the programme has only moved the problem, not solved it.

Q: Who should own passwordless governance in a healthcare organisation?

A: IAM, security, clinical informatics, and operations should own it together because the control affects access assurance, workflow safety, and support burden at the same time. Governance should also define exception handling, compliance sign-off, and retirement of legacy login paths so the environment does not remain permanently hybrid.


Technical breakdown

Why passwordless adoption stalls in clinical environments

Passwordless programmes often fail at the point where identity architecture meets live care delivery. Healthcare environments carry legacy application dependencies, shared workstations, roaming clinicians, and strict uptime requirements, so the access pattern has to survive context switching and interrupted workflows. If passwordless authentication is added as a thin layer on top of brittle integration paths, teams inherit the same operational burden in a new form. The real issue is not whether the control is secure in isolation, but whether it can be integrated without creating shadow workarounds or support escalations.

Practical implication: validate application compatibility and clinical workflow impact before mandating passwordless at scale.

How advanced access reduces password-driven risk

Advanced access combines authentication, session visibility, and recovery controls so identity assurance does not end at login. Continuous session monitoring, risk-based authentication, offline MFA, and self-service reset each address a different failure point in the access journey. In healthcare, that matters because password reuse, call-backs, and manual unlocks create both delay and exposure. Passwordless works best when it is part of a broader access model that reduces the number of credential-handling events, not just the number of passwords typed.

Practical implication: design passwordless alongside session monitoring and recovery flows, not as a standalone login change.

Where compliance and training become adoption blockers

Compliance concerns and clinical training issues are not side problems; they are adoption constraints. Regulated healthcare organisations need assurance that new access methods satisfy audit expectations, support accountability, and do not undermine patient safety when users move between devices and locations. Training also matters because even strong identity controls fail when staff do not trust or understand the new flow. The governance question is whether the organisation can make authentication simpler without weakening traceability or increasing exception handling.

Practical implication: run passwordless rollouts with compliance review, role-specific training, and exception handling built in.


NHI Mgmt Group analysis

Passwordless authentication in healthcare is a human IAM modernisation problem, not just a login preference. The article shows that leaders understand the security value, but adoption stalls when the control collides with clinical workflow, legacy integration, and support models. That makes the governance challenge broader than authentication alone, because access design must align with patient care operations and administrative reality. Practitioners should treat passwordless as part of identity operating model change, not a point solution.

Clinical access friction is itself a security risk because it drives workarounds. The survey links password-heavy environments to risky password workarounds, more security incidents or breaches, delays in patient care, and higher help desk load. That pattern shows the control failure is not simply weaker authentication, but the persistence of behaviours that reintroduce unmanaged access paths. The implication is that identity programmes must measure whether a new login method actually removes friction instead of relocating it.

Identity assurance has to extend beyond initial authentication in healthcare. Continuous session monitoring, risk-based authentication, and offline MFA are the controls that make passwordless viable in operational settings where connectivity, mobility, and urgency are constant. Without those layers, passwordless can become brittle or excluded from high-pressure clinical workflows. Practitioners should evaluate passwordless as an access journey, not as a one-time authentication event.

Health systems need a governance model for exceptions, not just a deployment plan. Only 7% of organisations have fully adopted passwordless, which means the current state is dominated by mixed environments and transitional risk. The organisations that succeed will be the ones that define where passwords can still exist, how exceptions are approved, and how exceptions are retired. For IAM teams, transition governance is the real control surface.

Phishing resistance will remain a board-level objective until password dependence drops materially. The survey shows that 53% of respondents want stronger identity security and phishing resistance, while 60% still rely heavily on passwords. That gap demonstrates why modern authentication programmes should be measured by credential reduction and workflow adoption, not by policy statements alone. Practitioners should use the passwordless roadmap as a proxy for broader identity resilience maturity.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
  • For the broader transition from human-centric access to machine-driven decision paths, see Ultimate Guide to NHIs for the governance model that underpins identity lifecycle control.

What this signals

Passwordless adoption will increasingly be judged as an operating model change. Healthcare teams should expect the next wave of identity modernisation to be measured by workflow adoption, exception rates, and clinician satisfaction rather than simple rollout counts. Organisations that keep passwords as the fallback for every hard case will preserve the very friction they are trying to remove.

Healthcare identity programmes need a clearer separation between authentication, session control, and recovery. Passwordless alone does not solve the access problem if session assurance and reset processes still depend on legacy assumptions. The practical signal is to align passwordless work with access review, help desk reduction, and clinical productivity metrics.
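The adoption signals listed under "Key questions" (fewer resets, fewer unlock requests, fewer workarounds) and the help desk reduction metric above can be computed from an ordinary ticket export. The following is an added example, not code from NHI Mgmt Group or Imprivata: it splits a constructed help-desk log at a hypothetical rollout date and reports whether password friction was reduced or merely relocated into new-method tickets. The ticket categories, the rollout date and every row of data are constructed for illustration.

```python
import csv
from collections import Counter
from datetime import date
from io import StringIO

# Constructed help-desk export for one department; not real data.
TICKETS_CSV = """opened,category
2025-09-02,password_reset
2025-09-03,account_unlock
2025-09-04,password_reset
2025-09-09,password_reset
2025-09-10,account_unlock
2025-09-12,shared_credential_report
2025-09-15,password_reset
2025-09-18,account_unlock
2025-09-22,password_reset
2025-10-02,badge_tap_failure
2025-10-02,passkey_enrollment
2025-10-03,badge_tap_failure
2025-10-06,password_reset
2025-10-07,passkey_enrollment
2025-10-08,account_unlock
2025-10-09,badge_tap_failure
2025-10-10,shared_credential_report
2025-10-14,badge_tap_failure
2025-10-20,shared_credential_report
"""

ROLLOUT_DATE = date(2025, 10, 1)  # hypothetical passwordless go-live
PASSWORD_CATEGORIES = {"password_reset", "account_unlock"}
NEW_METHOD_CATEGORIES = {"badge_tap_failure", "passkey_enrollment"}
WORKAROUND_CATEGORIES = {"shared_credential_report"}


def load_tickets(text: str) -> list[dict]:
    """Parse the CSV export into rows with a real date and a category string."""
    return [
        {"opened": date.fromisoformat(row["opened"]), "category": row["category"]}
        for row in csv.DictReader(StringIO(text))
    ]


def counts_by_period(tickets: list[dict], rollout: date) -> tuple[Counter, Counter]:
    """Count tickets per category, split into before and after the rollout date."""
    before, after = Counter(), Counter()
    for ticket in tickets:
        target = after if ticket["opened"] >= rollout else before
        target[ticket["category"]] += 1
    return before, after


def bucket(counter: Counter, categories: set[str]) -> int:
    """Total tickets that fall into one group of categories."""
    return sum(counter[c] for c in categories)


def friction_report(tickets: list[dict], rollout: date = ROLLOUT_DATE) -> dict:
    """Summarise login friction before and after rollout.

    The verdict is 'reduced' only when total friction tickets fell; if password
    tickets dropped but new-method and workaround tickets absorbed the volume,
    the programme has relocated the problem rather than solved it.
    """
    before, after = counts_by_period(tickets, rollout)
    total_before, total_after = sum(before.values()), sum(after.values())
    workaround_before = bucket(before, WORKAROUND_CATEGORIES)
    workaround_after = bucket(after, WORKAROUND_CATEGORIES)
    return {
        "password_tickets": (bucket(before, PASSWORD_CATEGORIES), bucket(after, PASSWORD_CATEGORIES)),
        "new_method_tickets": (bucket(before, NEW_METHOD_CATEGORIES), bucket(after, NEW_METHOD_CATEGORIES)),
        "workaround_reports": (workaround_before, workaround_after),
        "total": (total_before, total_after),
        # Rising workaround reports are a governance signal on their own,
        # regardless of what happened to reset volume.
        "workarounds_rising": workaround_after > workaround_before,
        "verdict": "reduced" if total_after < total_before else "relocated",
    }


if __name__ == "__main__":
    for key, value in friction_report(load_tickets(TICKETS_CSV)).items():
        print(f"{key}: {value}")
```

In the constructed data, password resets and unlocks fall from 8 to 2 after rollout, but badge-tap failures, enrolment tickets and shared-credential reports push the total from 9 to 10, so the report returns "relocated". Real exports should be normalised per active user and per period before comparing, and the category names must match the help desk's own taxonomy.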

With 52% of respondents in our 2026 Infrastructure Identity Survey saying AI security decision-making power is shifting toward platform and infrastructure teams, identity governance is moving closer to the operational edge. For healthcare, that same pattern means access controls must be designed where work happens, not only where policy is written.


For practitioners

  • Map passwordless to clinical workflow realities: Test passwordless journeys against shared devices, shift changes, emergency logins, and application switching before expanding rollout. Use representative clinician groups, not only IT staff, so the design reflects actual care delivery patterns.
  • Pair passwordless with recovery and monitoring controls: Deploy continuous session monitoring, risk-based authentication, offline MFA, and self-service unlock together so access does not fail when users lose connectivity or devices. Treat recovery paths as part of the control, not an exception to it.

Key takeaways

  • Healthcare leaders broadly agree passwordless authentication matters, but adoption is still far behind the stated need.
  • The main blockers are not just technical; they include clinical training, compliance, and the risk of new workarounds.
  • Successful programmes will combine passwordless access with recovery, monitoring, and workflow-aware governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST SP 800-63                |                     | Passwordless authentication maps to digital identity assurance and authenticator lifecycle.
NIST CSF 2.0                  | PR.AC-1             | Access control decisions must support healthcare workflow without weakening assurance.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Passwordless is part of continuous identity verification and least-privilege access.

Align passwordless rollout to authenticator assurance and recovery requirements before expanding adoption.


Key terms

  • Passwordless Authentication: An authentication approach that removes passwords from the primary sign-in flow and uses stronger factors such as device trust, biometrics, or phishing-resistant authenticators. In practice, its security value depends on recovery, session assurance, and integration with the applications and workflows users rely on.
  • Continuous Session Monitoring: A control that evaluates what happens after login, not only at the point of authentication. It tracks session behaviour for risk, anomalous activity, and policy violations, which is especially useful where users move across devices, locations, or high-pressure operational environments.
  • Risk-based Authentication: An authentication method that adjusts assurance requirements based on context such as device, location, behaviour, or transaction sensitivity. It is most useful when organisations need to reduce friction for routine access while raising verification only when risk indicators justify it.
  • Access Workaround: Any informal method users adopt to bypass or shortcut an access control that feels too slow, too hard, or too unreliable. Workarounds are a governance signal, not just a user problem, because they often reintroduce unmanaged credentials or weaken traceability.
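The "How advanced access reduces password-driven risk" section and the Continuous Session Monitoring and Risk-based Authentication terms above describe assurance that continues after login. The following is an added example, not code from NHI Mgmt Group, Imprivata or any product: a small policy engine that scores each access event from context signals (device trust, site, action sensitivity, time since authentication, roaming between devices) and decides whether a session can proceed, needs a phishing-resistant step-up, or is denied. The signal names, weights, thresholds and the replayed shift are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered assurance levels a session can hold (constructed for this example)."""
    NONE = 0
    SINGLE_FACTOR = 1        # e.g. badge tap on a managed shared workstation
    PHISHING_RESISTANT = 2   # FIDO2 passkey or smart card


class Decision(Enum):
    ALLOW = "allow"          # current session already meets the required assurance
    STEP_UP = "step_up"      # re-authenticate with a phishing-resistant factor
    DENY = "deny"            # risk too high for any in-band step-up


@dataclass(frozen=True)
class Context:
    """Signals observed at a login or at a later in-session action (all hypothetical)."""
    user: str
    device_id: str
    device_trusted: bool     # enrolled and managed device
    location: str            # site or network zone
    sensitivity: str         # routine | ehr_read | ehr_write | controlled_substance
    minutes_since_auth: int
    failed_attempts: int = 0


@dataclass
class Session:
    """State carried forward after a successful authentication."""
    user: str
    device_id: str
    location: str
    assurance: Assurance


# Weights and thresholds are illustrative, not taken from any standard or product.
SENSITIVITY_WEIGHT = {"routine": 0, "ehr_read": 15, "ehr_write": 30, "controlled_substance": 50}
SHIFT_MINUTES = 480   # re-verify once a shift-length session has elapsed
STEP_UP_AT = 30       # score at which a phishing-resistant factor is required
DENY_AT = 100         # score at which no in-band step-up is accepted


def risk_score(ctx: Context, session: Optional[Session] = None) -> int:
    """Sum the context signals into one score; higher means riskier."""
    score = SENSITIVITY_WEIGHT[ctx.sensitivity]
    if not ctx.device_trusted:
        score += 40
    if ctx.failed_attempts >= 3:
        score += 30
    if ctx.minutes_since_auth > SHIFT_MINUTES:
        score += 20
    if session is not None:
        # Continuous monitoring: a session continuing on another device or at
        # another site is the roaming pattern that warrants a fresh check.
        if session.device_id != ctx.device_id:
            score += 25
        if session.location != ctx.location:
            score += 15
    return score


def required_assurance(score: int) -> Assurance:
    """Map a score to the minimum assurance the action requires."""
    return Assurance.PHISHING_RESISTANT if score >= STEP_UP_AT else Assurance.SINGLE_FACTOR


def evaluate(ctx: Context, session: Optional[Session]) -> Decision:
    """Decide whether an action proceeds, needs step-up, or is denied.

    A missing session means this is the initial login, which is reported as
    STEP_UP because authentication at the required level is still needed.
    """
    score = risk_score(ctx, session)
    if score >= DENY_AT:
        return Decision.DENY
    needed = required_assurance(score)
    if session is None or session.user != ctx.user or session.assurance < needed:
        return Decision.STEP_UP
    return Decision.ALLOW


def apply_step_up(ctx: Context) -> Session:
    """Simulate a successful phishing-resistant re-authentication in the new context."""
    return Session(ctx.user, ctx.device_id, ctx.location, Assurance.PHISHING_RESISTANT)


def walk_shift() -> list[Decision]:
    """Replay a constructed clinician shift and return the decision for each event."""
    session = Session("dr.lee", "ws-icu-01", "icu", Assurance.SINGLE_FACTOR)  # badge-tap login
    events = [
        # same workstation, chart read: routine, proceeds on the existing session
        Context("dr.lee", "ws-icu-01", True, "icu", "ehr_read", minutes_since_auth=5),
        # roamed to an ER workstation and wants to write: step-up
        Context("dr.lee", "ws-er-07", True, "er", "ehr_write", minutes_since_auth=120),
        # controlled-substance order late in the shift on the same ER workstation
        Context("dr.lee", "ws-er-07", True, "er", "controlled_substance", minutes_since_auth=500),
        # unmanaged tablet off-site with repeated failures: deny
        Context("dr.lee", "tablet-99", False, "offsite", "ehr_write", minutes_since_auth=10, failed_attempts=3),
    ]
    decisions = []
    for ctx in events:
        decision = evaluate(ctx, session)
        decisions.append(decision)
        if decision is Decision.STEP_UP:
            session = apply_step_up(ctx)
    return decisions


if __name__ == "__main__":
    for decision in walk_shift():
        print(decision.value)
```

The design point is that the same scoring runs at login and at every later action, so a badge-tap session on a shared workstation is enough for routine reads but a roaming write or a late-shift controlled-substance order re-verifies the clinician with a phishing-resistant factor. Weights would be tuned against real workflow data, and the deny path needs an out-of-band recovery route so it does not itself become a source of workarounds.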

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: New Imprivata Survey Finds 85% of Healthcare IT Leaders Think Passwordless Authentication is Vital, but Adoption Lags Significantly. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org