By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Best Practices | Source: Axiad

TL;DR: KuppingerCole’s Leadership Compass on passwordless authentication highlights a market where password elimination, phishing resistance, and zero trust alignment are becoming central buyer criteria, while 70% of respondents report using three or more IAM ecosystems, according to Axiad. The real issue is not whether passwordless works, but whether fragmented identity estates can absorb it without adding more operational complexity.


At a glance

What this is: This is Axiad’s take on KuppingerCole’s passwordless authentication research, with the key finding that passwordless adoption is rising while IAM fragmentation remains widespread.

Why it matters: It matters because passwordless does not simplify governance on its own, and IAM teams still have to reconcile lifecycle, policy, and trust decisions across multiple identity systems.

By the numbers:

Read Axiad's analysis of KuppingerCole's passwordless authentication research.


Context

Passwordless authentication removes one of the most visible attack surfaces in enterprise identity, but it does not remove identity complexity. The first-order governance problem is that most organisations already run multiple IAM ecosystems, so a passwordless layer has to fit into an existing operating model rather than replace it.

For IAM teams, the challenge is less about choosing a new login method and more about aligning authentication policy, device trust, federation, and recovery across fragmented environments. That makes passwordless part of a broader identity modernisation effort, not a standalone control.

Axiad’s discussion reflects a typical enterprise starting point: multiple systems, mixed authentication methods, and a need to improve assurance without creating another isolated identity silo.


Key questions

Q: How should security teams implement passwordless authentication across multiple IAM systems?

A: Start by mapping where identity is actually resolved, then standardise recovery, federation, and conditional access across each IAM ecosystem. Passwordless works best when the trust chain is consistent from device to application. If each platform handles enrolment and fallback differently, the programme adds complexity instead of reducing it.

Q: Why does passwordless not automatically make an environment zero trust?

A: Zero trust requires continuous verification, policy enforcement, and session control. Passwordless removes one credential type, but it does not decide whether a device is healthy, whether a session should continue, or whether access should be limited by context. Without those controls, the environment is still trusting more than it should.

Q: What do teams get wrong about passwordless recovery flows?

A: They often make recovery easier than login, which creates a weaker back door into the account. If help-desk identity proofing, device replacement, or re-enrolment is less strict than the primary authentication method, attackers will target the fallback instead of the front door.

Q: How do you know if passwordless authentication is actually working?

A: Look for fewer password-based prompts, but also check whether recovery tickets, account rebinds, and policy exceptions are falling. If passwordless adoption rises while fallback activity stays high, the programme has not removed risk; it has shifted it into less visible control paths.


Technical breakdown

Why passwordless still depends on IAM federation

Passwordless authentication changes the user experience, but not the underlying identity architecture. The system still needs to verify a user, bind that user to an account, and pass trust signals across directories, applications, and policy engines. In practice, that means federation, device posture, and recovery flows matter as much as the front-end factor replacement. If those layers are inconsistent, passwordless becomes another isolated method rather than a durable identity control.

Practical implication: map passwordless into your federation and recovery architecture before expanding it across applications.

What phishing resistance really means in practice

Phishing-resistant authentication is stronger than simply removing passwords because the credential exchange is bound to the legitimate origin and intended device context. That reduces classic credential replay and proxy attacks, but only if the implementation resists fallback paths such as weaker recovery steps, shared devices, or unmanaged endpoints. The control is therefore only as strong as the weakest supported enrolment and reset flow.

Practical implication: review enrolment, reset, and help-desk recovery paths for the same assurance level as the primary login method.

How passwordless fits zero trust architecture

Zero trust assumes continuous verification rather than one-time trust. Passwordless can support that model by reducing credential theft risk, but it does not by itself provide continuous device, session, or application-level validation. In mature environments, passwordless is one trust signal inside a larger set of access decisions, not the decision engine itself.

Practical implication: treat passwordless as an input to zero trust policy, not as a substitute for policy enforcement.




NHI Mgmt Group analysis

Passwordless authentication does not solve identity sprawl. A multi-IAM estate changes the governance problem from factor strength to control consistency. When 70% of organisations already run three or more IAM ecosystems, the risk is not just user friction, but uneven policy enforcement, duplicated recovery paths, and inconsistent trust assumptions. Practitioners should treat passwordless as a consolidation trigger, not a side project.

The decisive issue is recovery, not login. Passwordless programmes often focus on the happy path while leaving fallback mechanisms under-designed. Recovery, device replacement, and account rebind processes are where assurance collapses if they are weaker than the primary factor. The implication is that the control boundary must include off-ramp processes, not just authentication events.

Zero trust and passwordless are complementary, not interchangeable. Passwordless can improve phishing resistance, but zero trust still requires conditional access, session control, and continuous validation. Passwordless without policy depth can reduce one class of attack while leaving authorisation drift untouched. Practitioners should judge maturity by whether passwordless strengthens the broader trust model, not whether it exists in isolation.

Named concept: authentication fragmentation debt. This is the operational burden created when passwordless is layered onto multiple IAM ecosystems without standardising policy, recovery, and federation. The debt shows up as inconsistent controls, support complexity, and uneven user assurance. The practical conclusion is that modern authentication must be governed as an estate-level capability, not a point solution.

The market signal is that authentication modernisation is becoming an integration problem. Buyers are no longer evaluating passwordless as a standalone feature. They are evaluating whether it can operate across existing directories, policy engines, and user populations without adding another control island. Practitioners should expect procurement and architecture decisions to converge around interoperability, recovery assurance, and policy consistency.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why authentication modernisation and identity inventory have to move together.
  • Passwordless reduces one access risk, but the broader programme still depends on the practices in the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs to keep identity governance coherent across the estate.

What this signals

Authentication fragmentation debt: passwordless projects often fail when they are treated as a front-end upgrade instead of an estate-level trust redesign. The real programme impact is the need to reconcile federation, recovery, and conditional access across multiple identity systems before scale creates more exceptions than control.

The next phase of authentication modernisation will be measured less by password removal and more by whether the organisation can keep access decisions consistent across directories, devices, and applications. That is where IAM teams should expect the sharpest governance pressure, especially when user support and recovery processes vary by platform.

The broader signal is that zero trust maturity will increasingly depend on identity consistency, not just stronger login methods. Practitioners who pair passwordless with lifecycle discipline and policy standardisation will have a cleaner path than those who bolt it onto a fragmented estate.


For practitioners

  • Inventory authentication fallbacks: Document every recovery, reset, and re-enrolment path that can bypass the primary passwordless flow, then grade each path by assurance level and help-desk dependency.
  • Map passwordless to federation flows: Trace how identity is asserted from device to directory to application, and identify where token exchange or policy translation weakens the assurance chain.
  • Standardise trust policy across IAM ecosystems: Align device posture, conditional access, and recovery requirements across all IAM platforms before scaling passwordless to additional applications.
  • Use a zero-trust lens for rollout decisions: Validate that passwordless improves continuous verification, session control, and application access policy rather than only reducing password prompts.
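The fallback inventory above and the "how do you know it is working" question in the Key questions section describe the same measurement: per IAM ecosystem, is passwordless adoption rising while recovery, rebind and exception activity stays high? The following is an added example, not code from Axiad, KuppingerCole or NHI Mgmt Group; the event schema, the ecosystem names and the assurance grades for each fallback path are constructed assumptions.

```python
"""Detect the 'risk shifted, not removed' condition per IAM ecosystem.

Added example. EVENTS is constructed sample data; field names (ecosystem, kind,
method, path) and the FALLBACK_ASSURANCE scale are assumptions, not a product schema.
"""
from collections import defaultdict

# kind="auth" is a sign-in; kind="fallback" is a recovery, rebind or exception event.
EVENTS = (
    [{"ecosystem": "idp-a", "kind": "auth", "method": "passwordless"}] * 6
    + [{"ecosystem": "idp-a", "kind": "auth", "method": "password"}] * 2
    + [{"ecosystem": "idp-a", "kind": "fallback", "path": "helpdesk_reset"},
       {"ecosystem": "idp-a", "kind": "fallback", "path": "policy_exception"}]
    + [{"ecosystem": "idp-b", "kind": "auth", "method": "passwordless"}] * 4
    + [{"ecosystem": "idp-c", "kind": "auth", "method": "password"}] * 4
    + [{"ecosystem": "idp-c", "kind": "auth", "method": "passwordless"},
       {"ecosystem": "idp-c", "kind": "fallback", "path": "device_rebind"}]
)

# Assumed assurance grade of each fallback path relative to the primary factor.
# Anything below 2 is weaker than the passwordless login and is a candidate back door.
FALLBACK_ASSURANCE = {
    "helpdesk_reset": 1,     # phone-based identity proofing by the help desk
    "device_rebind": 2,      # self-service rebind proven with an existing factor
    "policy_exception": 0,   # conditional-access bypass granted as an exception
}

def summarise(events):
    """Per ecosystem: passwordless share of sign-ins, fallback-to-sign-in ratio,
    and the count of fallbacks graded weaker than the primary factor."""
    counts = defaultdict(lambda: {"auth": 0, "pwless": 0, "fallback": 0, "weak": 0})
    for e in events:
        c = counts[e["ecosystem"]]
        if e["kind"] == "auth":
            c["auth"] += 1
            c["pwless"] += e["method"] == "passwordless"
        elif e["kind"] == "fallback":
            c["fallback"] += 1
            c["weak"] += FALLBACK_ASSURANCE.get(e["path"], 0) < 2
    return {eco: {"passwordless_share": c["pwless"] / c["auth"] if c["auth"] else 0.0,
                  "fallback_ratio": c["fallback"] / c["auth"] if c["auth"] else 0.0,
                  "weak_fallback": c["weak"]}
            for eco, c in counts.items()}

def risk_shifted(summary, share_min=0.5, fallback_max=0.1):
    """Ecosystems where adoption is high but fallback activity has not fallen:
    the control has moved risk into recovery paths rather than removing it."""
    return sorted(eco for eco, s in summary.items()
                  if s["passwordless_share"] >= share_min and s["fallback_ratio"] > fallback_max)

if __name__ == "__main__":
    for eco, s in summarise(EVENTS).items():
        print(eco, s)
    print("risk shifted:", risk_shifted(summarise(EVENTS)))
```

Thresholds are deliberately explicit parameters so a team can tune them to its own baseline; the weak-fallback count is the list to take to the help desk and recovery owners.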

Key takeaways

  • Passwordless reduces phishing exposure, but it does not remove the governance burden created by multiple IAM ecosystems.
  • Recovery and re-enrolment paths are the control points that most often determine whether passwordless actually improves assurance.
  • Teams should judge passwordless by how well it strengthens zero trust policy and identity consistency across the estate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST Zero Trust (SP 800-207), PR.AC: Passwordless must support continuous verification and conditional access.
  • NIST CSF 2.0, PR.AC-1: Access control depends on consistent identity assurance across systems.
  • OWASP Non-Human Identity Top 10, NHI-01: Identity sprawl and unmanaged trust paths create hidden authentication risk.

Standardise authentication assurance and recovery paths across IAM platforms before broad deployment.


Key terms

  • Passwordless Authentication: An authentication approach that removes passwords from the primary login path and replaces them with stronger factors such as cryptographic keys, biometrics, or device-bound credentials. The control only works when enrolment, recovery, and federation are governed with the same assurance as the login event.
  • Phishing-Resistant Authentication: Authentication that cannot be easily replayed, proxied, or tricked into revealing reusable credentials. In practice, that means the credential is bound to the legitimate origin and device context, and fallback processes do not reintroduce weaker verification steps.
  • Identity Fragmentation: The condition where an organisation runs multiple IAM ecosystems with inconsistent policy, recovery, and trust handling. It creates duplicated control paths, uneven assurance, and operational debt, especially when a new authentication method has to work across every environment at once.
  • Zero Trust Architecture: A security model that assumes trust must be continuously earned rather than granted once at login. For authentication programmes, it means the login method is only one signal, while device posture, session risk, and policy enforcement continue to shape access decisions.

Deepen your knowledge

Passwordless authentication and federation governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising identity controls across a fragmented estate, it is worth exploring.

This post draws on content published by Axiad: KuppingerCole Highlights Axiad as a Top Passwordless Authentication Provider. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org