TL;DR: Gartner research says most organisations are not trying to eliminate passwords immediately, but to reduce dependency through phased adoption that balances security, usability, and operations. A passwordless programme only works when teams treat authentication as a migration path, not a single product change.
At a glance
What this is: This is an independent analysis of passwordless authentication as a phased IAM transition, with the key finding that most organisations should reduce password dependency incrementally rather than attempt an immediate password removal program.
Why it matters: It matters because identity teams must redesign authentication journeys, recovery flows, and governance controls for a mixed state where passwords and passwordless methods coexist during transition.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read SSH Communications Security's analysis of phased passwordless adoption
Context
Passwordless authentication is not a single control but an authentication migration pattern that reduces dependence on shared secrets. The practical problem is that passwords still sit inside login flows, fallback paths, and recovery processes, so most organisations cannot remove them everywhere at once without breaking access.
That makes identity governance central to passwordless adoption. Security teams have to decide where friction is highest, where risk is greatest, and how to run hybrid authentication states without creating a blind spot in recovery, exception handling, or user support.
Key questions
Q: How should organisations phase in passwordless authentication without disrupting access?
A: Start by inventorying every place a password is still used, including recovery and support paths. Then target the highest-risk or highest-friction journeys first, measure user impact, and expand only after assurance and usability remain stable. The goal is a controlled transition, not an overnight replacement of every login method.
Q: Why do passwordless projects still fail if passwords are removed from the main login screen?
A: Because the main login is only one part of the authentication surface. If recovery, device replacement, help desk resets, or fallback flows still rely on passwords or weak proofing, attackers can use those paths to regain access. The overall assurance level is set by the weakest supported route.
Q: What do IAM teams get wrong about passwordless adoption?
A: They often treat it as a product rollout instead of an operating-model change. Passwordless affects enrolment, recovery, exception handling, user support, and policy enforcement, so governance must change with the technology. Without that, organisations may improve convenience while leaving control gaps in place.
Q: How do you know a passwordless programme is actually working?
A: Look for reduced password reset volume, lower dependence on fallback authentication, stable access success rates, and fewer support exceptions in high-risk journeys. If users keep reverting to legacy methods or recovery becomes the primary entry point, the programme has not reduced dependency in a meaningful way.
Technical breakdown
Why passwordless is usually a migration, not a switch
Passwordless authentication replaces password-based verification with stronger possession, biometric, or cryptographic methods, but the identity system around it rarely changes in one move. Legacy applications, help desk resets, service exceptions, and step-up flows often still depend on passwords somewhere in the chain. That creates a transitional architecture where the real control question is not whether passwords exist, but where they remain authoritative. In practice, passwordless programmes succeed when teams map every place a password is still accepted, cached, or used for recovery, then reduce those dependencies in sequence instead of assuming blanket replacement.
Practical implication: inventory every password dependency before rollout so hidden fallback paths do not undermine the new authentication model.
Hybrid authentication environments and control boundaries
A hybrid state means both password-based and passwordless methods coexist during adoption. That is not a failure, but it does create control boundaries that IAM teams must define carefully. The main risks are inconsistent assurance levels, uneven user journeys, and recovery processes that quietly reintroduce weaker authentication. The security value of passwordless depends on how consistently it is enforced across high-risk use cases, privileged workflows, and sensitive applications. Without clear policy for where each method is allowed, organisations may improve user experience while leaving the highest-risk access paths unchanged.
Practical implication: set explicit policy boundaries for where passwordless is mandatory, optional, or disallowed during the transition.
Passwordless and recovery path governance
Passwordless programmes often fail in recovery, not in primary login. If account recovery, device replacement, or support escalation still relies on weaker identity proofing, the overall assurance level drops to the weakest path in the lifecycle. This is especially important for human identity governance because recovery, re-enrolment, and help desk workflows are part of the authentication surface. Organisations need to treat recovery as a primary design element, not a side process. Otherwise, passwordless reduces friction at the front door while leaving a vulnerable back door in place.
Practical implication: redesign recovery and re-enrolment so they match the assurance level of the passwordless method itself.
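The three points above (inventory every route that still accepts a password, set a policy floor per application, and rate the programme by its weakest recovery path) can be expressed as a small check. This is an added example, not code from the source article or from SSH Communications Security; the applications, routes, 1-3 assurance scale and policy floors are all constructed sample data.

```python
# Password-dependency inventory and weakest-path assurance check (added
# example; constructed data, not any real estate). Assurance is a simplified
# 1-3 scale: 1 = password / knowledge-based proofing, 2 = OTP or push,
# 3 = phishing-resistant (FIDO2, platform passkey, in-person proofing).
from collections import defaultdict

ASSURANCE = {"password": 1, "security_questions": 1, "sms_otp": 2, "push": 2,
             "fido2": 3, "platform_passkey": 3, "in_person_proofing": 3}

# Every route that ends in a session, not just the login screen. Each route
# lists the authenticators it accepts; any one of them completes the route.
INVENTORY = {
    "payroll": {
        "primary": ["fido2"],
        "step_up": ["fido2"],
        "recovery": ["security_questions", "sms_otp"],  # weak link
        "helpdesk_reset": ["password"],                  # weak link
    },
    "wiki": {"primary": ["password"], "recovery": ["sms_otp"]},
    "prod_admin": {"primary": ["platform_passkey"], "recovery": ["in_person_proofing"],
                   "helpdesk_reset": ["in_person_proofing"]},
}
# Policy boundary per application: the floor every route must reach.
POLICY_MIN = {"payroll": 3, "wiki": 1, "prod_admin": 3}


def route_assurance(options):
    """A route is only as strong as the weakest authenticator it accepts."""
    return min(ASSURANCE[a] for a in options)


def effective_assurance(app, inventory=INVENTORY):
    """End-to-end assurance: the weakest route into the account, recovery included."""
    return min(route_assurance(opts) for opts in inventory[app].values())


def policy_gaps(inventory=INVENTORY, policy=POLICY_MIN):
    """Routes below their application's policy floor: the migration work list."""
    gaps = defaultdict(list)
    for app, routes in inventory.items():
        for route, opts in routes.items():
            if route_assurance(opts) < policy[app]:
                gaps[app].append((route, route_assurance(opts)))
    return dict(gaps)


def password_dependencies(inventory=INVENTORY):
    """Every (app, route) still accepting a knowledge-based secret."""
    weak = {"password", "security_questions"}
    return sorted((app, r) for app, routes in inventory.items()
                  for r, opts in routes.items() if weak & set(opts))
```

Note that payroll scores 3 at the login screen but 1 end to end, because recovery and help-desk reset still accept knowledge-based secrets; prod_admin keeps its floor only because its recovery route is proofed to the same level as primary login.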
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware that exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless adoption is an IAM migration problem before it is an authentication feature problem. The article points to a phased transition because most organisations cannot remove passwords everywhere at once. That means the real governance task is sequencing, exception handling, and assurance consistency across mixed methods. Teams should treat passwordless as a change in identity operating model, not a checkbox on the login screen.
The highest-risk weakness in passwordless programmes is the fallback path. Passwordless may improve the primary authentication experience, but recovery, reset, and support escalation often remain password-dependent or weakly proofed. That creates a control asymmetry where the stated assurance level is higher than the actual end-to-end journey. Practitioners should read passwordless adoption as only as strong as the weakest recovery and exception process.
Human identity programmes still need lifecycle discipline during passwordless rollout. Enrolment, device binding, re-enrolment, and access recovery all sit inside human IAM governance, not outside it. If teams do not align passwordless with joiner-mover-leaver handling, they create confusion over who can recover access, when, and under what proofing standard. The conclusion is simple: passwordless is not a replacement for identity governance, it is a test of it.
Phased password reduction is the only realistic path for most enterprises, and that is a governance advantage. Gradual adoption lets teams measure where friction, failure, and misuse actually occur instead of replacing one hard dependency with another. It also gives IAM leaders a way to prioritise high-risk populations and high-friction journeys first. The practitioner takeaway is to manage passwordless as an iterative control programme, not a one-time rollout.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a broader lifecycle view, Ultimate Guide to NHIs: Key Challenges and Risks explains why visibility, sprawl, and over-privilege keep breaking governance models.
What this signals
Passwordless programmes will increasingly be judged by recovery and exception handling rather than by primary login elegance. If the back door still depends on weaker proofing, the programme shifts risk instead of removing it, which means IAM leaders need to track fallback usage as closely as they track adoption.
Recovery debt: the amount of authentication risk accumulated in reset, rebind, and support workflows is now a material control indicator. Teams that cannot evidence stronger proofing in these paths are not running a mature passwordless programme, even if user login has moved to modern methods.
For identity teams, the strategic question is no longer whether passwordless is desirable. The question is whether the organisation can sustain a mixed authentication estate long enough to retire password dependence without weakening account recovery or governance discipline.
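Tracking fallback usage as closely as adoption, and spotting when recovery has become the primary entry point, needs a metric over the authentication log. This is an added example, not from the source article: the event rows are constructed, the column layout is assumed, and the 25% fallback-share threshold is an illustrative policy choice rather than a standard.

```python
# Fallback-usage metrics over an authentication event log (added example;
# the events below are constructed, not real logs). Each row records which
# journey produced the session: primary, step_up, recovery or helpdesk_reset.
import csv
from collections import Counter, defaultdict
from io import StringIO

SAMPLE_EVENTS = """\
timestamp,app,user,route,method,result
2026-05-01T08:00:00Z,payroll,u1,primary,fido2,success
2026-05-01T08:01:00Z,payroll,u2,recovery,sms_otp,success
2026-05-01T08:02:00Z,payroll,u3,helpdesk_reset,password,success
2026-05-01T08:03:00Z,payroll,u4,primary,fido2,success
2026-05-01T08:04:00Z,payroll,u5,recovery,security_questions,success
2026-05-01T08:05:00Z,payroll,u6,primary,fido2,failure
2026-05-02T08:06:00Z,payroll,u2,recovery,sms_otp,success
2026-05-01T09:00:00Z,prod_admin,a1,primary,platform_passkey,success
2026-05-01T09:01:00Z,prod_admin,a2,primary,platform_passkey,success
2026-05-01T09:02:00Z,prod_admin,a3,primary,platform_passkey,success
2026-05-01T09:03:00Z,prod_admin,a1,recovery,in_person_proofing,success
"""

FALLBACK_ROUTES = {"recovery", "helpdesk_reset"}
WEAK_METHODS = {"password", "security_questions"}
FALLBACK_SHARE_LIMIT = 0.25  # illustrative policy threshold, not a standard


def fallback_metrics(csv_text=SAMPLE_EVENTS, limit=FALLBACK_SHARE_LIMIT):
    """Per app: sessions established, share entering via fallback routes, how many
    of those used a weak method, and users who fell back more than once."""
    sessions, fallback, weak = Counter(), Counter(), Counter()
    per_user = defaultdict(Counter)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["result"] != "success":
            continue  # only sessions actually established count as entry points
        app = row["app"]
        sessions[app] += 1
        if row["route"] in FALLBACK_ROUTES:
            fallback[app] += 1
            per_user[app][row["user"]] += 1
            if row["method"] in WEAK_METHODS:
                weak[app] += 1
    return {
        app: {
            "sessions": n,
            "fallback_share": round(fallback[app] / n, 2),
            "weak_fallback": weak[app],
            "repeat_fallback_users": sorted(u for u, c in per_user[app].items() if c > 1),
            "recovery_debt": fallback[app] / n > limit,  # fallback is displacing primary login
        }
        for app, n in sessions.items()
    }
```

On the sample data payroll is flagged: two thirds of its sessions arrive through fallback routes, two of them via weak methods, and one user has recovered twice; prod_admin sits at the threshold and its single fallback used strong proofing.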
For practitioners
- Map password dependencies across the full authentication journey: Document where passwords still exist in primary login, step-up flows, recovery, device replacement, and help desk processes. Remove hidden dependencies before expanding passwordless to high-risk applications.
- Prioritise high-friction and high-risk use cases first: Start with user populations and applications where password resets, phishing exposure, or access friction are highest. Use those deployments to prove operational fit before expanding across the estate.
- Set explicit policy boundaries for hybrid authentication: Define where passwordless is required, where passwords remain permitted, and which applications must never fall back to legacy methods without additional assurance.
- Redesign account recovery and re-enrolment controls: Treat recovery as part of the authentication control set. Use stronger identity proofing, rebind devices carefully, and test support workflows for bypasses that could reduce assurance.
Key takeaways
- Passwordless is a phased IAM migration, not a simple switch, because most enterprises still depend on passwords somewhere in the authentication journey.
- The weakest recovery or fallback path determines the real assurance level of a passwordless programme, not the main login method alone.
- Identity teams should treat passwordless adoption as a governance redesign exercise, with explicit policy boundaries, recovery controls, and staged rollout decisions.
Key terms
- Passwordless Authentication: An authentication approach that replaces password entry with another method such as cryptographic keys, possession-based authenticators, or biometrics. In practice, the programme is only as strong as its enrolment, recovery, and fallback paths, which must deliver the same assurance as the primary login method.
- Authentication Fallback Path: A backup route used when the primary authentication method fails or is unavailable. It matters because attackers often target the weakest supported path, and many passwordless programmes inherit password or weak proofing in recovery, support, or re-enrolment workflows.
- Recovery Assurance: The level of confidence that an organisation has in identity proofing during password reset, device replacement, or account recovery. Strong recovery assurance is essential because the overall security of an authentication system is limited by the least trustworthy path back into the account.
Deepen your knowledge
Passwordless authentication and human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a phased authentication programme from a similar starting point, it is worth exploring.
This post draws on content published by SSH Communications Security: passwordless authentication and phased IAM adoption. Read the original.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org