TL;DR: Password-based authentication remains costly and risky, with the average employee managing 190+ passwords, over 40% of help desk calls tied to password issues, and more than 80% of data breaches linked to password problems, according to Axiad. The real issue is not convenience alone: password-centric IAM still depends on weak, reusable, and stealable secrets.
At a glance
What this is: This is a passwordless authentication commentary that argues passwords remain a security and operational liability because they are hard to manage, easy to abuse, and expensive to support.
Why it matters: It matters because IAM teams must reduce user friction without increasing authentication risk, while also keeping human identity controls aligned with broader NHI and machine-access governance.
By the numbers:
- The average employee manages 190+ passwords.
- Over 40% of help desk calls are about password-related issues.
- More than 80% of data breaches are linked to password issues.
👉 Read Axiad's post on why passwordless authentication matters for identity security
Context
Passwords remain a weak foundation for identity security because they are reusable, frequently forgotten, and often protected by user workarounds rather than strong controls. In human IAM, that weakness shows up as both user friction and predictable attack surface.
The article’s core claim is that passwordless authentication can improve both security and user experience, but only if organisations treat authentication as an end-to-end identity design problem. That has implications for MFA, device assurance, and the way human identity programmes connect to machine and workload access patterns.
Key questions
A: Prioritise passwordless authentication on the workflows that create the most support burden and security exposure, such as remote access, privileged applications, and high-value SaaS. Pair the change with phishing-resistant MFA, clear fallback paths, and user communication so recovery does not become the weakest link. The goal is to lower friction while also reducing the number of reusable secrets attackers can steal.
Q: Why do passwords remain such a persistent identity risk?
A: Passwords persist because they are familiar, widely supported, and easy to deploy, not because they are strong. They create predictable failure modes such as reuse, forgotten credentials, reset abuse, and insecure storage by users. Once an organisation has many applications and many recovery paths, passwords stop acting as a control and start acting as a liability.
Q: How do teams know if passwordless authentication is actually working?
A: Look for fewer password reset tickets, lower lockout rates, reduced help desk time spent on authentication issues, and lower exposure to phishing-based account compromise. If users still rely heavily on recovery steps or shared fallback methods, the programme has not fully removed password risk. Good passwordless design reduces both friction and secret sprawl.
Q: What is the difference between passwordless authentication and simply adding MFA?
A: MFA strengthens a password-based model, but it still leaves the password as a reusable secret that can be stolen, reused, or guessed. Passwordless authentication removes that primary secret from the normal login flow and replaces it with stronger proof such as device-bound or biometric factors. The difference is structural, not cosmetic.
Technical breakdown
Why password-based authentication keeps failing
Password systems fail because they depend on human memory, repeated credential entry, and secondary recovery paths. Once users resort to notes, spreadsheets, or password reuse, the authentication layer no longer proves identity reliably. The more applications and devices an employee must access, the more the system shifts from control to leakage. Password managers reduce some friction, but they still centralise a high-value secret store and do not remove the underlying dependence on shared knowledge factors.
Practical implication: reduce the number of password touchpoints and treat recovery, reset, and fallback paths as part of the attack surface.
Passwordless authentication and MFA as a control stack
Passwordless authentication replaces knowledge-based login with stronger factors such as biometrics, device-bound credentials, or cryptographic authenticators. In practice, the value comes from combining passwordless methods with MFA, so identity assurance does not rely on a single secret. For IAM teams, the important design choice is not whether passwords disappear everywhere on day one, but whether the organisation can raise assurance while lowering the number of recoverable secrets users can phish, steal, or reuse.
Practical implication: prioritise passwordless for high-risk user populations and pair it with phishing-resistant MFA where the business impact is highest.
Extending identity assurance beyond people
The article also points to a broader identity problem: organisations often solve human login pain but leave devices, applications, and other connected systems on weaker credential patterns. Passwordless design should therefore be aligned with how identities are asserted across the environment, not just at the user screen. That means considering certificate-based access, digitally signed interactions, and where machine identities still rely on static secrets that undermine the same assurance model.
Practical implication: align human authentication modernisation with machine identity governance so weaker credential patterns do not reappear elsewhere.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication is not just a user-experience upgrade. It is a reduction in identity attack surface because it removes the most reusable and most socially engineered credential type from the human workflow. The article’s own data shows why passwords persist as operational debt rather than security control. When employees manage hundreds of passwords, the system invites reuse, reset flows, and insecure workarounds. Practitioners should treat password removal as an identity risk decision, not a convenience project.
Passwords create a help desk dependency that weakens identity operations at scale. More than 40% of help desk calls being password-related means the authentication model is consuming operational capacity that should be spent on strategic controls. That is not only a cost issue. It also creates a narrow recovery channel that attackers repeatedly target through social engineering and account reset abuse. Practitioners should view passwordless adoption as a way to remove a recurring operational failure mode.
Human IAM and NHI governance are converging around the same design principle: reduce reliance on long-lived shared secrets. Passwords, API keys, tokens, and certificates are not identical, but they all become risky when they are treated as static credentials instead of managed identity artefacts. The organisation that modernises human authentication while leaving machine access anchored to fragile secrets only shifts the problem sideways. Practitioners should align passwordless programmes with broader identity lifecycle governance.
Credential burden is a named concept here: the accumulation of too many reusable secrets until identity assurance becomes self-defeating. The average employee having 190+ passwords is not a trivia point. It is evidence that identity systems can exceed the capacity of the people they are meant to secure. The implication is straightforward: if a control requires users to remember and defend too much, it becomes part of the risk model rather than the solution.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Password reduction efforts should move alongside lifecycle control, as shown in Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
Credential burden is the point where identity design starts breaking under its own operational weight. When employees need dozens or hundreds of passwords, the programme is no longer measuring assurance cleanly, it is measuring how much users are willing to tolerate before they route around control. IAM leaders should expect passwordless adoption to succeed only where recovery, device trust, and fallback governance are redesigned with it.
Passwordless programmes should be assessed alongside broader secret governance, not as a standalone UX project. Human authentication may be the entry point, but the same organisations often leave API keys, service credentials, and certificate handling unchanged. That creates a split identity posture where one part of the environment is modernised and another still depends on long-lived secrets.
The governance signal is straightforward: if password-related tickets stay high after rollout, the programme has not yet changed the operating model. Teams should watch for whether they have reduced user dependence on shared secrets, not just changed the login screen. That is the difference between cosmetic modernisation and real identity hardening.
For practitioners
- Reduce password dependencies in high-risk workflows: Start with VPN, admin access, privileged SaaS, and remote workforce entry points where stolen credentials have the highest blast radius. Replace password prompts with phishing-resistant authentication methods that fit the risk tier of the application.
- Harden account recovery and reset paths: Review every fallback route that still depends on knowledge factors, help desk verification, or email-based recovery. Attackers often target the recovery path when the login path becomes stronger.
- Measure help desk effort as an identity risk signal: Track password reset volume, lockout rates, and recovery ticket trends as programme health indicators. If those metrics remain high after a passwordless rollout, the organisation has not removed the underlying friction.
- Extend assurance principles to machine identities: Do not modernise human authentication in isolation. Review where applications, devices, and service accounts still depend on static secrets so the same weak pattern does not continue behind the user layer.
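The measurement advice above (and the earlier point that high password-related ticket volume after rollout means the operating model has not changed) can be turned into a check over authentication event logs. The following is an added example, not tooling from the NHIMG commentary or from Axiad: it parses a constructed `key=value` event log, computes the share of logins still relying on a password, counts resets, lockouts and recovery events, and flags users whose recovery activity is a large share of their authentication activity. The log format, field names and thresholds are this example's own assumptions.

```javascript
// Added example: password-risk metrics over an authentication event log.
// The SAMPLE_LOG lines are constructed; real deployments would feed IdP or
// help desk exports in whatever format they produce.
const SAMPLE_LOG = `
2025-09-01T08:01:10Z user=alice event=login method=passkey result=success
2025-09-01T08:02:30Z user=bob event=login method=password result=failure
2025-09-01T08:02:45Z user=bob event=login method=password result=failure
2025-09-01T08:03:00Z user=bob event=lockout
2025-09-01T08:10:00Z user=bob event=password_reset channel=helpdesk
2025-09-01T08:12:00Z user=bob event=login method=password result=success
2025-09-01T09:00:00Z user=carol event=login method=passkey result=success
2025-09-01T09:30:00Z user=carol event=recovery channel=email
2025-09-01T09:32:00Z user=carol event=password_reset channel=helpdesk
2025-09-01T09:33:00Z user=carol event=login method=password result=success
2025-09-01T10:00:00Z user=dave event=login method=password result=success
2025-09-01T10:05:00Z user=dave event=password_reset channel=self_service
2025-09-01T10:06:00Z user=dave event=login method=password result=success
`.trim();

// Parse one line: ISO timestamp followed by key=value fields.
function parseLine(line) {
  const [ts, ...rest] = line.trim().split(/\s+/);
  const ev = { ts };
  for (const kv of rest) {
    const i = kv.indexOf('=');
    if (i > 0) ev[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return ev;
}

function parseLog(text) {
  return text.split('\n').filter((l) => l.trim()).map(parseLine);
}

// Programme health metrics: how much login traffic still depends on a password,
// and how much effort goes into resets, lockouts and recovery. Users whose
// recovery events are a large share of their activity are the "recovery is
// the new weakest link" pattern.
function passwordRiskMetrics(events, opts = {}) {
  const recoveryRatioLimit = opts.recoveryRatioLimit ?? 0.5; // assumed threshold
  const perUser = new Map();
  const m = { loginAttempts: 0, passwordLogins: 0, passwordlessLogins: 0,
              resets: 0, helpdeskResets: 0, lockouts: 0, recoveries: 0 };
  for (const ev of events) {
    const u = perUser.get(ev.user) ?? { logins: 0, recovery: 0 };
    perUser.set(ev.user, u);
    switch (ev.event) {
      case 'login':
        m.loginAttempts += 1; u.logins += 1;
        if (ev.method === 'password') m.passwordLogins += 1; else m.passwordlessLogins += 1;
        break;
      case 'password_reset':
        m.resets += 1; u.recovery += 1;
        if (ev.channel === 'helpdesk') m.helpdeskResets += 1;
        break;
      case 'lockout':
        m.lockouts += 1;
        break;
      case 'recovery':
        m.recoveries += 1; u.recovery += 1;
        break;
    }
  }
  const recoveryHeavyUsers = [...perUser]
    .filter(([, u]) => u.recovery > 0 && u.recovery / (u.logins + u.recovery) >= recoveryRatioLimit)
    .map(([name]) => name)
    .sort();
  return {
    ...m,
    passwordLoginShare: m.loginAttempts ? m.passwordLogins / m.loginAttempts : 0,
    recoveryHeavyUsers,
  };
}

// Turn the numbers into the governance question: has the operating model
// changed, or only the login screen? Thresholds are assumed, not prescribed.
function assess(metrics, opts = {}) {
  const maxPasswordShare = opts.maxPasswordShare ?? 0.25;
  const findings = [];
  if (metrics.passwordLoginShare > maxPasswordShare) findings.push('password is still the dominant login factor');
  if (metrics.helpdeskResets > 0) findings.push('help desk reset channel is still in use');
  if (metrics.recoveryHeavyUsers.length > 0) findings.push(`recovery-heavy users: ${metrics.recoveryHeavyUsers.join(', ')}`);
  return findings;
}

module.exports = { SAMPLE_LOG, parseLog, passwordRiskMetrics, assess };
```

On the constructed log, 6 of 8 login attempts still use a password, two resets went through the help desk, and `carol` is flagged because half of her authentication activity is recovery. Tracked over time, the same three signals show whether a rollout has removed the dependence on shared secrets or only moved it into the fallback paths.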
Key takeaways
- Passwords remain an identity weakness because they create predictable user workarounds, support burden, and theft opportunities.
- The scale of the problem is measurable, with 190+ passwords per employee and more than 40% of help desk calls tied to password issues.
- Modern authentication should reduce reusable secrets across human and machine access, not just replace one login method with another.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Passwordless methods directly affect digital identity assurance and authenticator strength. |
| NIST CSF 2.0 | PR.AA | Authentication assurance and access control are central to reducing password risk. |
| NIST Zero Trust (SP 800-207) | PR.AC | Passwordless fits continuous verification and reduced standing credential exposure. |
Use phishing-resistant authenticators and recovery controls that align with assurance needs.
Key terms
- Passwordless Authentication: Passwordless authentication proves a user’s identity without requiring a reusable password as the primary login factor. It typically relies on device-bound credentials, biometrics, or cryptographic authenticators. In practice, the control reduces phishing exposure, password reuse, and reset-driven support burden while shifting attention to recovery and device assurance.
- Phishing-Resistant MFA: Phishing-resistant MFA uses authentication methods that cannot be easily replayed or captured by an attacker during login. It strengthens the identity layer by binding proof to the device or cryptographic challenge rather than to a shared secret. For practitioners, it is most effective when paired with strong recovery governance and low-friction deployment.
- Credential Burden: Credential burden is the cumulative pressure created when users must manage too many passwords or similar secrets across applications and recovery processes. It weakens security because people adopt workarounds, reuse credentials, and rely on unsafe storage. The concept helps teams measure when the identity system has become harder to use than to bypass.
Deepen your knowledge
Passwordless authentication and phishing-resistant MFA are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your identity programme is trying to lower user friction without expanding attack surface, the course is a useful starting point.
This post draws on content published by Axiad: This Password Day, we think you deserve better. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org