By NHI Mgmt Group Editorial Team | Published 2025-08-18 | Domain: Governance & Risk | Source: RSA Security

TL;DR: Passwordless identity can reduce password reuse, phishing exposure, and day-to-day friction for field technicians, contractors, and maintenance crews in critical infrastructure, but RSA Security’s analysis makes clear that access still needs strong privilege controls, Zero Trust alignment, and continuous review. Eliminating passwords changes the authentication surface, not the governance burden.


At a glance

What this is: This is RSA Security’s analysis of passwordless identity for critical infrastructure, with the central finding that stronger authentication only works when it is paired with least privilege, access review, and Zero Trust controls.

Why it matters: It matters because critical infrastructure teams have to secure mobile, cross-border workforces without weakening operational continuity, and passwordless programmes fail if IAM governance does not keep pace.

👉 Read RSA Security's analysis of passwordless identity for critical infrastructure


Context

Passwordless identity removes passwords from the login path, but it does not remove the need to govern who gets access, how much access they get, and when that access is reviewed. In critical infrastructure, the IAM problem is broader than authentication because field technicians, maintenance crews, and contractors need fast access without creating persistent privilege risk.

RSA Security frames the issue around operational identity in energy, transportation, and healthcare, where workforce mobility and reliability requirements collide with phishing, credential reuse, and insider-error exposure. The practical question for IAM teams is not whether passwordless should exist, but how it fits into lifecycle, privilege, and Zero Trust governance across staff and contractors.


Key questions

Q: How should security teams deploy passwordless identity in critical infrastructure?

A: Use passwordless as the authentication layer, then bind it to least privilege, step-up policy, and strong recovery controls. Critical infrastructure teams should treat contractors, field technicians, and maintenance crews as high-change identities that need tighter enrolment, offboarding, and access review than static office users.

Q: Why do passwordless programmes still need access governance?

A: Because removing passwords does not remove entitlement risk. A user can still receive excessive access, misuse legitimate access, or retain privileges after role changes. Governance remains necessary to ensure access is proportionate to task, context, and operational need, especially where the workforce is mobile and distributed.

Q: What breaks when passwordless access is rolled out without least privilege?

A: The programme can become easier to use without becoming safer. Users may authenticate more cleanly while still holding broad, persistent permissions that increase blast radius after a mistake or compromise. The main failure is that authentication improvement is mistaken for overall identity control improvement.

Q: Who is accountable when passwordless access fails in a critical operation?

A: Accountability sits with the IAM, security, and operational owners who approved the access model, recovery paths, and privilege scope. In critical infrastructure, passwordless is not just a login choice. It is part of a broader governance decision about who can act, under what conditions, and with what oversight.


Technical breakdown

Passwordless identity in operational environments

Passwordless identity replaces shared knowledge factors such as passwords with stronger authenticators like hardware-backed keys, biometrics, or device-bound methods. In operational environments, that changes the failure mode from stolen secrets to device trust, enrolment integrity, and recovery controls. The system is still only as strong as its identity proofing, fallback paths, and administrative governance. If those controls are weak, passwordless can shift risk rather than remove it, especially where contractors, rotating crews, and remote access are common.

Practical implication: review recovery, enrolment, and exception-handling paths before expanding passwordless across critical workforce groups.

Least privilege and risk-adaptive access for workforce identity

Passwordless authentication does not determine what a user may do after login. That decision still depends on role design, entitlement scope, and conditional access policy. In critical infrastructure, the governance challenge is to make access narrow enough for safety while still allowing urgent operational work. Risk-adaptive controls matter because access needs can change by location, device posture, task urgency, and infrastructure segment. Without that layer, passwordless simply gives a cleaner path into overly broad access.

Practical implication: bind passwordless sign-in to least-privilege entitlements and step-up controls for higher-risk operational actions.

Zero Trust for contractors, technicians, and cross-border teams

Zero Trust architecture assumes no implicit trust based on network location or job familiarity. That matters in critical infrastructure because the workforce is mobile, distributed, and often composed of mixed employees and third parties. Passwordless can support Zero Trust by reducing password attack surface, but Zero Trust still requires continuous verification, segmentation, and policy enforcement after authentication. The real governance issue is whether access remains proportional to task and context once the user is inside the environment.

Practical implication: map passwordless programmes to Zero Trust policy, especially for contractor and remote-access workflows.
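The three sections above describe one decision flow: a passwordless sign-in establishes who the user is, and a separate policy layer decides, per action, whether the entitlement exists, whether the device is trusted, and whether the action is risky enough to need a step-up. The following is an added worked example of that flow and is not code from RSA Security or the NHI Mgmt Group. The authenticator names, role scopes, action risk tiers, site codes and the rule ordering are all constructed assumptions for illustration.

```python
"""Risk-adaptive access decision after a passwordless sign-in.

Added illustration; not RSA Security's or NHI Mgmt Group's code. Authenticator
names, posture fields, site codes, role scopes and risk tiers are constructed
assumptions, not values from any product or standard.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # fresh challenge with a stronger factor or approver
    DENY = "deny"


# Assumed ordering of authenticator strength, weakest to strongest.
AUTHENTICATOR_STRENGTH = {
    "otp_app": 1,
    "platform_biometric": 2,   # device-bound biometric unlock
    "fido2_hardware": 3,       # hardware-backed key
}

# Constructed least-privilege role design: scopes are narrow and task-bound;
# there is deliberately no broad "ops_admin" bundle to fall back on.
ROLE_SCOPES = {
    "field_technician": {"telemetry:read", "relay:test", "work_order:update"},
    "maintenance_crew": {"telemetry:read", "pump:service", "work_order:update"},
    "contractor_hvac": {"hvac:read", "hvac:adjust"},
}

# Constructed risk tiers. high/critical always need a hardware-backed
# authenticator plus a fresh step-up; critical also needs an on-site device.
ACTION_RISK = {
    "telemetry:read": "low",
    "work_order:update": "low",
    "hvac:read": "low",
    "hvac:adjust": "medium",
    "pump:service": "high",
    "relay:test": "critical",
}


@dataclass
class Session:
    user: str
    role: str
    authenticator: str
    device_managed: bool
    device_compliant: bool
    site: str            # site code the device currently reports from


@dataclass
class Request:
    action: str
    segment_site: str    # site whose infrastructure segment the action touches
    stepped_up: bool = False   # whether a step-up challenge already passed


@dataclass
class Verdict:
    decision: Decision
    reasons: list = field(default_factory=list)


def evaluate(session: Session, req: Request) -> Verdict:
    """Decide allow / step-up / deny. Authentication never implies entitlement."""
    # 1. Entitlement scope first: a strong login cannot widen a role.
    if req.action not in ROLE_SCOPES.get(session.role, set()):
        return Verdict(Decision.DENY, [f"{req.action} not in scope for role {session.role}"])
    risk = ACTION_RISK[req.action]
    # 2. Device trust: unmanaged devices get nothing; non-compliant ones read only.
    if not session.device_managed:
        return Verdict(Decision.DENY, ["unmanaged device"])
    if not session.device_compliant and risk != "low":
        return Verdict(Decision.DENY, ["non-compliant device for non-low-risk action"])
    # 3. Risk-adaptive step-up for medium and above.
    strength = AUTHENTICATOR_STRENGTH.get(session.authenticator, 0)
    if risk in ("high", "critical"):
        if strength < AUTHENTICATOR_STRENGTH["fido2_hardware"]:
            return Verdict(Decision.DENY, [f"{risk} action requires hardware-backed authenticator"])
        if risk == "critical" and session.site != req.segment_site:
            return Verdict(Decision.DENY, ["critical action requires on-site device in target segment"])
        if not req.stepped_up:
            return Verdict(Decision.STEP_UP, [f"{risk} action needs fresh step-up"])
    elif risk == "medium" and not req.stepped_up and strength < 2:
        return Verdict(Decision.STEP_UP, ["medium action with weak authenticator needs step-up"])
    return Verdict(Decision.ALLOW, [f"{req.action} allowed for {session.user} ({risk} risk)"])


if __name__ == "__main__":
    tech = Session("t.alvarez", "field_technician", "fido2_hardware", True, True, "SUB-07")
    for r in (Request("telemetry:read", "SUB-07"),
              Request("relay:test", "SUB-07"),
              Request("relay:test", "SUB-07", stepped_up=True),
              Request("pump:service", "SUB-07", stepped_up=True)):
        v = evaluate(tech, r)
        print(r.action, v.decision.value, v.reasons)
```

The order of the checks is the design point: scope is evaluated before anything about the session, so a contractor holding a hardware key still cannot reach a scope their role lacks, and a technician with a perfectly valid passwordless session is still pushed through a step-up, and an on-site requirement, before a critical action runs.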


NHI Mgmt Group analysis

Passwordless is an authentication change, not an identity governance strategy. RSA Security correctly centres the operational workforce, but the security value comes from what happens after sign-in, not from removing passwords alone. In critical infrastructure, authentication is only one control point among lifecycle, privilege, and monitoring. The practitioner conclusion is straightforward: passwordless should be treated as a control layer inside IAM, not as a substitute for IAM.

Critical infrastructure makes the access problem harder because the workforce is fragmented and time-sensitive. Field technicians, maintenance crews, and contractors need access that is fast, contextual, and often temporary. That combination makes standing privilege and broad entitlements especially dangerous, because the business pressure to keep operations moving can override review discipline. The practitioner takeaway is to design for operational speed without accepting persistent access as the default.

Least privilege is the real control, and passwordless only helps when it is enforced consistently. A passwordless programme with broad, durable entitlements still leaves the organisation exposed to insider error, misuse, and account abuse. The governance gap is not authentication strength but access scope and review quality. Practitioners should judge passwordless success by whether it reduces entitlement blast radius, not by whether it eliminates login friction.

Borderless workforces need policy that follows the person, device, and task. Critical infrastructure access now crosses sites, borders, and trust zones, which means static access assumptions age quickly. Passwordless can support this model if the programme also tracks role changes, contractor offboarding, and device trust changes. The practitioner conclusion is that identity controls must become more contextual as operations become more distributed.

From our research:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • Ultimate Guide to NHIs explains the lifecycle, privilege, and visibility controls that underpin durable identity governance.

What this signals

Passwordless will not simplify governance unless identity programmes also narrow entitlement scope. The shift away from passwords reduces one class of attack, but it can leave standing privilege untouched. For security teams running mixed human and machine identity programmes, the real signal is whether access reviews, device trust, and role design are converging into a single control model rather than remaining separate operational tracks.

69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, per the 2026 Infrastructure Identity Survey, and that pressure is already changing how teams think about access governance. Even in a human workforce post, the lesson transfers: strong authentication is only durable when privilege is scoped, reviewed, and contextualised. Critical infrastructure programmes should expect the same governance architecture to be reused across staff, contractors, and emerging non-human actors.

Borderless operations amplify the value of contextual controls. When access crosses sites, shifts, and jurisdictions, static trust assumptions age too quickly for operational reality. Teams should prepare for policy that evaluates device posture, task urgency, and entitlement scope together, because passwordless alone does not answer whether an action should be allowed.


For practitioners

  • Tie passwordless enrolment to verified identity proofing: Require strong enrolment controls for employees, contractors, and field staff before passwordless credentials are issued. Recovery and re-enrolment paths should be treated as privileged workflows, not convenience features.
  • Constrain operational access with least privilege: Map passwordless sign-in to narrowly scoped entitlements for maintenance, support, and emergency tasks. Remove broad role bundles where possible and require step-up access for high-risk actions.
  • Align passwordless access with Zero Trust policy: Use device posture, location, and task context to decide whether access is allowed, limited, or stepped up. Do not assume a successful passwordless login should confer blanket trust across the environment.
  • Review contractor and seasonal worker access more often: Build shorter review cycles for temporary staff whose access patterns change quickly. Offboarding, role changes, and site transfers should trigger entitlement reassessment before access becomes stale.
  • Measure privilege reduction, not just adoption: Track whether passwordless rollout actually reduces password-related incidents, reused credential exposure, and over-broad access. Adoption counts alone do not show whether the identity programme is safer.
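The last two practitioner points, shorter review cycles triggered by lifecycle events and measuring entitlement scope rather than adoption, are easy to state and easy to leave unimplemented. The block below is an added worked example of both, not code from RSA Security or the NHI Mgmt Group: the review intervals, the trigger event names, the notion of a "broad bundle", and the four sample identities are all constructed assumptions.

```python
"""Entitlement review scheduling and privilege-reduction metrics.

Added illustration; not RSA Security's or NHI Mgmt Group's code. Identity
kinds, review intervals, event names, bundle names and the sample records are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review intervals: the temporary workforce is reviewed far more often.
REVIEW_INTERVAL_DAYS = {"employee": 180, "contractor": 30, "seasonal": 14}

# Assumed lifecycle events that force reassessment before the cycle elapses.
TRIGGER_EVENTS = {"offboarding", "role_change", "site_transfer"}

# Assumed broad role bundles that a least-privilege redesign should retire.
BROAD_BUNDLES = {"ops_admin", "site_all_access"}


@dataclass
class Identity:
    user: str
    kind: str                 # employee | contractor | seasonal
    entitlements: set
    last_review: date
    events: list = field(default_factory=list)   # (date, event_name) pairs


def review_due(identity: Identity, today: date):
    """Return (due, reason). Lifecycle events beat the calendar cycle."""
    for when, event in identity.events:
        if event in TRIGGER_EVENTS and when > identity.last_review:
            return True, f"{event} on {when.isoformat()}"
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[identity.kind])
    if today - identity.last_review >= interval:
        return True, f"cycle of {interval.days} days elapsed"
    return False, "within cycle"


def review_queue(identities, today: date):
    """Users whose entitlements must be reassessed now, with the reason."""
    queue = []
    for ident in identities:
        due, reason = review_due(ident, today)
        if due:
            queue.append((ident.user, reason))
    return queue


def privilege_metrics(identities):
    """Scope metrics: how many identities hold a broad bundle, and mean scope."""
    holders = [i.user for i in identities if i.entitlements & BROAD_BUNDLES]
    total = sum(len(i.entitlements) for i in identities)
    return {
        "identities": len(identities),
        "broad_bundle_holders": len(holders),
        "mean_entitlements": total / len(identities) if identities else 0.0,
    }


def privilege_reduction(before, after):
    """Change in broad-bundle holders between two snapshots (negative = better)."""
    return privilege_metrics(after)["broad_bundle_holders"] - \
        privilege_metrics(before)["broad_bundle_holders"]


# Constructed sample records, evaluated as of the post's publication date.
AS_OF = date(2025, 8, 18)
SAMPLE_IDENTITIES = [
    Identity("e.okafor", "employee", {"telemetry:read", "work_order:update"},
             date(2025, 5, 1)),
    Identity("c.lindqvist", "contractor", {"hvac:read", "hvac:adjust", "site_all_access"},
             date(2025, 7, 10)),
    Identity("s.nakamura", "seasonal", {"pump:service"}, date(2025, 8, 10),
             events=[(date(2025, 8, 15), "site_transfer")]),
    # role_change predates the last review, so it does not re-trigger.
    Identity("m.haddad", "employee", {"ops_admin"}, date(2025, 8, 1),
             events=[(date(2025, 7, 20), "role_change")]),
]

if __name__ == "__main__":
    for user, reason in review_queue(SAMPLE_IDENTITIES, AS_OF):
        print(f"review {user}: {reason}")
    print(privilege_metrics(SAMPLE_IDENTITIES))
```

Two things this surfaces that an adoption dashboard would not: the contractor is already overdue after 39 days under a 30-day cycle even though nothing happened to them, and the seasonal worker is pulled forward by a site transfer well inside their 14-day window. The broad-bundle count is the number to drive down across rollout snapshots; if it does not fall, the passwordless programme has improved login without reducing blast radius.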

Key takeaways

  • Passwordless reduces password-based attack paths, but it does not remove entitlement risk or governance obligations.
  • Critical infrastructure teams need to pair passwordless with least privilege, contextual access policy, and tighter review cycles for contractors and operational staff.
  • The success metric is not adoption rate alone. It is whether the programme lowers blast radius, supports Zero Trust, and improves operational resilience.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Passwordless still depends on managing identity proofing and access enforcement.
NIST Zero Trust (SP 800-207) | RA-3 | Operational access should be continuously evaluated, not trusted after login.
NIST SP 800-63 | | Passwordless depends on stronger authenticators and enrolment governance.

Use contextual policy and continuous verification for contractors and mobile workforce access.


Key terms

  • Passwordless Identity: An authentication approach that removes passwords from the user journey and replaces them with stronger methods such as hardware-backed keys, biometrics, or device-bound credentials. The security outcome depends on enrolment integrity, recovery controls, and whether access is still governed by least privilege after sign-in.
  • Risk-Adaptive Access: An access model that changes permission decisions based on context such as device posture, location, task urgency, and user risk. In practice, it is how passwordless authentication becomes part of a broader governance system instead of a standalone login convenience.
  • Least Privilege: A governance principle that grants only the access needed to complete a specific task and nothing more. For critical infrastructure, it is the control that limits damage when authentication is compromised, because strong login methods do not prevent excessive entitlement scope.
  • Zero Trust Architecture: A security model that assumes no implicit trust based on network location or prior authentication. It requires continuous verification, segmentation, and policy enforcement so that a successful login does not automatically translate into broad operational access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: Passwordless Identity and Workforce Challenges for Critical Infrastructure. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org