TL;DR: Passwordless authentication, phishing-resistant MFA, passkeys, and emerging standards such as AuthZEN and OID4VC are moving from early adoption to operational planning, according to OneSpan’s analysis of Gartner’s July 2025 Digital Identity Hype Cycle. The strategic shift is no longer whether these controls work, but how identity teams scale them without creating new integration, portability, and governance gaps.
At a glance
What this is: This analysis argues that passwordless identity is becoming a control-plane issue for IAM, not just an authentication upgrade, as passkeys, phishing-resistant MFA, and emerging trust standards mature.
Why it matters: It matters because IAM teams now have to align human identity, NHI governance, and future trust models around portability, ecosystem integration, and lifecycle readiness rather than passwords alone.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Context
Passwordless authentication removes the password as a primary attack surface, but it does not remove identity governance. The first-order problem is how organisations preserve assurance when trust signals move from shared secrets to device-bound credentials, passkeys, and policy-driven authorisation.
For IAM teams, this is no longer a narrow login discussion. The article’s core point is that identity strategy must now cover interoperability, lifecycle planning, and future-proof trust across human users today and emerging identity models tomorrow.
Key questions
Q: How should organisations roll out passwordless authentication without breaking access workflows?
A: Start with a controlled subset of applications, users, and recovery scenarios. Focus on device enrolment, help desk processes, and fallback methods before broad adoption. Passwordless succeeds when identity proofing, recovery, and application compatibility are designed together, not bolted on after deployment. A phased model reduces disruption and reveals where the trust fabric is weak.
Q: When does phishing-resistant MFA create more value than traditional MFA?
A: It creates the most value where credential theft, phishing, and session hijacking are recurring threats, especially for customer login, employee access, and privileged activity. Traditional MFA still relies on factors that can be intercepted or replayed, while phishing-resistant methods bind authentication to the device and reduce replay risk.
Q: How do verifiable credentials change enterprise identity governance?
A: Verifiable credentials shift governance toward issuer trust, portability, revocation, and user-controlled presentation. That can improve privacy and reuse, but it also adds dependency on ecosystem support and policy consistency. Organisations should evaluate them as a parallel trust layer, not a replacement for core federation and lifecycle controls.
Q: What should IAM teams prioritise after passwordless becomes the default direction?
A: Prioritise recovery design, interoperability standards, and lifecycle governance. Passwordless changes the authentication surface, but it does not remove identity lifecycle risk. Teams that succeed will treat authentication as one part of a broader trust system covering enrolment, reauthentication, recovery, and revocation across the full user journey.
Technical breakdown
Passwordless authentication as a control-plane shift
Passwordless authentication changes where identity assurance is anchored. Instead of proving a user through something they know, the system relies on device-bound factors, cryptographic credential storage, and policy-enforced verification. That changes the control plane because enrolment, recovery, device trust, and reauthentication become the operational backbone of access, not the password prompt. In practice, migration risk sits in the edges: recovery flows, shared devices, fallback paths, and inconsistent app support. Organisations that treat passwordless as a front-end feature usually miss the governance burden behind it.
Practical implication: map enrolment, recovery, and fallback handling before expanding passwordless beyond pilots.
Phishing-resistant MFA and passkeys in enterprise IAM
Phishing-resistant MFA and passkeys reduce credential replay and SIM-swap exposure by binding authentication to cryptographic proof rather than reusable secrets. Their value comes from resisting interception at the point of sign-in, but they still depend on clean identity proofing, device lifecycle control, and application compatibility. The architectural challenge is not whether they work in isolation. It is whether the enterprise can apply them consistently across customer identity, employee access, and privileged workflows without creating inconsistent assurance levels.
Practical implication: classify which applications can enforce phishing-resistant auth now and which need staged migration.
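The device-bound, origin-bound proof that this passage and the earlier Q&A on phishing-resistant MFA describe comes down to a handful of relying-party checks. The Go model below is an added example, not code from OneSpan, Gartner or this page: it mimics the WebAuthn assertion flow (single-use challenge, clientDataJSON carrying the origin the browser actually served, a signature over SHA-256(rpID) || SHA-256(clientDataJSON)) with Ed25519 and a reduced authenticatorData, and the domains bank.example and bank-login.example are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)
type clientData struct{ Challenge, Origin string } // WebAuthn clientDataJSON fields the RP checks
type RelyingParty struct { // RP state: one registered passkey public key plus unconsumed challenges
	RPID, Origin string
	PubKey       ed25519.PublicKey
	Pending      map[string]bool
}
// NewRelyingParty models passkey registration: the device keeps the private key, the RP the public key.
func NewRelyingParty(rpID, origin string) (*RelyingParty, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &RelyingParty{rpID, origin, pub, map[string]bool{}}, priv
}
func (rp *RelyingParty) NewChallenge() string { // fresh random challenge, recorded for single use
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.Pending[c] = true
	return c
}
// SignAssertion models browser plus authenticator: the browser records the origin it actually served
// and the device-bound key signs SHA-256(rpID) || SHA-256(clientDataJSON); no reusable secret is sent.
func SignAssertion(priv ed25519.PrivateKey, rpID, origin, challenge string) (cdj, sig []byte) {
	cdj, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	r, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	return cdj, ed25519.Sign(priv, append(r[:], c[:]...))
}
// Verify runs the RP-side checks that make passkeys replay- and phishing-resistant.
func (rp *RelyingParty) Verify(cdj, sig []byte) error {
	var cd clientData
	r, c := sha256.Sum256([]byte(rp.RPID)), sha256.Sum256(cdj)
	switch {
	case json.Unmarshal(cdj, &cd) != nil || !rp.Pending[cd.Challenge]:
		return errors.New("malformed client data, or unknown/already used challenge (replay)")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: assertion was produced on another site")
	case !ed25519.Verify(rp.PubKey, append(r[:], c[:]...), sig):
		return errors.New("invalid signature or wrong RP ID")
	}
	delete(rp.Pending, cd.Challenge) // single use: a captured assertion cannot be replayed
	return nil
}
```

A captured assertion fails on a second Verify because its challenge has been consumed, and an assertion produced on a look-alike origin fails the origin check even though its signature is valid. A real browser adds a further layer the model omits: it refuses to use a credential whose RP ID does not match the page's domain at all.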
AuthZEN and OID4VC as emerging trust models
AuthZEN and OpenID for Verifiable Credentials point toward more continuous and portable trust. AuthZEN extends the authorisation discussion beyond a single login event, while OID4VC introduces reusable credentials that can be presented across ecosystems with better privacy and user control. That creates architectural opportunities, but also new dependency questions around standards maturity, issuer trust, wallet support, and revocation handling. These are not replacements for current IAM controls. They are a parallel trust layer that must coexist with current federation and policy systems.
Practical implication: test these standards in bounded use cases before anchoring core access processes on them.
Breaches seen in the wild
- MongoBleed breach: secrets exposed across 87K MongoDB servers.
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless identity is changing the unit of control from password to trust fabric. The article is right to frame passwordless, passkeys, and phishing-resistant MFA as part of a broader identity control plane rather than a single authentication feature. That shift matters because IAM teams now have to govern device trust, recovery, interoperability, and policy consistency together. For practitioners, the question is not whether passwords disappear, but how much of the trust fabric they can safely move before governance catches up.
Standards maturity will determine whether passwordless reduces complexity or redistributes it. AuthZEN and OID4VC are attractive because they promise portability and more nuanced authorisation, but immature ecosystems often move complexity from passwords into integration, issuer trust, and lifecycle decisions. That is a familiar pattern in IAM: a better user experience can conceal a harder governance burden. Practitioners should treat these standards as strategic direction, not immediate simplification.
Human identity modernisation and NHI governance are converging around the same control problem. Passwordless for users, token and passkey lifecycle discipline for people, and secret or workload identity governance for machines all depend on reducing standing trust and making assurance portable. The more organisations standardise on cryptographic trust, the more they need consistent lifecycle, recovery, and revocation logic across identity types. The implication is a single governance model that spans human and non-human identity rather than separate silos.
Post-password identity will reward organisations that can operationalise trust continuously, not just authenticate once. The article correctly points toward continuous authorisation and future-proof identity design. In practice, that means identity governance moves closer to runtime conditions, device state, and policy evaluation. Teams that still think in login events will miss the real control surface. Practitioners should prepare for identity assurance to be measured across the full session, not at the first screen.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still lack a complete control baseline.
- The 52 NHI Breaches Analysis helps teams see how exposed identities become breach paths when lifecycle and visibility controls lag.
What this signals
Passwordless will not reduce identity risk unless the recovery path is equally strong. The real programme shift is away from passwords and toward governance of device trust, credential issuance, and exception handling. Teams should expect audit questions to move from login mechanisms to recovery resilience and control consistency across channels.
As organisations adopt more cryptographic trust, they will need sharper lifecycle controls for both human and non-human identities. The common failure mode is not the primary sign-in method, but the unmanaged fallback path that preserves access after a device reset, account compromise, or credential migration.
If your IAM roadmap includes passkeys, verifiable credentials, or continuous authorisation, the next constraint is standards alignment. Use NIST Cybersecurity Framework 2.0 to map govern, protect, detect, and recover responsibilities before expanding the programme.
For practitioners
- Define passwordless migration by application tier: Segment customer, workforce, and privileged applications by compatibility with passkeys and phishing-resistant MFA. Start with high-risk sign-in flows where credential theft is the dominant threat, then move to lower-risk populations once recovery and fallback paths are proven.
- Test recovery and fallback workflows first: Validate what happens when a device is lost, replaced, shared, or unavailable. Passwordless programmes fail most often in recovery paths, so run tabletop exercises for account recovery, help desk escalation, and identity proofing before broad rollout.
- Establish standards-based interoperability criteria: Set explicit requirements for passkey, federation, and verifiable credential support across browsers, mobile devices, and enterprise applications. Avoid introducing identity silos by allowing one authentication method to dominate the ecosystem without portability checks.
- Pilot continuous authorisation in bounded workflows: Use a narrow business process to evaluate AuthZEN-style authorisation before expanding it into core access paths. Measure policy consistency, revocation behaviour, and auditability so the programme learns where runtime decisions create operational friction.
Key takeaways
- Passwordless identity changes the IAM control surface from secret management to trust orchestration across devices, recovery, and policy.
- The strongest adoption case is not convenience alone. It is reducing replayable credential risk while maintaining governance across the whole access journey.
- Organisations that standardise on interoperable trust now will be better positioned for passkeys, verifiable credentials, and continuous authorisation later.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Passwordless and phishing-resistant MFA affect how identities are authenticated and trusted. |
| NIST SP 800-63 | | Passkeys and verifiable credentials sit within digital identity assurance and federation practice. |
| NIST Zero Trust (SP 800-207) | AC-6 | Passwordless is part of a broader zero-trust approach to minimizing standing trust. |
Reduce implicit trust by pairing stronger authentication with continuous policy evaluation and least privilege.
Key terms
- Passwordless Authentication: Passwordless authentication verifies a user without a reusable password, usually through cryptographic credentials, device binding, or passkeys. It reduces phishing and replay risk, but it still depends on sound enrolment, recovery, and lifecycle controls to keep access trustworthy across the full identity journey.
- Phishing-Resistant MFA: Phishing-resistant MFA is multi-factor authentication designed to resist interception, replay, and credential theft. It typically binds the authentication ceremony to a trusted device or cryptographic proof, making it harder for attackers to exploit stolen codes, tricked users, or SIM-based interception.
- Verifiable Credentials: Verifiable credentials are cryptographically signed identity claims that can be presented and checked across systems. They aim to improve portability and privacy, but they also introduce issuer trust, revocation, and ecosystem compatibility requirements that organisations must govern carefully.
- Continuous Authorisation: Continuous authorisation is a model where access is re-evaluated as conditions change instead of being granted once at login. In practice, it connects policy decisions to runtime context, so assurance can be adjusted for risk, device state, or session behaviour rather than relying on a single check.
Deepen your knowledge
Passwordless authentication, passkeys, and phishing-resistant MFA are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is extending identity governance beyond passwords and into cryptographic trust, this is a useful starting point.
This post draws on content published by OneSpan: Au-delà de l'absence de mot de passe, préparer l'avenir de l'identité numérique. Read the original.
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org