TL;DR: NIS2 pushes critical infrastructure operators toward passwordless access, because username and password controls remain exposed to phishing, reuse, and disruption in regulated environments, according to RSA Security. The real issue is that access assurance now has to survive suppliers, contractors, and legacy systems without relying on static credentials.
At a glance
What this is: This is RSA Security’s analysis of why passwordless identity security matters for NIS2-regulated critical infrastructure and how it changes access control assumptions.
Why it matters: It matters because critical infrastructure teams need access controls that work across employees, suppliers, contractors, and legacy systems without leaving password-based attack paths open.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read RSA Security's analysis of passwordless identity security for NIS2 critical infrastructure
Context
Passwordless identity security replaces passwords with cryptographically bound access methods such as hardware keys, device biometrics, and risk-based authentication. In critical infrastructure, the governance problem is not just authentication strength, but whether access control can remain reliable when the workforce includes employees, suppliers, and contractors across environments that cannot be rebuilt overnight.
NIS2 raises expectations for resilience, access control, and incident resistance across sectors such as energy, transport, healthcare, and finance. That makes passwordless one piece of a broader identity programme, not a standalone fix, because the real security boundary in regulated infrastructure is the identity layer.
For teams managing a mixed estate of human users and machine access, the same access discipline still applies: eliminate weak standing credentials, tighten verification, and reduce the paths that attackers can abuse once they reach an account or session. For a broader baseline on non-human identity governance, see the Ultimate Guide to NHIs.
Key questions
Q: How should security teams implement passwordless access in critical infrastructure?
A: Start with the highest-risk user groups and the systems most exposed to phishing or credential reuse. Then extend passwordless only where recovery, exception handling, and supplier access are governed. The right test is whether the programme lowers attackability without creating unmanaged fallback paths or breaking auditability across regulated services.
Q: Why does passwordless matter for NIS2 compliance?
A: NIS2 raises expectations for resilience and access control in critical sectors, so passwordless helps by removing reusable secrets from the login path. That matters because credential theft is still a common entry point, but compliance also depends on lifecycle controls, privileged access governance, and evidence that access decisions are auditable.
Q: What breaks when passwordless is rolled out without access governance?
A: The rollout can still leave recovery flows, legacy systems, and supplier accounts exposed. In that case, attackers bypass the new factor through the weakest remaining path. Passwordless strengthens authentication, but it does not fix unmanaged exceptions, shared accounts, or weak offboarding.
Q: Who is accountable when contractor access is left active in a critical environment?
A: Accountability should sit with the system owner and the identity governance function, not the contractor alone. Critical infrastructure teams need clear ownership for onboarding, review, and revocation because access that outlives the business need becomes a governance failure, not just an authentication issue.
Technical breakdown
Why passwordless changes the access threat model
Passwordless authentication removes the shared secret that attackers most often steal, guess, or replay. Instead of relying on a memorised password, the system binds access to a device, biometric factor, or cryptographic credential that is harder to phish and easier to prove at login time. That reduces exposure from brute force and credential stuffing, but it does not remove governance needs around device trust, fallback paths, supplier access, or account recovery. In regulated environments, the important shift is from secret protection to assurance management.
Practical implication: teams must review every fallback and recovery path, not just the primary passwordless factor.
How passwordless identity fits Zero Trust and NIS2
Zero Trust requires each access request to be evaluated on context, not assumed safe because the user is already inside the network. Passwordless can strengthen that model by improving initial assurance, but Zero Trust still depends on segmentation, least privilege, and continuous verification after login. NIS2 matters here because it pushes organisations to show that access controls are resilient, auditable, and appropriate for critical services. Passwordless helps the front door, but the wider control plane still has to govern sessions, entitlements, and privileged actions.
Practical implication: align passwordless rollout with Zero Trust policy enforcement and audit evidence, not as a standalone login project.
Why contractor and supplier access is the real test
Critical infrastructure environments often depend on external technicians, integrators, and suppliers whose access patterns are irregular and high risk. Passwordless is useful here because it can reduce password reuse and phishing exposure, but only if identity governance extends to onboarding, access duration, and offboarding. The hardest problem is not issuing a strong login method. It is making sure every third-party access path is governed with the same rigour as internal staff access, especially where legacy systems still expect passwords or shared accounts.
Practical implication: map contractor and supplier accounts to the same lifecycle controls as employees, including revocation and periodic review.
Threat narrative
Attacker objective: The attacker seeks operational access that can disrupt essential services, extract leverage, or create outage conditions in a regulated environment.
- Entry occurs when an attacker obtains access through a reused or guessed password against a critical infrastructure account.
- Escalation follows when that account opens operational systems or privileged control interfaces that should have required stronger verification.
- Impact is service disruption, often through ransomware or operational manipulation that can affect public services at scale.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless identity reduces credential theft, but it does not solve governance by itself. Passwordless weakens the most common human login failure mode, which is password reuse and phishing, yet critical infrastructure still fails if recovery, fallback, and third-party access remain poorly governed. NIS2 pressure therefore shifts the question from whether passwords should be removed to whether the surrounding identity controls are strong enough to support that change. Practitioners should treat passwordless as an assurance upgrade, not an operating model.
Identity becomes the control surface for resilience when critical services cannot tolerate account compromise. In regulated infrastructure, access assurance is part of service continuity, not just security hygiene. A login method that is harder to phish matters because the business consequence of compromise is not limited to data exposure. The broader implication is that access governance, auditability, and recovery design must be built around service uptime and operational safety, not around authentication convenience.
Third-party access without lifecycle rigor remains the weakest point in many critical infrastructure programmes. Suppliers and contractors often keep access longer than internal teams expect, especially when legacy systems and emergency support paths are involved. Passwordless can reduce exposure at the front door, but it cannot compensate for weak offboarding, shared access, or exception-based provisioning. The implication is that lifecycle governance must reach every external identity that can touch operational systems.
Zero Trust and passwordless are complementary only when the programme treats authentication as one control among many. Passwordless can improve the strength of the initial identity assertion, but Zero Trust still requires policy enforcement after login, including least privilege and segmentation. For critical infrastructure, that means the security outcome depends on how identity, device trust, and access context are combined. Practitioners should not confuse stronger login with complete trust reduction.
Passwordless control-plane gap: The key governance failure this topic exposes is the assumption that stronger authentication alone can absorb weak lifecycle and privilege management. That assumption breaks in critical infrastructure because access persistence, supplier sprawl, and legacy exceptions can still create exploitable paths even when passwords are removed. The implication is that identity programmes must be designed around end-to-end access assurance, not just a better login factor.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- That persistence makes the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, the next resource for teams tightening identity lifecycle controls.
What this signals
Passwordless is only the first layer of resilience. Critical infrastructure teams should expect passwordless to improve phishing resistance, but the operational risk shifts immediately to recovery, contractor access, and legacy application exceptions. The governance question is whether the programme can remove passwords without creating hidden bypasses that auditors and attackers can still reach.
Identity governance becomes a service continuity issue under NIS2. When access failures can interrupt energy, transport, healthcare, or financial services, IAM can no longer be treated as a narrow login topic. Teams should align passwordless rollout with privileged access reviews, offboarding discipline, and audit evidence that survives regulatory scrutiny.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the wider lesson is that authentication modernisation does not compensate for secret sprawl, according to Ultimate Guide to NHIs. The next step is to treat access assurance as a full lifecycle problem, not a front-door upgrade.
For practitioners
- Inventory every password fallback path: Map where passwordless users can still authenticate through recovery codes, help desk reset flows, or legacy applications that force password-based access. Those paths often become the easiest way back into critical systems.
- Extend lifecycle controls to supplier access: Apply onboarding, periodic review, and immediate revocation to contractor and vendor accounts that touch operational environments. If an external identity can reach a control system, it needs a defined owner and an offboarding trigger.
- Tie passwordless rollout to Zero Trust policy: Require conditional access, device trust, and privilege checks after authentication so the login method does not become the only control. Passwordless should reduce phishing exposure, not replace access governance.
- Remove shared credentials from operational exceptions: Replace shared or emergency passwords in legacy environments with accountable identities and auditable break-glass procedures. Critical infrastructure resilience depends on knowing which person or system performed each action.
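One way to turn the four practitioner checks above into a repeatable audit over an identity inventory, as an added example that is not from RSA Security or the original post; the record fields, account names and 90-day review interval are constructed assumptions, not a real estate:

```python
from datetime import date

# Constructed sample inventory (not real data): one record per account that can
# reach operational systems. Field names are assumptions for this example.
INVENTORY = [
    {"id": "alice", "type": "employee", "owner": "ops-lead", "passwordless": True,
     "fallbacks": [], "access_end": None, "last_review": date(2025, 6, 1)},
    {"id": "bob", "type": "employee", "owner": "ops-lead", "passwordless": True,
     "fallbacks": ["password", "helpdesk_reset"], "access_end": None,
     "last_review": date(2025, 6, 1)},
    {"id": "vendor-tech-1", "type": "contractor", "owner": None, "passwordless": True,
     "fallbacks": ["recovery_code"], "access_end": date(2025, 5, 31),
     "last_review": date(2024, 11, 1)},
    {"id": "scada-shared", "type": "shared", "owner": "plant-ops", "passwordless": False,
     "fallbacks": ["password"], "access_end": None, "last_review": date(2025, 6, 1)},
]

REVIEW_INTERVAL_DAYS = 90          # assumed review policy
TODAY = date(2025, 7, 30)          # constructed "as of" date for the audit


def audit(inventory, today):
    """Return (account id, finding) pairs for each governance gap found."""
    findings = []
    for acct in inventory:
        # Check 1: a passwordless user who can still log in via a password or reset path
        if acct["passwordless"] and acct["fallbacks"]:
            findings.append((acct["id"], "fallback_path:" + ",".join(sorted(acct["fallbacks"]))))
        # Check 2: external identities need a named owner and must not outlive the engagement
        if acct["type"] in ("contractor", "supplier"):
            if acct["owner"] is None:
                findings.append((acct["id"], "no_owner"))
            if acct["access_end"] is not None and acct["access_end"] < today:
                findings.append((acct["id"], "access_expired"))
        # Check 4: shared accounts cannot attribute an action to one person or system
        if acct["type"] == "shared":
            findings.append((acct["id"], "shared_account"))
        # Applies to every identity type: periodic review must not lapse
        if (today - acct["last_review"]).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct["id"], "review_overdue"))
    return findings


def run_audit():
    """Convenience entry point: audit the constructed inventory as of TODAY."""
    return audit(INVENTORY, TODAY)


if __name__ == "__main__":
    for account_id, finding in run_audit():
        print(f"{account_id}: {finding}")
```

Check 3 (post-login conditional access and privilege checks) is a policy-engine setting rather than an inventory property, so it is not modelled here.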
Key takeaways
- Passwordless identity improves phishing resistance, but critical infrastructure still depends on surrounding governance for recovery, exceptions, and offboarding.
- NIS2 raises the operational stakes of identity control because weak access can become a service disruption issue, not just a credential problem.
- The practical test is whether passwordless reduces attack paths without creating new bypasses in supplier, legacy, or emergency access flows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Passwordless strengthens identity proofing and access control in critical infrastructure. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires contextual access decisions after stronger authentication. |
| NIS2 | | NIS2 raises access control and resilience expectations for critical sectors. |
Map passwordless rollout to NIS2 evidence requirements, especially auditability and resilience.
Key terms
- Passwordless Authentication: An authentication method that replaces memorised passwords with stronger factors such as cryptographic keys, device possession, or biometrics. In practice, it reduces phishing and reuse risk, but it still depends on recovery design, device trust, and lifecycle controls to remain secure in regulated environments.
- Zero Trust Architecture: A security model that assumes no access request is trusted by default, even from inside the network. Each request is evaluated using context, identity, and policy. For critical infrastructure, passwordless can strengthen identity assurance, but Zero Trust only works when access is continuously verified after login.
- Identity Lifecycle Management: The governance process that covers onboarding, access changes, reviews, and offboarding for every identity type. In critical infrastructure, it determines whether employees, suppliers, and contractors lose access when they should, which is essential when stronger authentication is only one part of the control stack.
- Fallback Access Path: Any alternate route that allows a user to authenticate when the primary control fails, such as recovery codes, help desk resets, or legacy passwords. These paths often become the weakest point in a passwordless programme if they are not designed and reviewed with the same rigour as the primary login method.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Passwordless Securing Europe’s Critical Infrastructure in the NIS2 Era. Read the original.
Published by the NHIMG editorial team on 2025-07-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org