By NHI Mgmt Group Editorial Team. Published 2026-03-18. Domain: Best Practices. Source: Imprivata.

TL;DR: Traditional passwords still dominate enterprise authentication, but the article argues they create recurring security, usability, and support failures through reuse, phishing, resets, and weak recovery patterns, according to Imprivata. The real shift is from memorized secrets toward stronger credential management, because password policy alone cannot fix the structural trust problem.


At a glance

What this is: This is an analysis of why traditional passwords keep failing at scale and which passwordless alternatives can reduce both risk and operational burden.

Why it matters: It matters because IAM teams are still carrying password-era assumptions into NHI, human access, and device-bound authentication programmes that now need stronger credential lifecycle controls.



Context

Passwords remain the default control in many environments, but they were built around human memory, not modern attack conditions or enterprise scale. Once identity spans laptops, cloud services, remote work, and privileged access, password reuse, resets, and phishing turn a simple login factor into a governance problem.

For IAM and security teams, the issue is not whether passwords are familiar. It is whether the organisation is still relying on a control that cannot scale cleanly across human users, device-centric login, and the growing need for stronger non-human access patterns.


Key questions

Q: How should organisations phase out passwords without breaking access?

A: Start with the highest-friction and highest-risk workflows, then move in waves. Keep MFA and controlled recovery in place while you test passkeys, device binding, and revocation. Bear in mind that as long as a password fallback is still accepted for an account, a phisher can simply steer the user to it, so the weakest enabled login path sets the account's real phishing exposure. The goal is not a sudden cutover. It is to remove memorised secrets, and eventually the password fallback itself, where the business can support stronger enrollment, fallback, and support processes.

Q: Why do passwords still create so much risk in enterprise IAM?

A: Because they are easy to reuse, easy to phish, and hard to govern consistently across many systems. Once users carry the same secret across multiple services, one compromise can become many. That makes passwords a weak anchor for modern identity assurance, especially where remote work and cloud access are common.

Q: What do teams get wrong about passwordless authentication?

A: They often focus on removing the password field without redesigning recovery, revocation, and device trust. Passwordless works when the surrounding lifecycle is tight. Without those controls, organisations simply move the failure from secret management to account recovery and device handling.

Q: Should organisations replace passwords with biometrics everywhere?

A: No. Biometrics are useful in the right context, but they need strong privacy protections and careful storage design. They are best treated as one factor in a broader authentication strategy, especially where users need secure fallback options and where biometric data must remain on-device.


Technical breakdown

Why passwords fail as an access control

Traditional passwords depend on a memorised secret that users must create, recall, rotate, and protect across many systems. That model breaks down under scale because people reuse credentials, write them down, or choose weak passwords when cognitive load rises. The control also assumes that an attacker has to guess the secret or steal it from the user, but a password is a bearer secret: anything that captures it once (a phishing page, a keylogger, a breached database) can replay it, and credential stuffing replays the same leaked pairs against every other service where they were reused. In identity terms, the problem is not just authentication weakness. It is that the factor itself is easy to duplicate and hard to govern consistently across heterogeneous environments.

Practical implication: treat password policy as a legacy control layer, not a sufficient identity defence.

Passwordless authentication and passkeys

Passwordless authentication replaces memorised secrets with cryptographic assertions, usually tied to a device or secure key pair. Passkeys (FIDO2/WebAuthn credentials) are a common implementation: the private key stays on the user's device, while the service stores the public key and sends a fresh random challenge at login, which the device signs. Phishing and replay become much harder because nothing reusable is typed or sent: the browser scopes the credential to the domain that registered it and includes the actual page origin in the signed data, so an assertion produced on a look-alike site fails verification, and each assertion is bound to a one-time challenge. One caveat matters for enterprise planning: "device-bound" is only strictly true for hardware security keys and platform credentials that do not sync; consumer passkeys synced through a cloud keychain can be copied to other devices and recovered through the vendor account, which moves part of the trust to that account and its own recovery flow. In enterprise settings, the architectural advantage is stronger binding between identity, device, and user presence. The trade-off is operational: recovery, device revocation, and enrollment flows must be engineered carefully so the security gain does not create access outages.

Practical implication: design recovery and revocation before broad passkey rollout, especially for high-availability users.

Biometric authentication and privacy controls

Biometrics can reduce password friction by using a physical trait plus secure device storage, but they introduce a different governance profile. Unlike a password, a fingerprint or face template cannot be changed if exposed, so privacy, storage location, and enclave protection matter more than convenience claims. Organisations should distinguish between biometric verification and biometric storage. The strongest architectures keep biometric data on-device, encrypt it, and avoid central repositories that expand breach impact. Passkey-style flows follow this design by default: the biometric is a local user-verification check that unlocks the device's private key, and the server only ever receives a signed assertion, never the template. This is especially important where identity policy must satisfy both security and privacy obligations.

Practical implication: only adopt biometrics where on-device protection and recovery workflows are explicit requirements.




NHI Mgmt Group analysis

Passwords are a governance problem, not just a usability problem: the article shows that the same secret has to satisfy human memory, phishing resistance, recovery, and compliance at once. That is why password policy keeps producing exceptions, resets, and insecure workarounds. The implication is that identity programmes should stop treating passwords as the baseline control for modern access decisions.

Passkeys shift the trust anchor from memory to device-bound cryptography: that matters because the enterprise is no longer asking users to prove identity by recalling a secret. Instead, the control depends on possession of a registered device and a signed challenge. For practitioners, this changes the centre of gravity from password hygiene to device lifecycle, recovery design, and revocation governance.

Biometrics improve convenience only when privacy engineering is explicit: the article’s caution is well placed because immutable identifiers raise the breach cost if storage or transport is mishandled. A biometric programme that ignores storage locality, encryption, and consent boundaries creates a different kind of identity risk. Practitioners should treat biometrics as a high-assurance factor with privacy constraints, not as a universal replacement.

Credential management is becoming a cross-domain control plane: the same transition away from passwords affects human login, privileged access, and the way organisations think about device trust. That makes authentication strategy inseparable from lifecycle management, recovery governance, and phishing resistance. Teams that align human IAM, PAM, and device-bound authentication will be better positioned to retire password dependency without creating new operational fragility.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • 52% of respondents see AI security decision-making power shifting toward platform and infrastructure teams rather than the executive suite.
  • Forward pivot: for a wider control lens, review the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for how provisioning, rotation, and offboarding change when access stops being human-only.

What this signals

Passwordless migration is not just a UX project. Once identity shifts from memorised secrets to device-bound credentials, teams have to govern enrollment, revocation, and recovery with the same care they once gave passwords themselves. The strongest programmes treat this as a lifecycle change, not a feature rollout.

Secret minimisation debt: organisations that keep passwords in place while layering new factors often preserve the old failure modes for too long. With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, identity teams should expect the same pressure on human access models as automation expands. The control question is no longer whether passwords are familiar, but whether they still belong in the trust path at all.


For practitioners

  • Inventory where passwords remain mandatory: map every application, remote access path, and privileged workflow that still depends on memorised secrets. Prioritise the systems where phishing exposure, help desk resets, or reused credentials create the highest risk.
  • Pilot passkeys in high-friction user journeys: start with use cases that create many password resets or repeated login prompts, then define enrollment, device replacement, and account recovery before expanding. Use the pilot to test whether the new flow actually reduces support volume.
  • Separate biometric convenience from biometric governance: require on-device storage, encryption, and documented recovery steps before approving biometrics for production access. If those controls are not present, treat biometric login as a design risk rather than a finished control.
  • Keep MFA in place during transition periods: use multifactor authentication on privileged and remote access while passwordless options are phased in. That reduces dependency on a single control family and gives teams time to validate fallback and revocation paths.

Key takeaways

  • Passwords fail because they are fragile at scale, not because users are careless.
  • Passkeys and device-bound authentication reduce phishing risk, but only when recovery and revocation are designed first.
  • Identity teams should treat password reduction as a lifecycle and governance change, not a cosmetic login update.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference                                                   | Relevance
NIST CSF 2.0                  | PR.AA-01, PR.AA-03 (the CSF 1.1 identifier was PR.AC-1)               | Passwordless migration changes how identities and credentials are managed and how users, services, and hardware are authenticated and recovered.
NIST SP 800-63                | SP 800-63B authenticator assurance levels (AAL2, AAL3) and verifier impersonation (phishing) resistance | The article is about authentication assurance and federation-friendly alternatives; phishing-resistant authenticators such as passkeys are the route to the higher assurance levels.
NIST SP 800-207 (Zero Trust)  | Tenets of Zero Trust (Section 2.1); 800-207 has no numbered control catalogue | Zero trust depends on stronger, continuous access validation than passwords provide.

Map password reduction to PR.AA-01 and PR.AA-03 in CSF 2.0 (PR.AC-1 under CSF 1.1) and verify authentication strength against SP 800-63B assurance levels before deprecating legacy secrets.


Key terms

  • Passwordless Authentication: Passwordless authentication lets a user prove identity without typing a memorised secret. In practice, it usually relies on a device-bound key, biometric verification, or a hardware-backed assertion, with recovery and revocation becoming the core governance tasks instead of password resets.
  • Passkey: A passkey is a cryptographic credential pair that replaces a password during login. The private key remains on the user’s device, while the service verifies a signed challenge with the public key. This reduces phishing and replay risk, but only if enrollment, device replacement, and fallback are controlled.
  • Biometric Authentication: Biometric authentication uses a physical characteristic such as a fingerprint or face scan to confirm identity. The security quality depends less on the biometric itself than on how the template is stored, protected, and recovered, because biometric data cannot be changed once exposed.
  • Credential Management: Credential management is the discipline of issuing, protecting, rotating, recovering, and retiring the secrets and authentication factors that control access. For passwordless programmes, it expands beyond secret handling into device trust, account recovery, and lifecycle governance across the full identity stack.

Deepen your knowledge

Passwordless authentication and credential lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are planning a transition away from passwords, it is worth exploring.

This post draws on content published by Imprivata: password problems, passwordless alternatives, and enterprise credential management. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org