TL;DR: Passwordless authentication, passkeys, and phishing-resistant MFA are accelerating, but the real challenge is scaling trust across platforms, privacy models, and future post-quantum requirements, according to OneSpan’s commentary on Gartner’s July 2025 Hype Cycle for Digital Identity. The important shift is that passwordless is now table stakes, not an end state, and IAM teams need to plan for what comes after it.
At a glance
What this is: This analysis argues that passwordless is becoming foundational, but identity programmes now need to prepare for interoperable, privacy-preserving, and post-quantum-ready trust models.
Why it matters: It matters because identity teams cannot treat passkeys and phishing-resistant MFA as the finish line for human users, while non-human identity (NHI) and autonomous-agent governance depend on the same trust, portability, and lifecycle assumptions.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read OneSpan’s analysis of what comes after passwordless identity
Context
Digital identity now acts as a control plane for access, security, and trust, which is why passwordless, passkeys, and phishing-resistant MFA are being evaluated as operating models rather than point features. For IAM leaders, the core question is no longer whether these controls work, but whether the enterprise can scale them across channels, devices, and identity types without creating new trust gaps.
That shift also matters beyond human login journeys. The same programme discipline that governs passkey rollout, phishing resistance, and federation readiness increasingly shapes NHI lifecycle control and autonomous identity governance, especially where credentials, trust portability, and verification boundaries overlap. NHIMG’s Ultimate Guide to NHIs is useful context for teams that need a broader identity baseline.
The article’s starting position is typical of current enterprise identity strategy: strong on authentication direction, but still emerging on what comes after the current wave of adoption. The gap is not whether passwords disappear, but how identity architectures remain portable, privacy-preserving, and governable as standards evolve.
Key questions
Q: How should security teams scale passwordless authentication without creating new access risk?
A: Security teams should scale passwordless by treating enrollment, recovery, revocation, and exception handling as first-class controls. Passkeys and phishing-resistant MFA reduce phishing exposure, but they do not remove governance obligations. The programme must prove that identity binding remains intact when users change devices, lose credentials, or move between channels.
Q: Why do passkeys and phishing-resistant MFA still need governance oversight?
A: Because stronger authentication does not eliminate lifecycle risk. Organisations still need to manage who can enroll, how accounts are recovered, when assurance is downgraded, and how exceptions are approved. Without that oversight, passwordless becomes a stronger front door with the same weak back office.
Q: When should organisations move from one-time login checks to continuous authorization?
A: Organisations should move when access risk can change during the session, not just at sign-in. This is common in high-value workflows, shared environments, and low-trust network conditions. If a one-time authentication event cannot represent the full decision window, continuous authorization becomes a governance requirement rather than a future idea.
Q: What is the difference between passwordless authentication and broader identity trust?
A: Passwordless removes shared secrets from the login step, but broader identity trust covers issuance, recovery, portability, revocation, and policy enforcement across the identity lifecycle. A team can deploy passkeys and still have weak identity governance if it cannot prove who owns the credential, how it is recovered, and when it stops being valid.
Technical breakdown
Passkeys and phishing-resistant MFA as the new baseline
Passkeys replace reusable shared secrets with a public-key credential held on a device or platform account: the relying party stores only the public key, and each sign-in is a signature over a fresh server challenge that the browser binds to the site's origin, so there is nothing reusable for an attacker to capture and a look-alike domain cannot obtain a valid assertion. Phishing-resistant MFA more generally removes the possibility that a captured factor can be replayed. The technical value is clear, but the operational challenge is ecosystem readiness: platform support, recovery flows, device migration, and policy consistency across workforce and consumer journeys. These controls raise authentication assurance, but they do not eliminate the need for governance, because the organisation still has to manage enrollment, revocation, exception handling, and assurance drift across identity populations.
Practical implication: standardise enrollment, recovery, and exception workflows before treating passwordless as production complete.
Continuous authorization and the shift from one-time login to ongoing trust
Continuous authorization, often discussed under the OpenID Foundation's AuthZEN authorization API work, moves the identity model away from a single authentication event and toward ongoing access decisions based on context, session state, and policy. That matters because modern access risk rarely stops at login. Once a session starts, trust can drift as device posture, network conditions, or task scope changes, so the policy decision point has to be consulted again at the moment of a sensitive action, not only at sign-in. This is especially relevant where access patterns are dynamic and the old idea of a single successful login no longer tells you enough about actual risk.
Practical implication: evaluate where static sign-in assurance is no longer enough and where runtime policy decisions are required.
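The following is an added example, not code from the original post, showing a minimal continuous-authorization loop. The request and response shapes are modelled on the AuthZEN evaluation API (subject, action, resource, context in; a boolean decision out); the rule names, signal names, thresholds and the session data are constructed for illustration.

```javascript
// Added example (not the page's code): a tiny policy decision point (PDP)
// re-consulted mid-session by a policy enforcement point (PEP).

// Every rule must hold for the decision to be "allow". Request layout follows
// AuthZEN: { subject, action, resource, context }.
const RULES = [
  {
    name: 'session-fresh',
    // Assumed policy: force re-authentication after 8 hours regardless of activity.
    check: (r) => r.context.now - r.context.session.authenticatedAt < 8 * 3600,
  },
  {
    name: 'step-up-for-high-value',
    // Assumed policy: transfers of 10000 or more need a step-up in the last 5 minutes.
    check: (r) =>
      r.resource.type !== 'transfer' ||
      r.resource.amount < 10000 ||
      (r.context.session.lastStepUpAt != null &&
        r.context.now - r.context.session.lastStepUpAt < 300),
  },
  { name: 'device-managed', check: (r) => r.context.device.managed === true },
  { name: 'no-tor-exit', check: (r) => r.context.network.reputation !== 'tor-exit' },
];

// PDP: returns an AuthZEN-style response; failed rule names are included so
// the PEP can decide between deny, step-up, or re-authentication.
function evaluate(request) {
  const failed = RULES.filter((rule) => !rule.check(request)).map((rule) => rule.name);
  return { decision: failed.length === 0, context: { failed_rules: failed } };
}

// PEP: builds the request from the live session and current posture signals.
// Called on every sensitive action, not just at login.
function authorize(session, actionName, resource, signals, now) {
  return evaluate({
    subject: { type: 'user', id: session.subjectId },
    action: { name: actionName },
    resource,
    context: { now, session, device: signals.device, network: signals.network },
  });
}

// Walk one session through drift: same user, same credentials, changing risk.
function demo() {
  const t0 = 1700000000; // constructed login time (epoch seconds)
  const session = { subjectId: 'alice', authenticatedAt: t0, lastStepUpAt: null };
  const signals = { device: { managed: true }, network: { reputation: 'corporate' } };
  const balance = { type: 'account', id: 'acct-1' };
  const bigTransfer = { type: 'transfer', id: 'txn-1', amount: 25000 };
  const results = {};

  results.viewAtLogin = authorize(session, 'read', balance, signals, t0 + 60);
  // High-value action inside the same session: the login decision is not enough.
  results.transferNoStepUp = authorize(session, 'create', bigTransfer, signals, t0 + 120);
  session.lastStepUpAt = t0 + 130; // user completes a step-up
  results.transferAfterStepUp = authorize(session, 'create', bigTransfer, signals, t0 + 140);
  // Device posture drifts mid-session: a read that was fine a moment ago is denied.
  signals.device.managed = false;
  results.viewAfterDrift = authorize(session, 'read', balance, signals, t0 + 200);
  // Posture restored, but the session has aged past the freshness limit.
  signals.device.managed = true;
  results.viewStale = authorize(session, 'read', balance, signals, t0 + 9 * 3600);
  return results;
}

module.exports = { RULES, evaluate, authorize, demo };
```

The point is in `authorize` being called per action with current signals: the login event is one input to the decision, never the decision itself, and the `failed_rules` list tells the enforcement point whether to deny outright or to route the user into a step-up or re-authentication flow.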
Decentralized identity and verifiable credentials
Decentralized identity models, including the OpenID for Verifiable Credentials family (OID4VCI for issuance, OID4VP for presentation), aim to let users present reusable claims without handing over full identity records each time. In practice, this changes how trust is established between issuers, wallets, and relying parties: the relying party must decide which issuers it trusts, check the issuer's signature on the credential, and check revocation status, rather than asking a central IdP for a fresh assertion. That shifts some privacy and portability concerns out of the traditional IdP model, but it introduces new dependencies around credential issuance, verifier trust anchors, revocation, and interoperability that enterprises will need to understand before broad adoption.
Practical implication: pilot verifiable credential use cases with clear trust anchors and revocation handling, not just user experience goals.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless is a control shift, not a destination. The article correctly frames passkeys and phishing-resistant MFA as central to present-day identity strategy, but the field should stop treating them as the end state. Authentication assurance is improving, yet the governance burden shifts rather than disappears because enrollment, recovery, lifecycle, and exception handling still determine real-world risk. Practitioners should read passwordless as a new baseline for identity control, not as a closure of the problem.
Identity portability will become a governance requirement, not a niche architecture choice. The push toward OID4VC and decentralized identity reflects a broader market need for reusable trust across ecosystems, but that also changes how organisations think about issuer trust, revocation, and policy consistency. The more identity becomes portable, the more lifecycle and assurance decisions need to travel with it. Practitioners should expect portability questions to move from design reviews into mainstream IAM governance.
Post-quantum planning is becoming part of identity assurance strategy. The article's call to begin the post-quantum conversation is directionally right because authentication controls that look durable today may not remain sufficient under future cryptographic pressure: today's passkeys and federation tokens sign with classical algorithms such as ECDSA P-256 or RSA, which is exactly the dependency a migration plan needs to inventory. This is not a reason to pause deployment of passkeys or phishing-resistant MFA, but it is a reason to avoid freezing roadmaps around today's assumptions. Practitioners should build identity roadmaps that can absorb cryptographic transition without reworking the entire trust model.
Human identity strategy and NHI governance are converging around the same trust problem. Passwordless, passkeys, federated trust, and verifiable credentials all point to the same programme reality: identities must be governed across issuance, use, recovery, and revocation, regardless of whether the actor is human or machine. NHIs already expose the consequences of weak lifecycle control, and human identity programmes will face similar pressure as trust becomes more distributed. Practitioners should align authentication modernisation with broader identity governance, not treat it as a separate lane.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to NHIMG's Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which makes identity governance a visibility problem before it becomes a policy problem.
- The 52 NHI Breaches Analysis shows how exposure patterns become incident patterns when credentials persist without lifecycle control.
What this signals
Passwordless will not simplify identity governance on its own. As passkeys and phishing-resistant MFA expand, teams should expect authentication architecture to become more distributed across devices, wallets, and recovery channels. That increases the importance of policy consistency, auditability, and lifecycle controls, especially where the same identity program also governs NHIs and emerging autonomous access paths.
Post-passwordless roadmaps should be built around trust portability. The practical challenge is no longer only stronger sign-in. It is whether identities can move cleanly across platforms, preserve assurance, and still be revoked or re-issued without breaking the programme. That is the same governance pressure NHIs already place on security teams, only now it is entering mainstream human identity work.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, identity programmes that ignore non-human credentials will miss the larger trust picture entirely. Human authentication modernisation and NHI governance now need to be planned together, because both are part of the same control plane.
For practitioners
- Map passwordless rollout to lifecycle control: Define how enrollment, recovery, device replacement, and revocation work before expanding passkeys across workforce or customer populations. The weakest point in many deployments is not cryptography but the operational handoff between identity proofing, recovery, and account re-binding.
- Plan for continuous authorization where risk changes mid-session: Identify applications where one-time login assurance is no longer enough and define which context signals should trigger re-evaluation. Use policy boundaries that can adapt to session drift rather than assuming the initial authentication event is sufficient.
- Test interoperability before standardising on one identity path: Validate how passkeys, federation, and verifiable credentials behave across browsers, devices, and partner ecosystems. Treat portability, recovery, and revocation as design constraints, not post-launch clean-up tasks.
- Start post-quantum identity planning now: Inventory where authentication and credential-verification dependencies rely on cryptography that may need migration. Build transition scenarios into IAM roadmaps so future changes do not force disruptive redesigns under pressure.
Key takeaways
- Passwordless improves authentication assurance, but it does not end identity governance.
- The practical challenge is scaling trust across enrollment, recovery, portability, and revocation without breaking user experience.
- IAM teams should align passwordless, continuous authorization, and post-quantum planning as one roadmap, not three separate projects.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST's Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B (authenticator assurance levels, phishing resistance) and SP 800-63C (federation) | Passwordless, MFA, and federation are core digital identity topics in this article. |
| NIST Zero Trust Architecture (SP 800-207) | Zero trust tenets: per-session, dynamic access decisions | Continuous authorization aligns with ongoing access verification after login. |
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI7 (Long-Lived Secrets) | The post links human identity modernisation to NHI lifecycle and trust control. |
Apply NHI governance discipline to credentials, revocation, and lifecycle boundaries across identity types.
Key terms
- Passwordless Authentication: An authentication approach that removes reusable passwords from the login step and relies on cryptographic or device-bound factors instead. In practice, it improves phishing resistance, but it still depends on strong enrollment, recovery, revocation, and account binding controls to remain trustworthy at scale.
- Passkey: A passkey is a cryptographic credential that lets a user sign in without typing a password, usually bound to a device or platform account. It reduces secret reuse and phishing exposure, but the programme must still govern provisioning, recovery, transfer, and deletion across the identity lifecycle.
- Continuous Authorization: Continuous authorization is a trust model that re-evaluates access during a session instead of assuming the original login decision remains valid. It is useful where risk changes after authentication, such as device posture shifts, network changes, or task scope drift, and it requires policy and telemetry support.
- Verifiable Credential: A verifiable credential is a digitally signed claim that can be presented and checked by a relying party without exposing unnecessary identity data. The model improves privacy and portability, but it also introduces new governance needs around issuer trust, revocation, interoperability, and reuse boundaries.
Deepen your knowledge
Passwordless authentication, passkeys, and phishing-resistant MFA are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance from human logins into broader lifecycle and trust controls, it is worth exploring.
This post draws on content published by OneSpan: Beyond passwordless: preparing for what’s next in digital identity authentication. Read the original.
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org