TL;DR: Facial biometrics can reduce password reset friction, lower credential-compromise exposure, and support passwordless access in regulated environments, according to Imprivata and cited third-party research. The deeper issue is not whether face authentication works, but whether identity programmes can replace password-era assumptions without fragmenting governance across users, devices, and third parties.
NHIMG editorial — based on content published by Imprivata: Discover three key insights into facial biometrics and passwordless authentication
By the numbers:
- 40% of all help desk calls are related to passwords.
- 42% of system intrusion attacks and 88% of basic web application attacks involved compromised login credentials.
Questions worth separating out
Q: How should security teams roll out passwordless authentication without breaking legacy access?
A: Start with application and workflow inventory, then classify which systems can support modern authentication and which still require transitional controls.
Q: Why do passwordless programmes fail if they focus only on the login method?
A: Because the login method is only the front end of identity assurance.
Q: How can organisations judge whether facial biometrics are actually reducing risk?
A: Look for fewer password resets, lower help desk volume, reduced dependence on recoverable secrets, and consistent auditability across shared and regulated workflows.
Practitioner guidance
- Map passwordless eligibility by application and workflow: identify which critical systems still depend on keyboard-based or legacy login paths before promising full password removal.
- Protect biometric enrollment and template storage: require strong controls around enrollment capture, template storage, encryption, and deletion on termination.
- Design for shared-device session switching: test fast user switching, logout behaviour, and per-user audit trails on shared workstations.
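To make the last point concrete, here is an added example (not code from Imprivata's article or from this editorial) that replays constructed shared-workstation events and flags actions that cannot be attributed to the user who performed them; the log format, user names and workstation id are assumptions for illustration.

```python
"""Check per-user audit attribution on a shared workstation.

Added example with a constructed log format (assumption, not Imprivata's):
each line is 'timestamp workstation event user', where event is LOGIN,
LOGOUT or ACTION. The checker flags actions with no open session, actions
attributed to another user's session, logins that overlap a still-open
session, and sessions that are never closed.
"""

# Constructed sample: one shared workstation, three users switching.
SAMPLE_LOG = """\
09:00:00 WS-01 LOGIN alice
09:02:10 WS-01 ACTION alice
09:05:00 WS-01 LOGOUT alice
09:05:30 WS-01 ACTION alice
09:06:00 WS-01 LOGIN bob
09:07:00 WS-01 LOGIN carol
09:08:00 WS-01 ACTION bob
09:09:00 WS-01 LOGOUT carol
"""


def audit_sessions(log_text):
    """Return findings as (timestamp, workstation, description) tuples."""
    active = {}  # workstation -> user with the currently open session
    findings = []
    for line in log_text.splitlines():
        ts, ws, event, user = line.split()
        current = active.get(ws)
        if event == "LOGIN":
            # A login without a prior logout breaks per-user attribution.
            if current is not None and current != user:
                findings.append((ts, ws, f"LOGIN {user} while {current} still active"))
            active[ws] = user
        elif event == "LOGOUT":
            if current != user:
                findings.append((ts, ws, f"LOGOUT {user} but active session is {current}"))
            active[ws] = None
        elif event == "ACTION":
            if current is None:
                findings.append((ts, ws, f"ACTION by {user} with no active session"))
            elif current != user:
                findings.append((ts, ws, f"ACTION by {user} attributed to {current}'s session"))
    # Sessions still open at the end of the log have no logout record.
    for ws, user in active.items():
        if user is not None:
            findings.append(("end", ws, f"session for {user} never logged out"))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_LOG):
        print(*finding)
```

Run against real workstation logs, every finding is either an attribution gap the audit trail cannot explain or a logout path that fast user switching did not exercise.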
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Implementation context for face authentication in regulated workflows and shared-device environments
- How the vendor describes support for legacy applications that do not natively support modern authentication
- Details on data capture, encryption, storage, and deletion for biometric templates and enrollment images
- The article's full breakdown of adoption barriers, including user resistance, cost, and compliance concerns
Read Imprivata's analysis of face authentication for passwordless access.
Facial biometrics for passwordless access: what changes for IAM teams?
Passwords are not just a user inconvenience. They are a governance failure mode. Password resets, help desk load, and credential compromise are symptoms of an identity model that still treats the password as a normal state. Once identity assurance has to be rebuilt around high-risk access, passwordless becomes a structural control discussion, not a UX feature discussion. Practitioners should judge passwordless by whether it reduces dependency on recoverable secrets, not by whether it feels modern.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why access assurance often breaks long before teams reach enforcement, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who remains accountable when passwordless access spans employees, contractors, and third parties?
A: Accountability stays with the organisation that owns the identity lifecycle and access policy, even when external users or shared devices are involved. Passwordless does not remove governance responsibility; it makes lifecycle control, offboarding, and audit trails more visible.
Read our full editorial: Facial biometrics expose the limits of passwordless IAM.