Passwordless adoption and the credential gap teams are missing


(@nhi-mgmt-group)

TL;DR: Poor password hygiene remains widespread, with 66% of employees reporting risky password behaviour and 89% of security and IT professionals saying their company is pushing passkeys, according to 1Password's Annual Report 2025 analysis. The governance challenge is not whether passwordless will arrive, but whether teams can reduce raw credential exposure while it is still partial and uneven.

NHIMG editorial — based on content published by 1Password: Passwordless access still leaves credential risk wide open

By the numbers:

Questions worth separating out

Q: How should security teams manage the transition to passwordless authentication?

A: They should treat passwordless as a phased governance programme, not a one-time switch.

Q: Why do weak passwords still matter if an organisation is moving to passkeys?

A: Weak passwords still matter because most organisations run mixed authentication estates for a long time.

Q: What do security teams get wrong about passwordless programmes?

A: They often mistake adoption messaging for control effectiveness.

Practitioner guidance

  • Map the mixed authentication estate: Inventory where passwords, MFA, passkeys, recovery methods, and shared credentials still coexist so the migration plan reflects reality rather than target state.
  • Enforce 2FA gaps as governance defects: Prioritise accounts without 2FA, especially privileged or shared accounts, and route them into remediation queues that are tracked to closure.
  • Reduce credential handling in onboarding and offboarding: Remove manual password handoffs from joiner and leaver workflows by routing access through controlled identity processes and approved credential stores.

What's in the full article

1Password's full blog covers the operational detail this post intentionally leaves for the source:

  • The report-level breakdown of password risk exposure, including the dashboard signals admins can use to triage weak and reused passwords.
  • The specific enterprise password manager capabilities for secure sharing, storage, and admin control during onboarding and offboarding.
  • The Device Trust enforcement path that checks whether the password manager is installed and functioning correctly.
  • The article's practical rollout framing for moving employees from weak passwords toward stronger authentication methods.

👉 Read 1Password's analysis of passwordless adoption and credential risk →
