TL;DR: 93% of respondents still use passwords for business, while 52% have already fallen victim to a password-based cyberattack and 45% plan to use passwordless technology next year, according to Axiad’s 2023 State of Authentication Survey. Passwordless and phishing-resistant MFA are advancing, but legacy friction and change resistance keep them from becoming the default.
NHIMG editorial — based on content published by Axiad: The Path to Passwordless, Phishing-Resistant MFA: Emerging but Still a Long Road Ahead
By the numbers:
- 93% of respondents are still using passwords for business.
- 52% have already fallen victim to a password-based cyberattack.
- 45% said they will use passwordless technology over the next year.
Questions worth separating out
Q: How should organisations roll out passwordless authentication without breaking access?
A: Start with the highest-risk populations first, such as privileged users and remote access roles, then move outward in phases.
Q: Why do password-based attacks still succeed even when organisations think they are prepared?
A: Preparation often focuses on awareness and detection, while the actual weakness sits in credential reuse, phishing susceptibility, and recovery workflows.
Q: What do teams get wrong about phishing-resistant MFA?
A: They often treat it as a narrow login upgrade instead of an end-to-end identity control.
Practitioner guidance
- Inventory password-dependent access paths: Map which applications, admin workflows, and recovery processes still require passwords or password resets.
- Harden fallback and recovery flows: Apply phishing-resistant verification to enrolment, account recovery, and help desk-assisted resets so attackers cannot bypass stronger primary authentication by targeting the weakest exception path.
- Phase phishing-resistant MFA by risk tier: Start with privileged users, remote access, and sensitive applications, then expand to broader workforce populations once device support and support coverage are stable.
What's in the full article
Axiad's full blog post covers the survey detail this post intentionally leaves for the source:
- The full breakdown of how 200-plus IT professionals answered the authentication readiness questions.
- The specific reasons respondents gave for staying with passwords, including change resistance and resource constraints.
- The side-by-side view of planned passwordless adoption versus phishing-resistant MFA adoption in the next year.
- The vendor's own framing of how passwordless fits into its Zero Trust and orchestration approach.
👉 Read Axiad's analysis of the 2023 State of Authentication Survey →
Passwordless authentication adoption is rising, but why is it still hard?
Explore further
Passwordless adoption is really a governance migration problem, not a pure authentication upgrade. The survey shows that most organisations understand the risk of password-based compromise, but understanding does not remove dependency on legacy workflows, support models, and application constraints. That is why adoption lags even when the security case is mature. Practitioners should treat the transition as an identity programme change effort, not a feature roll-out.
A few things that frame the scale:
- 80% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own passwordless migration in an identity programme?
A: Ownership should sit with identity security, IAM operations, and application platform teams together, because the work spans policy, user experience, and integration. If one team owns only the factor replacement, the programme will stall at exceptions and unsupported systems. Strong governance requires shared accountability across the access stack.
👉 Read our full editorial: Passwordless phishing-resistant MFA is still a long way off