Passwordless authentication: is your identity risk model complete?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: As organisations move away from passwords, the real challenge is not just replacing one factor with another but mapping personas, access paths, and risk levels across employees, contractors, administrators, systems, and machines, according to Axiad. Passwordless works only when identity governance covers the full user population, not just people.

NHIMG editorial — based on content published by Axiad: Forget your Password on World Password Day

By the numbers:

Questions worth separating out

Q: How should security teams design passwordless authentication for mixed user populations?

A: Start by separating personas into groups with different assurance and recovery needs.

Q: Why do passwordless programmes still need IAM governance?

A: Because removing passwords does not remove identity risk.

Q: What do teams get wrong when they treat passwordless as a single project?

A: They often focus only on the human login experience and assume the rest of identity management will follow.

Practitioner guidance

  • Build a persona inventory before choosing passwordless controls. Map employees, contractors, administrators, systems, applications, and machines to the authentication method, assurance level, and recovery path each one requires.
  • Bring machine identities into the same governance scope. Include service accounts, certificates, and system-to-system access in the programme charter so passwordless adoption does not leave non-human access unmanaged.
  • Design fallback and recovery with the same rigour as primary authentication. Define what happens when a biometric fails, a key is lost, or a smart card is unavailable, and make sure recovery does not reintroduce weaker paths than the one you replaced.

What's in the full article

Axiad's full blog post covers the practical detail this post intentionally leaves for the source:

  • The specific passwordless options discussed for different persona types, including biometrics, FIDO2, YubiKey tokens, and smart cards.
  • The article's step-by-step persona assessment approach for employees, contractors, system administrators, machines, and systems.
  • The author’s discussion of remote-work pressure as a driver for passwordless adoption and authentication redesign.
  • The source article’s customer-facing framing of passwordless deployment and adoption challenges.

👉 Read Axiad's blog on passwordless authentication and persona-based identity risk →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwordless succeeds only when identity programmes stop treating authentication as a human-only problem. The article correctly points out that employees are only one part of the access population. Once systems, applications, machines, and privileged users are included, passwordless becomes an identity governance exercise, not just an authentication UX change. The implication is that IAM teams must define the full persona model before they can claim reduced authentication risk.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot confidently govern non-human access at scale.

A question worth separating out:

Q: How do organisations know whether passwordless is actually improving security?

A: Look for reduced password dependence, but also verify that privileged access, machine accounts, and recovery flows are under governance. If the programme only removed passwords for employees while leaving service accounts and fallback paths weak, the security gain is partial and may be misleading.

👉 Read our full editorial: Passwordless authentication needs persona-based identity risk review

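An added worked check, not part of either post or of Axiad's article, that applies the practitioner guidance in the first post (persona inventory, machine identities in scope, recovery no weaker than the primary path) and the question in this reply (is passwordless actually improving security, or only for employees?) to a constructed persona inventory. The assurance ranking and the sample personas are assumptions for illustration.

```python
from dataclasses import dataclass

# Assurance ranking used by this example (constructed for illustration; not a
# standard and not the source article's taxonomy). Higher is stronger.
ASSURANCE = {"password": 1, "sms_otp": 2, "totp": 3,
             "fido2": 4, "smartcard": 4, "mtls_cert": 4}


@dataclass
class Persona:
    name: str
    human: bool      # employee/contractor/admin vs service account/machine
    primary: str     # primary authentication method
    recovery: str    # fallback when the primary method fails or is lost
    governed: bool   # ownership, lifecycle and access review are in IAM scope


def review_inventory(inventory):
    """Return (persona, issue) pairs for the gaps the guidance warns about."""
    findings = []
    for p in inventory:
        if not p.governed:
            findings.append((p.name, "outside governance scope"))
        if p.primary == "password":
            findings.append((p.name, "still password-dependent"))
        if ASSURANCE[p.recovery] < ASSURANCE[p.primary]:
            findings.append((p.name, f"recovery '{p.recovery}' is weaker than primary '{p.primary}'"))
    return findings


def passwordless_coverage(inventory):
    """Share of personas with no password on either path, split human/non-human."""
    out = {}
    for human in (True, False):
        group = [p for p in inventory if p.human == human]
        done = [p for p in group if "password" not in (p.primary, p.recovery)]
        out["human" if human else "non_human"] = len(done) / len(group) if group else 0.0
    return out


# Constructed sample inventory (hypothetical personas, not from the source).
SAMPLE = [
    Persona("employee", True, "fido2", "sms_otp", True),
    Persona("contractor", True, "totp", "password", True),
    Persona("sysadmin", True, "smartcard", "fido2", True),
    Persona("ci_runner", False, "mtls_cert", "mtls_cert", False),
    Persona("legacy_app", False, "password", "password", True),
]

if __name__ == "__main__":
    for name, issue in review_inventory(SAMPLE):
        print(f"{name}: {issue}")
    print(passwordless_coverage(SAMPLE))  # human 0.67, non_human 0.5
```

A "passwordless" claim that counts only the employee persona would hide the weak SMS recovery path, the ungoverned service account and the legacy application that still authenticates with a password.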