TL;DR: As organisations shift remote work and privileged access flows away from passwords, Axiad argues that passwordless authentication must be designed around distinct personas, risk levels, and use cases, with alternatives such as biometrics, FIDO2, YubiKeys, and smart cards for different access paths. The real issue is not whether passwords are weak, but whether identity programmes still assume one-size-fits-all authentication.
NHIMG editorial — based on content published by Axiad: Forget your Password on World Password Day
By the numbers:
- More than 8 billion consumer records were breached in 2019, with a significant percentage exposing encrypted passwords.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations choose passwordless methods for different user types?
A: Choose methods by persona and risk, not by convenience or brand preference.
Q: Why do passwordless programmes still need strong identity governance?
A: Because removing passwords changes the login method, not the underlying governance problem.
Q: What mistakes do teams make when rolling out passwordless authentication?
A: The most common mistake is assuming one authentication pattern works for every persona.
Practitioner guidance
- Map personas before selecting authentication methods: document employees, contractors, administrators, systems, and machines separately, then assign each group a distinct authentication path based on access purpose and risk level.
- Reserve phishing-resistant methods for high-risk access: use biometrics, FIDO2, smart cards, or hardware tokens where the assurance requirement is high, especially for privileged users and remote access.
- Review recovery and enrolment flows as core controls: treat account recovery, device binding, and enrolment as part of the authentication design, because weaknesses there can undo the value of passwordless sign-in.
What's in the full article
Axiad's full blog post covers the practical authentication choices this post intentionally leaves at the strategy level:
- Specific examples of biometric, FIDO2, YubiKey, and smart card use cases for different user populations
- How the vendor recommends approaching adoption across employees, contractors, privileged users, and systems
- The article's framing for remote work authentication and user experience trade-offs
- Guidance on how organisations can think about rollout sequencing and user acceptance
Read Axiad's blog post on passwordless authentication for human and machine access.
Passwordless authentication: what IAM teams need to rethink now?
Explore further
Passwordless is a human IAM modernisation problem, not a universal identity strategy. The article is strongest when it treats passwordless as a better fit for some personas and use cases than others. That is the correct governance lens because employees, administrators, contractors, and machines do not share the same assurance requirements. Practitioners should resist any rollout that erases those distinctions.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity modernisation has to include machine and workload governance.
A question worth separating out:
Q: How do passwordless controls affect machine and service access?
A: They can improve the overall identity model by forcing teams to classify subject type, access purpose, and risk, but they do not replace workload identity controls. Service accounts, API keys, and machine-to-machine flows still need lifecycle governance, secrets handling, and access scoping. Passwordless is a human-access strategy, not a substitute for NHI governance.
Read our full editorial: Passwordless authentication exposes the limits of password-era IAM.