Passwordless authentication: what it changes for identity teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Passwords still drive avoidable risk because employees average 190+ passwords, over 40% of help desk calls are password-related, and more than 80% of breaches involve password issues, according to Axiad. The practical shift is toward stronger identity assurance and lower operational drag, not just a better login experience.

NHIMG editorial — based on content published by Axiad: Password Day commentary on why better authentication matters

Questions worth separating out

Q: How should security teams migrate away from passwords without creating new identity gaps?

A: Migrate in stages, starting with high-friction user groups and the most exposed applications.

Q: Why do password issues create so much operational overhead for IAM teams?

A: Password issues generate resets, lockouts, one-time code requests, and help desk interactions that consume staff time and delay work.

Q: What should organisations review before adopting passwordless authentication?

A: Review device trust, recovery workflows, enrollment assurance, and logging across the authentication lifecycle.

Practitioner guidance

  • Map password dependency across the identity estate: Inventory where passwords still gate access, where resets are handled, and which recovery paths create the highest abuse potential.
  • Prioritise high-friction user groups for passwordless rollout: Start with populations that generate the most resets, help desk traffic, or phishing exposure, then expand by business process risk rather than by convenience.
  • Harden enrollment and recovery before removing passwords: Treat registration, device binding, and account recovery as primary control points.

What's in the full article

Axiad's full blog post covers the practical passwordless considerations this analysis leaves at a high level:

  • Examples of passwordless approaches for user authentication and device assurance
  • Operational considerations for moving beyond passwords in everyday enterprise workflows
  • Axiad's discussion of how passwordless can support document and email security
  • Additional product context on automated, cloud-based authentication deployment

👉 Read Axiad's post on why passwordless authentication is replacing passwords →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwords are not just a weak factor, they are a governance liability. The article shows that password-based authentication creates recurring operational and security costs because the secret itself must be managed, recovered, and defended at scale. That makes authentication a lifecycle problem, not a point control. The practitioner implication is that identity programmes should treat password reduction as governance simplification, not a user-experience project.

A few things that frame the scale:

  • 92% of NHIs are exposed to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why authentication modernisation fails when machine identities remain unmanaged.

A question worth separating out:

Q: How do passwordless programmes affect human IAM and machine identity together?

A: Passwordless often starts with human sign-in, but the same trust model should extend to devices, applications, and signed artefacts where identity assurance matters. If those adjacent controls stay fragmented, the organisation improves one access path while leaving other trust paths exposed.

👉 Read our full editorial: Passwordless authentication reduces identity risk, not just login friction



   