TL;DR: Password-based authentication remains costly and risky, with the average employee managing 190+ passwords, over 40% of help desk calls tied to password issues, and more than 80% of data breaches linked to password problems, according to Axiad. The real issue is not convenience alone: password-centric IAM still depends on weak, reusable, and stealable secrets.
NHIMG editorial — based on content published by Axiad: This Password Day, we think you deserve better
By the numbers:
- The average employee has 190+ passwords.
- Over 40% of help desk calls are about password-related issues.
- 80% of data breaches relate to password issues.
Questions worth separating out
A: Prioritise passwordless authentication on the workflows that create the most support burden and security exposure, such as remote access, privileged applications, and high-value SaaS.
Q: Why do passwords remain such a persistent identity risk?
A: Passwords persist because they are familiar, widely supported, and easy to deploy, not because they are strong.
Q: How do teams know if passwordless authentication is actually working?
A: Look for fewer password reset tickets, lower lockout rates, reduced help desk time spent on authentication issues, and lower exposure to phishing-based account compromise.
Practitioner guidance
- Reduce password dependencies in high-risk workflows: start with VPN, admin access, privileged SaaS, and remote workforce entry points where stolen credentials have the highest blast radius.
- Harden account recovery and reset paths: review every fallback route that still depends on knowledge factors, help desk verification, or email-based recovery.
- Measure help desk effort as an identity risk signal: track password reset volume, lockout rates, and recovery ticket trends as programme health indicators.
What's in the full article
Axiad's full blog post covers the practical detail this post intentionally leaves for the source:
- Examples of passwordless methods that fit different user populations and device environments
- Operational considerations for moving from password resets to stronger recovery workflows
- Guidance on securing machines and documents beyond user login, including signing and encryption
- Deployment and maintenance considerations for automated, cloud-based authentication models
👉 Read Axiad's post on why passwordless authentication matters for identity security →
Passwordless authentication: what it means for identity teams?
Explore further
Passwordless authentication is not just a user-experience upgrade. It is a reduction in identity attack surface because it removes the most reusable and most socially engineered credential type from the human workflow. The article’s own data shows why passwords persist as operational debt rather than as a security control. When employees manage hundreds of passwords, the system invites reuse, reset flows, and insecure workarounds. Practitioners should treat password removal as an identity risk decision, not a convenience project.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: What is the difference between passwordless authentication and simply adding MFA?
A: MFA strengthens a password-based model, but it still leaves the password as a reusable secret that can be stolen, reused, or guessed. Passwordless authentication removes that primary secret from the normal login flow and replaces it with stronger proof such as device-bound or biometric factors. The difference is structural, not cosmetic.
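The structural difference described in this answer can be seen in what each model stores and checks at login. The following Go program is an added illustration, not code from Axiad or NHIMG: it contrasts a minimal password verifier (the server keeps a salted hash of a secret the user must present again every time, and the same string works wherever it was reused) with a minimal device-bound challenge-response login in the style of FIDO/WebAuthn (the server keeps only a public key, and each login is a signature over a fresh, single-use challenge). The record types, the `Server` challenge store, and the sha256-based password hash are simplifications chosen for this example; a production system would use a slow KDF such as argon2id and a real WebAuthn library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ---- Password model: the server stores a verifier for a secret the user must reuse ----
// PasswordRecord is what a password login stores per user. sha256(salt||password) stands in
// for a real slow KDF (argon2id, bcrypt) so the example stays stdlib-only.
type PasswordRecord struct{ Salt, Hash []byte }

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func NewPasswordRecord(password string) PasswordRecord {
	salt := randomBytes(16)
	return PasswordRecord{Salt: salt, Hash: hashPassword(salt, password)}
}

// VerifyPassword accepts whoever presents the string: no device binding, no freshness, no single use.
func VerifyPassword(rec PasswordRecord, password string) bool {
	return subtle.ConstantTimeCompare(rec.Hash, hashPassword(rec.Salt, password)) == 1
}

// ---- Passwordless model: the server stores a public key; each login signs a fresh single-use challenge ----
// Device holds a private key that never leaves the authenticator.
type Device struct{ priv ed25519.PrivateKey }

// Enroll creates a device-bound key pair; only the public half is registered with the server.
func Enroll() (Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{priv: priv}, pub
}

// Respond signs the server's challenge; the signature is meaningful only for that challenge.
func (d Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server tracks outstanding challenges so each one is consumed exactly once.
type Server struct{ outstanding map[string]bool }

func NewServer() *Server { return &Server{outstanding: map[string]bool{}} }

func (s *Server) Challenge() []byte {
	c := randomBytes(32)
	s.outstanding[string(c)] = true
	return c
}

// VerifyAssertion succeeds only for a challenge this server issued and has not yet consumed, signed by the enrolled key.
func (s *Server) VerifyAssertion(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if !s.outstanding[string(challenge)] {
		return false // unknown or already used: a replayed assertion stops here
	}
	delete(s.outstanding, string(challenge))
	return ed25519.Verify(pub, challenge, sig)
}

// PasswordReplays: a captured password works against the original record and against a second
// record where the user reused the same string at another application.
func PasswordReplays(password string) (original, reusedElsewhere bool) {
	return VerifyPassword(NewPasswordRecord(password), password),
		VerifyPassword(NewPasswordRecord(password), password)
}

// AssertionReplays: a captured signature logs in once, then fails against the consumed challenge
// and against a fresh challenge it does not cover.
func AssertionReplays() (firstLogin, replaySameChallenge, replayNewChallenge bool) {
	srv := NewServer()
	dev, pub := Enroll()
	c1 := srv.Challenge()
	sig := dev.Respond(c1) // suppose this is captured in transit
	firstLogin = srv.VerifyAssertion(pub, c1, sig)
	replaySameChallenge = srv.VerifyAssertion(pub, c1, sig)
	replayNewChallenge = srv.VerifyAssertion(pub, srv.Challenge(), sig)
	return
}

func main() {
	fmt.Println(PasswordReplays("Winter2024!")) // constructed sample password
	fmt.Println(AssertionReplays())
}
```

The point to take from running it: a password is a bearer secret, so the same stolen string verifies everywhere it was reused and as often as it is presented, which is why MFA layered on top still leaves a reusable secret in play. In the challenge-response model the server-side record is a public key that cannot be turned into a login, and a captured response is bound to one challenge that is discarded on first use. Adding MFA to the left-hand model narrows the window; moving to the right-hand model removes the secret.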
👉 Read our full editorial: Passwordless authentication reduces identity risk and help desk load