
Passwordless authentication: where MFA still falls short for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7735
Topic starter  

TL;DR: Passwordless authentication is presented as the next step beyond password-based MFA because phishing, OTP interception, MFA fatigue, and SIM-swap attacks still exploit the weakest factor, according to Imprivata. The practical shift is not just better user experience but phishing-resistant identity design built around device-bound keys and local verification.

NHIMG editorial — based on content published by Imprivata: passwordless authentication and why MFA alone is no longer enough

Questions worth separating out

Q: How should organisations move from password-based MFA to passwordless authentication?

A: Start with the access paths that face the highest phishing and replay risk, such as remote access, privileged users, and sensitive business applications.

Q: Why do password-based MFA controls still get bypassed in practice?

A: They still depend on reusable secrets or coercible approvals, which attackers can steal, relay, or pressure users into accepting.

Q: When should security teams prioritise passkeys over other authentication upgrades?

A: Prioritise passkeys when phishing, credential stuffing, or remote account takeover would create outsized business risk, especially for privileged, frontline, or shared-device users.

Practitioner guidance

  • Prioritise phishing-resistant authentication for high-risk access paths: replace password-plus-OTP flows first for administrators, remote access, and high-value applications where phishing and replay are realistic attack paths.
  • Map which login flows still depend on reusable secrets: inventory where passwords, SMS codes, email codes, and push approvals remain in use.
  • Design recovery and device-loss processes before rollout: define how users re-enrol, recover access, and revoke lost authenticators without reintroducing weak fallback methods.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of how FIDO2, passkeys, smartcards, and biometric unlock differ in day-to-day deployment.
  • The article's practical comparison of password-based MFA weaknesses such as OTP interception, prompt bombing, and SMS compromise.
  • Implementation detail for healthcare and critical infrastructure sign-in patterns, including tap-and-go workflows.
  • The source's recommended direction for replacing passwords where system support already exists.

👉 Read Imprivata's analysis of passwordless authentication and MFA limits →
