Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passwordless authentication: where MFA still falls short for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Passwordless authentication is presented as the next step beyond password-based MFA because phishing, OTP interception, MFA fatigue, and SIM-swap attacks still exploit the weakest factor, according to Imprivata. The practical shift is not just better user experience but phishing-resistant identity design built around device-bound keys and local verification.

NHIMG editorial — based on content published by Imprivata: passwordless authentication and why MFA alone is no longer enough

By the numbers:

Questions worth separating out

Q: How should organisations move from password-based MFA to passwordless authentication?

A: Start with the access paths that face the highest phishing and replay risk, such as remote access, privileged users, and sensitive business applications.

Q: Why do password-based MFA controls still get bypassed in practice?

A: They still depend on reusable secrets or coercible approvals, which attackers can steal, relay, or pressure users into accepting.

Q: When should security teams prioritise passkeys over other authentication upgrades?

A: Prioritise passkeys when phishing, credential stuffing, or remote account takeover would create outsized business risk, especially for privileged, frontline, or shared-device users.

Practitioner guidance

  • Prioritise phishing-resistant authentication for high-risk access paths Replace password-plus-OTP flows first for administrators, remote access, and high-value applications where phishing and replay are realistic attack paths.
  • Map which login flows still depend on reusable secrets Inventory where passwords, SMS codes, email codes, and push approvals remain in use.
  • Design recovery and device-loss processes before rollout Define how users re-enrol, recover access, and revoke lost authenticators without reintroducing weak fallback methods.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of how FIDO2, passkeys, smartcards, and biometric unlock differ in day-to-day deployment.
  • The article's practical comparison of password-based MFA weaknesses such as OTP interception, prompt bombing, and SMS compromise.
  • Implementation detail for healthcare and critical infrastructure sign-in patterns, including tap-and-go workflows.
  • The source's recommended direction for replacing passwords where system support already exists.

👉 Read Imprivata's analysis of passwordless authentication and MFA limits →

Passwordless authentication: where MFA still falls short for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passwordless succeeds because it removes the reusable secret that attackers keep targeting. Password-based MFA still depends on a credential pattern that can be phished, replayed, intercepted, or fatigued into approval. Once the password disappears and the private key stays non-exportable on the device, the attack surface changes materially. Practitioners should stop treating password removal as optional UX refinement and treat it as a structural control change.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: What should IAM teams watch when rolling out passwordless login?

A: Watch enrollment assurance, recovery, device revocation, and exception handling. Passwordless only stays strong if the enrolled device remains trusted and the recovery path does not fall back to weak shared secrets. The programme should also verify that badges, passkeys, or hardware keys are managed through the same identity lifecycle as other credentials.

👉 Read our full editorial: Passwordless authentication exposes the limits of MFA-only strategies



   
ReplyQuote
Share: