Passwordless, MFA, and biometrics: what IAM teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Traditional passwords still dominate enterprise authentication, but the article argues they create recurring security, usability, and support failures through reuse, phishing, resets, and weak recovery patterns, according to Imprivata. The real shift is from memorized secrets toward stronger credential management, because password policy alone cannot fix the structural trust problem.

NHIMG editorial — based on content published by Imprivata: password problems, passwordless alternatives, and enterprise credential management

Questions worth separating out

Q: How should organisations phase out passwords without breaking access?

A: Start with the highest-friction and highest-risk workflows, then move in waves.

Q: Why do passwords still create so much risk in enterprise IAM?

A: Because they are easy to reuse, easy to phish, and hard to govern consistently across many systems.

Q: What do teams get wrong about passwordless authentication?

A: They often focus on removing the password field without redesigning recovery, revocation, and device trust.

Practitioner guidance

  • Inventory where passwords remain mandatory: map every application, remote access path, and privileged workflow that still depends on memorised secrets.
  • Pilot passkeys in high-friction user journeys: start with use cases that create many password resets or repeated login prompts, then define enrollment, device replacement, and account recovery before expanding.
  • Separate biometric convenience from biometric governance: require on-device storage, encryption, and documented recovery steps before approving biometrics for production access.

What's in the full article

Imprivata's full article covers the implementation detail this post intentionally leaves for the source:

  • Practical comparisons of passwordless methods, including biometrics, device-based authentication, and passkeys.
  • Operational discussion of recovery paths when a phone or hardware token is lost, stolen, or replaced.
  • Enterprise rollout considerations for legacy systems that still assume password-based authentication.
  • Privacy concerns and storage choices for biometric identifiers in real deployments.

👉 Read Imprivata's analysis of password problems and passwordless alternatives →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Passwords are a governance problem, not just a usability problem: the article shows that the same secret has to satisfy human memory, phishing resistance, recovery, and compliance at once. That is why password policy keeps producing exceptions, resets, and insecure workarounds. The implication is that identity programmes should stop treating passwords as the baseline control for modern access decisions.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • 52% of respondents see AI security decision-making power shifting toward platform and infrastructure teams rather than the executive suite.

A question worth separating out:

Q: Should organisations replace passwords with biometrics everywhere?

A: No. Biometrics are useful in the right context, but they need strong privacy protections and careful storage design. They are best treated as one factor in a broader authentication strategy, especially where users need secure fallback options and where biometric data must remain on-device.

👉 Read our full editorial: Passwords are failing enterprise identity and access management
