Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passwords and passkeys coexist: what should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Most enterprises still run hybrid authentication, with Okta reporting 93% password usage in workforce environments and 56% of organisations keeping passwords after passkey deployment, so exposure persists across legacy apps, AD, VPN, SaaS, and privileged workflows. The security problem is not choosing a replacement, but reducing the credential layer attackers still target today.

NHIMG editorial — based on content published by Enzoic: How to reduce credential risk while passwords and passkeys coexist

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk in hybrid authentication environments?

A: They should treat the remaining password estate as the main control surface, not a temporary leftover.

Q: Why do passkeys not eliminate credential risk on their own?

A: Passkeys reduce risk only on the flows that have actually migrated.

Q: What breaks when organisations rely on password policy alone?

A: Static password policy fails to detect whether a credential has already been exposed.

Practitioner guidance

  • Inventory every password-dependent access path Map Active Directory, legacy applications, VPNs, privileged workflows, customer portals, and recovery flows that still accept passwords.
  • Deploy breach-aware credential screening Block exposed passwords during creation and reset, then continuously rescreen stored credentials against new breach data.
  • Separate modernisation from risk reduction Do not treat passkey rollout as proof that authentication risk has been solved.

What's in the full article

Enzoic's full article covers the operational detail this post intentionally leaves for the source:

  • 具体?
  • Detailed credential screening workflow examples for password creation, reset, and ongoing monitoring across hybrid estates.
  • Implementation considerations for legacy Active Directory, privileged workflows, and customer login paths that still accept passwords.
  • Practical guidance on reducing credential risk without assuming passkeys have removed the need for password controls.

👉 Read Enzoic's analysis of credential risk in hybrid authentication environments →

Passwords and passkeys coexist: what should IAM teams do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Hybrid authentication is now an operating model, not a transition state: Most enterprises will live with passwords and passkeys side by side for years because their application estate cannot modernise in one step. That means IAM strategy must govern mixed trust, mixed assurance, and mixed recovery paths at the same time. The practitioner conclusion is simple: design for coexistence, not completion.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable for hybrid authentication risk when passwords and passkeys coexist?

A: IAM, PAM, and identity governance teams share accountability because the risk spans sign-in, recovery, and privileged access. Security ownership should follow the access path, not the authentication label. If a system still accepts passwords, someone must own its residual exposure, even when passkeys are available elsewhere.

👉 Read our full editorial: Hybrid authentication environments still need password risk reduction



   
ReplyQuote
Share: