
Phishing-resistant authentication for workforces: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Passwords are being pushed out by three converging pressures: exposed credentials on the dark web, AI-assisted phishing and social engineering, and growing availability of phishing-resistant authentication such as FIDO passkeys and certificates, according to Axiad. The real shift is that stronger authentication is becoming operationally scalable, so password dependence is now a governance choice rather than a technical necessity.

NHIMG editorial — based on content published by Axiad: Enough is Enough, 4 Reasons Passwords Will Be Flushed This Year

By the numbers:

Questions worth separating out

Q: How should security teams phase out passwords without breaking workforce access?

A: Start with the highest-risk populations and the most exposed applications, then introduce phishing-resistant factors alongside clear recovery and help desk processes.

Q: Why do phishing-resistant factors matter more than stronger passwords?

A: Because they change the attack model.

Q: What operational controls are needed before passwordless rollout?

A: You need issuance, replacement, preregistration, recovery, and help desk workflows that work at scale.

Practitioner guidance

  • Map password-dependent access paths first: inventory where workforce users still rely on passwords for primary or fallback access, then separate low-risk from high-risk flows so migration starts with privileged and internet-exposed entry points.
  • Prioritise phishing-resistant factors for exposed roles: roll out FIDO or PKI-based factors first to administrators, finance, support, and other roles most likely to be targeted by credential theft and impersonation.
  • Build the lifecycle operations before broad rollout: prepare issuance, replacement, preregistration, PIN reset, and device recovery workflows before expanding strong credentials to large populations.

What's in the full article

Axiad's full article covers the operational detail this post intentionally leaves for the source:

  • The dark web marketplace examples and how stolen credentials move through those ecosystems.
  • The CISA, NIST, and policy references behind phishing-resistant authentication choices.
  • The workforce rollout story showing how a large enterprise deployed strong credentials across 32,000 devices in six months.
  • The credential management system discussion that explains how issuance and recovery can be scaled.

👉 Read Axiad's analysis of why workforce passwords are fading →


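Added example, not from the Axiad article or either post, to make the "they change the attack model" answer concrete: a passkey login relayed through a look-alike domain fails at the browser (the rpId is not allowed from that origin) and, even if an assertion were obtained, at the relying party (origin binding and rpIdHash checks). The authenticator, browser and relying-party functions are constructed stand-ins; HMAC with a per-credential secret replaces the real asymmetric signature, and corp.example / corp-login.example are placeholder hosts.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """Stand-in FIDO authenticator: one credential per RP ID (HMAC replaces the real signature)."""
    def __init__(self):
        self.keys = {}
    def make_credential(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]   # a real RP would store only the public key
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.keys:
            raise LookupError("no credential scoped to " + rp_id)
        auth_data = rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash | flags(UP) | signCount
        sig = hmac.new(self.keys[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

def browser_get(authenticator, page_origin, rp_id, challenge):
    """Browser side: refuses an rpId that is not the page's host or a suffix of it, and fills in the true origin."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId %r not allowed from %s" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def rp_verify(cred_key, rp_id, expected_origin, issued_challenge, client_data, auth_data, sig):
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False                                # replayed or unsolicited assertion
    if cd.get("origin") != expected_origin:         # origin binding: a relayed login fails here
        return False
    if auth_data[:32] != rp_id_hash(rp_id):         # credential must be scoped to this RP
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def passkey_login(page_origin):
    """Full flow from a page at page_origin against the placeholder RP corp.example; True only if accepted."""
    rp_id, rp_origin = "corp.example", "https://corp.example"
    authn = Authenticator()
    cred_key = authn.make_credential(rp_id)        # registration happened on the real site earlier
    challenge = secrets.token_urlsafe(32)          # fresh challenge issued by the RP for this login
    try:
        client_data, auth_data, sig = browser_get(authn, page_origin, rp_id, challenge)
    except PermissionError:                        # a look-alike domain cannot even obtain an assertion
        return False
    return rp_verify(cred_key, rp_id, rp_origin, challenge, client_data, auth_data, sig)
```

The same relay works against a password because nothing in a typed password is bound to the page it was typed into; here both the browser's rpId rule and the RP's origin check reject it.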
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Password retirement is now a governance problem, not a usability preference. The article is right that breaches, dark web markets, and AI-generated phishing have made passwords structurally weak. The more important point is that security programmes still treating passwords as the default are preserving an attack path that has become cheaper to exploit and harder to defend. Identity leaders should stop asking whether passwords are familiar enough and start asking why they are still policy-compliant in high-risk access paths.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity oversight remains even before attackers enter the picture.

A question worth separating out:

Q: Who should be first in line for password retirement?

A: Privileged users, high-risk business roles, and externally exposed access paths should move first because they are the most attractive targets for phishing and credential stuffing. Those groups deliver the fastest risk reduction and force the organisation to solve the hardest operational issues early.

👉 Read our full editorial: Passwords are losing ground as phishing-resistant auth scales
