TL;DR: RSA’s 2026 ID IQ Report says 69% of global organisations experienced an identity-related breach in the last three years, while 45% said breach costs exceeded IBM’s typical benchmark and 24% said costs passed $10M. The data shows identity failure is now a cost and governance problem, not just an authentication problem.
NHIMG editorial — based on content published by RSA Security: Soaring Identity Costs and Stalling Passwordless Progress in Japan: RSA ID IQ Report Unveils Top Identity Threats
By the numbers:
- 69% of global organizations experienced an identity-related breach in the last three years.
- 45% of organizations said the cost of an identity-related breach exceeded the typical cost of a breach as defined by IBM.
- 57% still don’t use passwordless as their primary authentication method.
Questions worth separating out
Q: What breaks when passwordless is deployed but fallback authentication still exists?
A: Passwordless loses most of its value when passwords, recovery codes, or manual resets remain available behind the scenes. An attacker targets the weakest path the system still accepts, so an account's effective assurance is that of its fallback, not its primary factor.
Q: Why do help desk processes become a security risk in identity programmes?
A: Help desks can become an attack path when staff can reset access or change factors without strong verification.
Q: How do security teams know if passwordless is actually reducing risk?
A: They should look beyond adoption rates and measure fallback dependence, recovery frequency, and the number of accounts that still require password-based exceptions.
Practitioner guidance
- Map the full identity recovery chain: document every path that can restore or override access, including help desk resets, backup factors, delegated approvals, and exception handling.
- Harden help desk verification rules: require risk-based verification, step-up checks, and supervisor approval for high-impact account changes, especially when the request affects factor resets or privileged roles.
- Measure passwordless by fallback exposure: track how often users still rely on passwords, temporary bypasses, or legacy authentication paths in production and recovery workflows.
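The three guidance items above reduce to a small set of metrics that an identity team can compute from its own sign-in and help desk logs. The script below is an added example written for this editorial, not code from RSA or from the report; the log format, the method labels (which credentials count as passwordless versus fallback) and the verification label for a properly handled help desk reset are all assumptions, and the log lines are constructed. It contrasts the headline adoption number with fallback exposure, lists accounts that still need a password exception, counts recovery events, and flags the pattern from the second Q&A above: a help desk reset without strong verification followed by a fallback sign-in.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample log for this example (not real telemetry). Assumed line format:
#   <timestamp> <user> <event> <method> <verification>
# event: signin | recovery | helpdesk_reset
# method: credential used for a signin, or the factor restored by a recovery/reset
# verification: how the help desk verified the requester on a reset, "-" otherwise
SAMPLE_LOG = """\
2026-01-05T09:12:00Z alice signin fido2 -
2026-01-05T09:40:00Z bob signin password -
2026-01-05T10:02:00Z carol signin passkey -
2026-01-05T11:15:00Z bob recovery recovery_code -
2026-01-05T13:30:00Z dave signin legacy_basic -
2026-01-06T08:05:00Z alice signin fido2 -
2026-01-06T08:50:00Z bob helpdesk_reset password callback_only
2026-01-06T09:10:00Z bob signin password -
2026-01-06T14:00:00Z erin helpdesk_reset passkey stepup_and_manager
2026-01-06T14:20:00Z erin signin passkey -
2026-01-07T07:45:00Z carol signin temp_bypass -
2026-01-07T07:50:00Z carol signin passkey -
"""

# Assumed method labels: which ones count as passwordless and which are fallback paths.
PASSWORDLESS = {"fido2", "passkey"}
FALLBACK = {"password", "recovery_code", "temp_bypass", "legacy_basic"}
# Assumed label meaning the help desk did risk-based step-up plus supervisor approval.
STRONG_VERIFICATION = {"stepup_and_manager"}


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    kind: str
    method: str
    verification: str


def parse_log(text):
    """Parse whitespace-separated lines into Events, sorted by ISO timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, method, verification = line.split()
        events.append(Event(ts, user, kind, method, verification))
    return sorted(events, key=lambda e: e.ts)


def fallback_metrics(events):
    """Measure passwordless by fallback exposure rather than by adoption alone."""
    signins = [e for e in events if e.kind == "signin"]
    users = {e.user for e in signins}
    passwordless_users = {e.user for e in signins if e.method in PASSWORDLESS}
    fallback_signins = [e for e in signins if e.method in FALLBACK]
    recoveries = [e for e in events if e.kind in ("recovery", "helpdesk_reset")]
    weak_resets = [e for e in events
                   if e.kind == "helpdesk_reset" and e.verification not in STRONG_VERIFICATION]
    return {
        # the headline number most programmes report
        "passwordless_adoption": round(len(passwordless_users) / len(users), 3) if users else 0.0,
        # the numbers that show whether fallback paths are still carrying real traffic
        "fallback_rate": round(len(fallback_signins) / len(signins), 3) if signins else 0.0,
        "fallback_by_method": dict(Counter(e.method for e in fallback_signins)),
        "users_on_fallback": sorted({e.user for e in fallback_signins}),
        "password_only_accounts": sorted(users - passwordless_users),
        "recovery_events": len(recoveries),
        "weak_helpdesk_resets": [(e.user, e.verification) for e in weak_resets],
    }


def resets_followed_by_fallback(events):
    """Users whose help desk reset lacked strong verification and was then followed
    by a fallback sign-in: the recovery-abuse pattern to review first."""
    flagged = []
    pending = set()
    for e in events:  # events are already in timestamp order
        if e.kind == "helpdesk_reset" and e.verification not in STRONG_VERIFICATION:
            pending.add(e.user)
        elif e.kind == "signin" and e.method in FALLBACK and e.user in pending:
            flagged.append(e.user)
            pending.discard(e.user)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, value in fallback_metrics(evs).items():
        print(f"{key}: {value}")
    print("review first:", resets_followed_by_fallback(evs))
```

On the constructed sample, adoption looks healthy (three of five users have signed in with a passkey or FIDO2 key) while fallback traffic is still 4 of 9 sign-ins, carol's temporary bypass shows an "adopted" user still exercising an exception path, and bob is surfaced because a callback-only reset was followed by a password sign-in. Those are the numbers to put beside the adoption rate when reporting on a passwordless programme.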
What's in the full analysis
RSA Security's full report covers the operational detail this post intentionally leaves for the source:
- Country-level breakdowns for Japan versus global respondents, including how local credential behaviour differs.
- Survey methodology and respondent mix across IAM, cybersecurity, and IT roles.
- Additional data on passwordless adoption barriers and user friction patterns.
- Webinar context from RSA executives on the report’s findings and interpretation.
👉 Read RSA Security's 2026 ID IQ Report on identity breaches and passwordless adoption →
Identity breaches and passwordless stalls in Japan: what changed?
Explore further
Identity breach growth is now a governance failure, not just an authentication failure. The report shows 69% of organisations experienced an identity-related breach in three years, and the paths behind those breaches run through login, support, recovery, and privileged access rather than the sign-in event alone. Traditional IAM controls still focus too narrowly on user sign-in events. Practitioners should read this as a programme-design problem, not a point-in-time authentication problem.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle control remains across machine access.
A question worth separating out:
Q: Who is accountable when identity recovery is abused for account takeover?
A: Accountability typically spans IAM owners, help desk operations, and security governance because the failure sits in the recovery process, not only in the login method. If reset workflows are weak, the organisation owns that control gap and must govern it as part of identity assurance.
👉 Read our full editorial: Identity breaches surge as passwordless progress stalls in Japan