Passwordless adoption gap: are your telemetry questions wrong?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Despite 92% of organisations implementing passwordless, only 7% are fully passwordless, according to RSA Security, suggesting the blocker is not technology maturity but how teams interpret identity telemetry and recovery friction. The real gap is operational: organisations measure events, but too rarely interrogate where trust breaks and why.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams improve passwordless adoption without adding more friction?

A: Start by measuring where the secure path breaks in real workflows, not just where passwordless is enabled.

Q: Why do passwordless programmes stall even when deployment rates are high?

A: They stall when teams confuse deployment with usable coverage.

Practitioner guidance

  • Map passwordless failure points across the full identity journey: Track where users are forced to fall back from passwordless into passwords, including device changes, application exceptions, browser limitations, and recovery workflows.
  • Instrument recovery and helpdesk workflows as identity controls: Review account reset, verification, and support escalation paths with the same assurance expectations you apply to primary authentication.
  • Use telemetry to answer one operational question at a time: Replace generic reporting with targeted questions such as where users fail, which workflows trigger fallback, and which exceptions drive the most password reuse.

What to expect at the briefing

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step passwordless rollout and telemetry review approach used internally across employee login journeys.
  • The recovery-gap signals the vendor tracked after reaching 94% passwordless adoption.
  • The discussion of how MFA fatigue, helpdesk social engineering, and phishing changed the trust model beyond login.
  • The Identiverse session and live demo context for practitioners who want the source narrative and examples.

👉 Read RSA Security's analysis of passwordless adoption and identity telemetry →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

The passwordless gap is really a question-design gap. The article’s core point is that identity data already exists in most enterprises, but teams ask reporting questions instead of operational questions. That means they see deployment status, not trust failure. The practitioner lesson is that programme maturity depends on interrogating the journey, not merely counting enabled users.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do you know if passwordless is actually working?

A: You know it is working when users can complete every common access and recovery journey without reverting to passwords. Look for consistent success across devices, locations, and applications, and check whether support tickets or fallback usage are declining. If recovery is still easier than login, passwordless is only partially working.

👉 Read our full editorial: Passwordless adoption reveals a question problem, not a data one

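The difference between deployment and usable coverage discussed in this thread, as an added example that is not part of either post or of RSA Security's article: it sets the overall passwordless share beside the password fallback rate for each journey. The event schema, journey names, sample counts and the 10% threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample telemetry, not real data. The field names are assumptions:
# journey = workflow the user was in, method = factor that finally let them in,
# reason = why the passwordless path was abandoned (None when it was not).
def make_events(journey, method, reason, count):
    return [{"journey": journey, "method": method, "reason": reason}] * count

EVENTS = (
    make_events("daily_login", "passwordless", None, 90)
    + make_events("daily_login", "password", "browser_limitation", 2)
    + make_events("new_device", "passwordless", None, 1)
    + make_events("new_device", "password", "device_change", 3)
    + make_events("legacy_app", "password", "application_exception", 2)
    + make_events("account_recovery", "password", "recovery_workflow", 2)
)

def passwordless_share(events):
    """Reporting view: fraction of all attempts completed without a password."""
    return sum(e["method"] == "passwordless" for e in events) / len(events)

def fallback_by_journey(events):
    """Operational view: {journey: (attempts, fallbacks, fallback_rate)}."""
    totals, fallbacks = Counter(), Counter()
    for e in events:
        totals[e["journey"]] += 1
        fallbacks[e["journey"]] += e["method"] == "password"
    return {j: (n, fallbacks[j], fallbacks[j] / n) for j, n in totals.items()}

def broken_journeys(events, max_rate=0.10):
    """Journeys whose fallback rate exceeds max_rate (assumed 10%), worst first."""
    rates = {j: r for j, (_, _, r) in fallback_by_journey(events).items()}
    return sorted((j for j in rates if rates[j] > max_rate),
                  key=lambda j: (-rates[j], j))

def fallback_reasons(events):
    """Reasons that pushed users back to a password, most frequent first."""
    return Counter(e["reason"] for e in events
                   if e["method"] == "password").most_common()

if __name__ == "__main__":
    print(f"passwordless share of all attempts: {passwordless_share(EVENTS):.0%}")
    for journey in broken_journeys(EVENTS):
        attempts, falls, rate = fallback_by_journey(EVENTS)[journey]
        print(f"{journey}: {falls}/{attempts} fell back to a password ({rate:.0%})")
    print("fallback reasons:", fallback_reasons(EVENTS))
```

On the constructed data the headline share is 91%, yet account recovery, the legacy application and new-device enrolment all end in a password most or all of the time.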