Linux passwordless authentication: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1705
Topic starter  

TL;DR: RSA Security says passwordless support now extends to Linux, closing a long-standing gap in phishing-resistant authentication across enterprise environments and aligning Linux with Windows, macOS, iOS, and Android coverage. The real issue is not form factor availability but whether IAM programmes can enforce consistent authentication policy across the operating systems that still carry critical access.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams implement passwordless authentication on Linux endpoints?

A: Start by inventorying the Linux user groups that actually need interactive access, then define which devices, enrolment flows, and recovery steps are allowed.

Q: Why does leaving Linux outside the passwordless baseline increase identity risk?

A: Because Linux often supports high-value servers, administration, and developer workflows, a single exception preserves reusable secrets and weaker fallback paths.

Q: What do organisations get wrong about passwordless rollout in hybrid environments?

A: They often focus on the sign-in method and ignore the surrounding controls.

Practitioner guidance

The stronger signal is whether the authentication policy covers the full endpoint estate, including the systems administrators and developers still use every day.

👉 Read RSA Security's announcement on passwordless support for Linux →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 254
 

Passwordless on Linux closes a governance exception, not just a platform gap. Linux has long been the platform where identity programmes tolerate exceptions, especially in server, developer, and operational contexts. That exception undermines consistent phishing resistance and creates a split between policy intent and actual access practice. The implication is that IAM teams must stop treating platform variance as a technical footnote and start treating it as a governance inconsistency.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes that stop at human sign-in leave major blind spots.

A question worth separating out:

Q: How do Linux passwordless deployments fit into broader identity governance?

A: They should be treated as part of joiner, mover, and leaver controls, not as a standalone UX project. If identity enrolment and revocation are not tied to lifecycle events, access can remain active longer than intended. Passwordless works best when it is governed as an identity state, not just an authentication feature.

👉 Read our full editorial: Linux passwordless support closes a stubborn IAM gap



   