TL;DR: A major US bank used hybrid passwordless authentication across Windows, Mac, remote, third-party, and BYOD users to strengthen access security and compliance while preserving legacy app access, according to RSA Security. The case shows that passwordless only reduces risk when it is paired with device-aware controls, legacy coverage, and identity governance.
NHIMG editorial — based on content published by RSA Security: Large US Bank Adopts Hybrid Passwordless Authentication to Transform Identity Security
Questions worth separating out
Q: How should security teams roll out passwordless authentication in hybrid environments?
A: Security teams should roll out passwordless by inventorying application compatibility, device trust, and fallback authentication before enforcing policy broadly.
Q: Why do BYOD devices change the risk profile of passwordless authentication?
A: BYOD changes the risk profile because the credential is no longer protected by a fully controlled endpoint.
Q: What do organisations get wrong about hybrid passwordless programmes?
A: They often treat passwordless as a login project instead of an identity governance change.
Practitioner guidance
- Inventory every passwordless fallback path: Document where users can still authenticate through passwords, one-time codes, or alternate recovery flows, then assign an owner to remove or harden each path before broad rollout.
- Split BYOD from managed-device policy: Use different access conditions for personally owned devices and corporate endpoints so passkey acceptance, step-up, and deny logic reflect distinct risk tiers.
- Test legacy application compatibility early: Validate how on-premises applications behave when passwordless is enforced, including authentication redirects, session renewal, and exception handling for third-party users.
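The three guidance points above can be exercised against sign-in telemetry before policy is enforced. The following is an added example, not code from RSA Security or the bank; the JSON-lines log format, field names, application names and the tiering rules are constructed for illustration.

```python
"""Audit constructed sign-in events for lingering fallback paths, apply a
device-tiered passwordless decision, and flag apps that never see a passkey."""
import json
from collections import Counter

# Constructed sample telemetry (not real bank data); one JSON object per line.
SAMPLE_LOG = """
{"user": "u1", "app": "Payments-Web",  "method": "passkey",  "device": "managed"}
{"user": "u2", "app": "Payments-Web",  "method": "passkey",  "device": "byod"}
{"user": "u3", "app": "Legacy-Ledger", "method": "password", "device": "managed"}
{"user": "u4", "app": "Legacy-Ledger", "method": "otp",      "device": "byod"}
{"user": "u5", "app": "HR-Portal",     "method": "password", "device": "unknown"}
"""

# Methods that count as a fallback path needing an owner and a removal plan.
FALLBACK_METHODS = {"password", "otp", "recovery_code"}

def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def decide(event):
    """Tiered decision: managed endpoints and BYOD get different outcomes."""
    method, device = event["method"], event["device"]
    if method in FALLBACK_METHODS:
        # Fallback tolerated only on a controlled endpoint, and only with step-up.
        return "step_up" if device == "managed" else "deny"
    if method == "passkey":
        if device == "managed":
            return "allow"
        if device == "byod":
            return "step_up"   # credential lives on an uncontrolled endpoint
    return "deny"              # unknown device or unknown method

def fallback_inventory(events):
    """Count fallback sign-ins per (app, method) so each path can be assigned."""
    inv = Counter((e["app"], e["method"]) for e in events
                  if e["method"] in FALLBACK_METHODS)
    return dict(inv)

def legacy_candidates(events):
    """Apps with no passkey sign-ins at all: test these before enforcement."""
    passkey_apps = {e["app"] for e in events if e["method"] == "passkey"}
    return sorted({e["app"] for e in events} - passkey_apps)

def audit(events):
    """Summarise decisions, fallback paths and legacy candidates in one report."""
    return {"decisions": dict(Counter(decide(e) for e in events)),
            "fallbacks": fallback_inventory(events),
            "legacy_candidates": legacy_candidates(events)}
```

Run `audit(parse_log(SAMPLE_LOG))` to get the report; in practice the parser is the only part that changes when pointed at a real identity provider's export.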
What's in the full article
RSA Security's full report covers the operational detail this post intentionally leaves for the source:
- How the bank integrated passwordless authentication with Microsoft Entra ID across Windows, Mac, remote, and third-party access
- Implementation detail on RSA ID Plus with Passkeys, RSA Risk AI, and RSA Mobile Lock in a regulated banking environment
- The specific compliance, resiliency, and BYOD protection considerations that shaped the deployment decisions
- The bank's stated benefits and results in productivity, access consistency, and credential protection
Read RSA Security's analysis of hybrid passwordless authentication in banking for the full account.