Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Hybrid passwordless authentication: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A major US bank used hybrid passwordless authentication across Windows, Mac, remote, third-party, and BYOD users to strengthen access security and compliance while preserving legacy app access, according to RSA Security. The case shows that passwordless only reduces risk when it is paired with device-aware controls, legacy coverage, and identity governance.

NHIMG editorial — based on content published by RSA Security: Large US Bank Adopts Hybrid Passwordless Authentication to Transform Identity Security

Questions worth separating out

Q: How should security teams roll out passwordless authentication in hybrid environments?

A: Security teams should roll out passwordless by inventorying application compatibility, device trust, and fallback authentication before enforcing policy broadly.

Q: Why do BYOD devices change the risk profile of passwordless authentication?

A: BYOD changes the risk profile because the credential is no longer protected by a fully controlled endpoint.

Q: What do organisations get wrong about hybrid passwordless programmes?

A: They often treat passwordless as a login project instead of an identity governance change.

Practitioner guidance

  • Inventory every passwordless fallback path Document where users can still authenticate through passwords, one-time codes, or alternate recovery flows, then assign an owner to remove or harden each path before broad rollout.
  • Split BYOD from managed-device policy Use different access conditions for personally owned devices and corporate endpoints so passkey acceptance, step-up, and deny logic reflect distinct risk tiers.
  • Test legacy application compatibility early Validate how on-premises applications behave when passwordless is enforced, including authentication redirects, session renewal, and exception handling for third-party users.

What's in the full article

RSA Security's full report covers the operational detail this post intentionally leaves for the source:

  • How the bank integrated passwordless authentication with Microsoft Entra ID across Windows, Mac, remote, and third-party access
  • Implementation detail on RSA ID Plus with Passkeys, RSA Risk AI, and RSA Mobile Lock in a regulated banking environment
  • The specific compliance, resiliency, and BYOD protection considerations that shaped the deployment decisions
  • The bank's stated benefits and results in productivity, access consistency, and credential protection

👉 Read RSA Security's analysis of hybrid passwordless authentication in banking →

Hybrid passwordless authentication: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passwordless only improves identity security when the control model survives the edge cases. The bank case is not a simple authentication upgrade story. It is a reminder that passwordless succeeds only when legacy apps, third-party access, and BYOD users are all covered without creating exception pathways that reintroduce weak authentication.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • The same report found that 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.

A question worth separating out:

Q: Who should own the controls around adaptive authentication decisions?

A: Identity security, IAM architecture, and compliance teams should share ownership, because adaptive authentication affects both access policy and audit evidence. The control needs clear decision criteria, defined escalation paths, and evidence that the policy behaves predictably under operational stress.

👉 Read our full editorial: Hybrid passwordless authentication raises the bar for identity security



   
ReplyQuote
Share: