Identity verification and passwordless adoption: what teams need now

TL;DR: Generative AI (53%) and agentic AI (45%) have overtaken stolen credentials as the top identity security concern, according to HYPR’s 2026 State of Passwordless Identity Assurance report, while passwordless adoption remains stalled at 43% and 87% of organisations have faced audio or video deepfake attacks. The security problem has shifted from login friction to industrialised impersonation, and identity assurance now has to cover the full lifecycle, not just the sign-in moment.

NHIMG editorial — based on content published by HYPR: 2026 State of Passwordless Identity Assurance Report

By the numbers:

• The majority of organizations 87% have encountered audio or video deepfakes in identity-based attacks.
• Despite passkey literacy surging to 64%, enterprise-wide adoption remains stalled at 43%.
• Identity impersonation incidents surged by 35%, with candidate fraud emerging as the second most prevalent threat after credential misuse.

Questions worth separating out

Q: How should security teams implement identity verification alongside passwordless authentication?

A: Use passwordless to remove reusable secrets, then add identity verification at the points where impersonation risk is highest, such as onboarding, recovery, and privileged approvals.

Q: Why do deepfakes create a new identity security problem even when passwordless is deployed?

A: Deepfakes attack the trust layer around the workflow, not just the login screen.

Q: What do organisations get wrong when they treat identity verification as a pilot project?

A: They usually limit it to a small set of users or high-visibility use cases and leave the rest of the enterprise on older, weaker processes.

Practitioner guidance

• Expand identity verification beyond executive-only workflows Apply stronger identity proofing to onboarding, account recovery, help desk resets, vendor changes, and other high-risk flows where impersonation produces outsized impact.
• Measure identity coverage across the full workforce Track whether passwordless and identity verification are deployed across all users, not just a pilot group or a few high-value personas, and close the remaining exception paths.
• Harden recovery and exception handling paths Add independent verification steps for high-risk requests so a synthetic voice, video, or social-engineering pretext cannot satisfy the workflow on its own.

What's in the full report

HYPR's full press release covers the survey framing and the market context this post intentionally leaves for the source:

• Survey methodology and respondent mix from more than 950 security and IT leaders.
• The full breakdown of how deepfake, phishing, and impersonation risks are changing identity priorities.
• Adoption detail on passwordless, passkeys, and identity verification by enterprise segment.
• The vendor's own explanation of how identity assurance is positioned across the employee lifecycle.

👉 Read HYPR's report on identity verification, passwordless adoption, and AI risk →

Identity verification and passwordless adoption: what teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →