TL;DR: Human error remains a major breach driver. IBM’s Cost of a Data Breach Report, as cited in the article, says 90% of successful cyberattacks and 70% of data breaches originate at endpoint devices, often through pressure-driven workarounds. Passwordless authentication, automated credential rotation, and single sign-on reduce friction, but the deeper lesson is that access design must assume people will take shortcuts when systems remain too cumbersome.
NHIMG editorial — based on content published by Imprivata: As Employees Remain the Weakest Link, Experts Say It’s Time to Eliminate Passwords
By the numbers:
- 90% of successful cyberattacks and 70% of data breaches originate at endpoint devices.
Questions worth separating out
Q: How should security teams implement passwordless authentication in high-friction environments?
A: Start where password fatigue is most operationally visible, such as shared devices, frontline teams, and shift-based work.
Q: Why do complex login processes increase human identity risk?
A: Complex login processes increase risk because users respond to friction with shortcuts, including credential reuse, shared access, and persistent sessions on common devices.
Q: What breaks when credential rotation is not tied to identity lifecycle events?
A: Rotation loses much of its value when passwords or secrets remain active after role changes, device changes, or access recovery events.
Practitioner guidance
- Prioritise passwordless for the most friction-heavy user groups: start with frontline teams, shared-workstation users, and shift workers, where password reuse and session carryover are most likely.
- Tie credential rotation to identity lifecycle events: automate rotation after role changes, device changes, access recovery, and account-sharing exceptions.
- Review shared-device session controls: enforce logout behaviour, idle timeout, and session isolation on devices that move between users or shifts.
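The second and third guidance items above describe two controls that are easy to state and easy to get wrong in practice: rotation that fires on lifecycle events rather than only on a calendar, and shared-device sessions that are torn down on user switch and on idle. The following is an added illustrative model, not code from Imprivata or from the source article. The event names, the 90-day age limit, the 5-minute idle timeout and the "nurse-a"/"nurse-b" scenario are constructed assumptions chosen to match the frontline, shared-workstation setting the page discusses.

```python
"""Event-driven credential rotation and shared-device session isolation (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Lifecycle events that force a rotation. Assumed policy mirroring the guidance list;
# a real deployment would source these from the IdP's event stream.
ROTATION_TRIGGERS = {"role_change", "device_change", "access_recovery", "sharing_exception"}


@dataclass
class Credential:
    subject: str
    version: int
    issued_at: datetime


class RotationPolicy:
    """Rotates a subject's credential on lifecycle events and when it exceeds max_age."""

    def __init__(self, max_age: timedelta) -> None:
        self.max_age = max_age
        self._creds: dict[str, Credential] = {}
        self.audit: list[str] = []  # append-only record of every rotation

    def issue(self, subject: str, now: datetime) -> Credential:
        prev = self._creds.get(subject)
        cred = Credential(subject, (prev.version + 1) if prev else 1, now)
        self._creds[subject] = cred
        self.audit.append(f"{now.isoformat()} rotate {subject} -> v{cred.version}")
        return cred

    def current(self, subject: str) -> Optional[Credential]:
        return self._creds.get(subject)

    def on_event(self, subject: str, event: str, now: datetime) -> bool:
        """Return True if the lifecycle event forced a rotation for this subject."""
        if event not in ROTATION_TRIGGERS or subject not in self._creds:
            return False
        self.issue(subject, now)
        return True

    def is_stale(self, subject: str, now: datetime) -> bool:
        """Age-based check: the backstop for subjects with no recent lifecycle event."""
        cred = self._creds.get(subject)
        return cred is None or now - cred.issued_at > self.max_age


class SharedDeviceSession:
    """One workstation that moves between users; enforces isolation and idle timeout."""

    def __init__(self, idle_timeout: timedelta) -> None:
        self.idle_timeout = idle_timeout
        self.user: Optional[str] = None
        self.last_activity: Optional[datetime] = None
        self.audit: list[str] = []

    def login(self, user: str, now: datetime) -> None:
        # Session isolation: a new user never inherits the previous user's session,
        # even when the previous user walked away without logging out.
        if self.user is not None:
            self.logout(now, reason="user_switch")
        self.user, self.last_activity = user, now
        self.audit.append(f"{now.isoformat()} login {user}")

    def logout(self, now: datetime, reason: str = "explicit") -> None:
        if self.user is not None:
            self.audit.append(f"{now.isoformat()} logout {self.user} ({reason})")
        self.user, self.last_activity = None, None

    def touch(self, now: datetime) -> bool:
        """Record activity; ends the session and returns False once idle_timeout has elapsed."""
        if self.user is None or self.last_activity is None:
            return False
        if now - self.last_activity > self.idle_timeout:
            self.logout(now, reason="idle_timeout")
            return False
        self.last_activity = now
        return True


def demo() -> dict:
    """Constructed scenario: a role change and a shift handoff on a shared workstation."""
    t0 = datetime(2024, 1, 1, 8, 0)
    policy = RotationPolicy(max_age=timedelta(days=90))
    policy.issue("nurse-a", t0)
    rotated = policy.on_event("nurse-a", "role_change", t0 + timedelta(hours=1))
    ignored = policy.on_event("nurse-a", "profile_viewed", t0 + timedelta(hours=2))

    ws = SharedDeviceSession(idle_timeout=timedelta(minutes=5))
    ws.login("nurse-a", t0)
    ws.login("nurse-b", t0 + timedelta(minutes=1))  # handoff without explicit logout
    active_before_timeout = ws.touch(t0 + timedelta(minutes=3))
    active_after_idle = ws.touch(t0 + timedelta(minutes=20))
    return {
        "version": policy.current("nurse-a").version,
        "rotated_on_role_change": rotated,
        "rotated_on_unlisted_event": ignored,
        "stale_after_a_year": policy.is_stale("nurse-a", t0 + timedelta(days=365)),
        "active_before_timeout": active_before_timeout,
        "active_after_idle": active_after_idle,
        "user_switch_logged": any("user_switch" in line for line in ws.audit),
        "session_user_now": ws.user,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two audit lists are the point for a detection team: a rotation that never appears after a role change, or a shared workstation whose log shows consecutive logins with no intervening logout, is exactly the gap the guidance warns about.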
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The article’s framing of password fatigue in clinical and frontline workflows, including why shared-device behaviour matters in practice.
- The specific access simplification examples the source uses to connect passwordless login to reduced friction and better accountability.
- Imprivata’s own explanation of how passwordless authentication and automated credential rotation are positioned together.
- The source article’s closing argument for designing access around human error rather than expecting users to eliminate it.
👉 Read Imprivata's article on eliminating passwords and reducing access friction →
Password fatigue and secure access design: what IAM teams should change
Explore further
Password fatigue is a governance failure, not just a user-experience issue. When people are forced to balance speed against security, they will predictably choose convenience, and that behaviour becomes part of the attack surface. This is especially true in shift-based environments where shared devices and rapid handoffs are normal. The implication is that IAM design must measure friction as a security variable, not treat it as a secondary usability concern.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how weak identity visibility often becomes a governance issue before it becomes a technical one.
A question worth separating out:
Q: Who is accountable when passwordless access still leaves shared-session risk in place?
A: Identity, endpoint, and application owners all share accountability when passwordless is deployed without session isolation. The authentication method may improve, but if logout behaviour, idle timeouts, and app-level session handling remain weak, the organisation still owns the resulting access exposure.
👉 Read our full editorial: Passwordless access and credential rotation reduce human IAM risk