Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password managers, passkeys, and 2FA: what should teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Password managers, unique machine-generated credentials, 2FA, and emerging passkeys remain the most practical baseline against AI-amplified phishing and credential reuse, while passkey portability and post-quantum readiness shape the next phase of account security, according to Bitwarden. The governance issue is not convenience but eliminating predictable identity failure modes before attackers automate them.

NHIMG editorial — based on content published by Bitwarden: practical steps for stronger password security, passkeys, and post-quantum readiness

Questions worth separating out

Q: How should organisations reduce password reuse across large user populations?

A: They should remove password creation from the user and make a password manager the default for generating, storing, and autofilling unique credentials.

Q: Why do passkeys matter if organisations still use passwords today?

A: Passkeys matter because they replace shared secrets with public-private key pairs, which removes a major phishing and credential-theft path.

Q: What do security teams get wrong about two-factor authentication?

A: They often treat SMS codes as equivalent to app-based authenticators, but they are not.

Practitioner guidance

  • Enforce password-manager adoption for high-volume users Require a password manager for employees who handle large account sets, and prohibit reuse or patterned passwords in policy and access reviews.
  • Require authenticator-app 2FA on critical accounts Make app-based TOTP the default for password managers, email, and other sensitive accounts.
  • Map recovery dependencies before expanding passwordless Document which accounts still depend on passwords, where passkeys can fall back to legacy authentication, and how device loss is handled.

What's in the full article

Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on choosing between password managers, passphrases, and memorised secrets for different account types
  • Practical discussion of passkey portability and what it means for cross-device identity recovery
  • More detail on the zero-knowledge vault model and how master-password recovery works in practice
  • The toolkit and product walk-through the article points readers to for immediate setup

👉 Read Bitwarden's practical guidance on password managers, passkeys, and 2FA →

Password managers, passkeys, and 2FA: what should teams change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Password security fails when organisations treat memorisation as a control. The article correctly separates human convenience from identity assurance. Once users manage dozens or hundreds of logins, predictable passwords and reuse become structural weaknesses that attackers can automate against at scale. The practical conclusion for IAM programmes is that quality credentials must be generated and governed, not merely advised.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should own passkey recovery and fallback access controls?

A: Identity, security, and support teams should own them together because recovery is part of the authentication lifecycle. If device loss, account recovery, or fallback passwords are not governed, passwordless adoption simply shifts the risk from login theft to operational lockout or weak recovery paths.

👉 Read our full editorial: Password managers and passkeys are changing account security



   
ReplyQuote
Share: