
Passwordless access and MFA fatigue: what IAM teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Human error still drives a large share of breaches, with IBM cited in the source article saying 90% of successful cyberattacks and 70% of data breaches originate at endpoint devices. Imprivata’s argument is that passwordless authentication, single sign-on, and automated credential rotation reduce risky workarounds by removing friction rather than relying on better user discipline.

NHIMG editorial — based on content published by Imprivata: As Employees Remain the Weakest Link, Experts Say It’s Time to Eliminate Passwords

By the numbers:

Questions worth separating out

Q: How should organisations reduce password-related risk without slowing employees down?

A: Use passwordless authentication for the highest-friction access points, then layer SSO and automated secret rotation where users still interact with shared or operational credentials.

Q: Why do complex password policies often fail in real workplaces?

A: They fail because complexity does not eliminate human behaviour; it often increases the chance of workarounds such as reuse, shared sign-ins, or sticky sessions on shared devices.

Q: How do teams know whether passwordless access is actually improving security?

A: Look for fewer password resets, fewer help desk tickets, fewer shared logins, and less session reuse on common devices.

Practitioner guidance

  • Replace password-heavy workflows with passwordless access: start with the most repetitive, high-friction login paths in frontline and shift-based environments, then measure whether password resets, help desk calls, and unsafe sign-in workarounds decline.
  • Use single sign-on to cut repeated authentication prompts: reduce the number of independent logins employees face across core applications so they are less likely to reuse credentials, share sessions, or leave devices signed in.
  • Automate credential rotation for shared access paths: prioritise credentials used on shared workstations, mobile devices, and high-turnover operational systems so manual secret handling does not become the weakest point in the access chain.

What's in the full article

Imprivata's full article covers the practical access-design argument this post intentionally leaves at a higher level:

  • Why passwordless login reduces friction in fast-paced operational settings where repeated authentication drives workarounds
  • How automated credential rotation changes accountability for shared devices and shared access paths
  • Why single sign-on can improve both usability and visibility without asking employees to manage more passwords
  • How the article frames secure access as a human-performance problem rather than a training problem

👉 Read Imprivata's article on passwordless authentication and secure access →




   
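The post answers "how do teams know whether passwordless access is actually improving security" with a list of signals (fewer password resets, fewer shared logins, less session reuse on common devices) but does not show how to pull them out of authentication logs. The script below is an added example, not code from the Imprivata article or from the post above. It runs over constructed sample log lines (not real data) in a simplified one-event-per-line format; the event names (`login`, `logout`, `activity`, `badge_out`, `password_reset`), the field layout and the idea that a physical badge-out is logged alongside workstation sessions are all assumptions chosen for illustration. Help desk tickets are left out because they live in a different system. Two signals are modelled: a shared-login indicator (an account opening a second session on another device while the first is still open, with no logout in between) and a session-reuse indicator (activity on an account's session after that account's owner has badged out of the unit, i.e. someone else is working under a session that was left signed in).

```python
"""Workaround metrics from constructed authentication log lines (added example).

Format, one event per line:  <ISO timestamp> <event> <user> <device>
Events (assumed names): login, logout, activity (app use under the open
session), badge_out (user physically left the unit; device is '-'),
password_reset (device is '-').
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: the password-era baseline window. Lines are deliberately
# not in time order so the parser has to sort them.
BEFORE_LOG = """\
2024-03-04T06:55:00 login nurse01 WS-ICU-1
2024-03-04T07:10:00 login nurse01 WS-ICU-3
2024-03-04T07:12:00 activity nurse01 WS-ICU-3
2024-03-04T07:20:00 logout nurse01 WS-ICU-3
2024-03-04T07:25:00 logout nurse01 WS-ICU-1
2024-03-04T07:30:00 password_reset nurse07 -
2024-03-04T07:00:00 login nurse02 WS-ICU-2
2024-03-04T18:50:00 badge_out nurse02 -
2024-03-04T19:05:00 activity nurse02 WS-ICU-2
2024-03-04T19:40:00 activity nurse02 WS-ICU-2
2024-03-04T21:00:00 logout nurse02 WS-ICU-2
2024-03-04T08:00:00 login nurse04 WS-ED-1
2024-03-04T12:00:00 logout nurse04 WS-ED-1
2024-03-04T13:00:00 password_reset nurse04 -
"""

# Constructed sample: a window after rollout, where roaming ends the first
# session before the next one opens and nobody keeps a session past badge-out.
AFTER_LOG = """\
2024-04-08T06:55:00 login nurse01 WS-ICU-1
2024-04-08T07:09:00 logout nurse01 WS-ICU-1
2024-04-08T07:10:00 login nurse01 WS-ICU-3
2024-04-08T07:20:00 logout nurse01 WS-ICU-3
2024-04-08T07:00:00 login nurse02 WS-ICU-2
2024-04-08T18:45:00 logout nurse02 WS-ICU-2
2024-04-08T18:50:00 badge_out nurse02 -
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    device: str


@dataclass
class Metrics:
    password_resets: int = 0
    # (user, device already holding an open session, device of the new login)
    overlapping_sessions: list[tuple[str, str, str]] = field(default_factory=list)
    # (user, device) sessions that kept seeing activity after the owner badged out
    reused_sessions: list[tuple[str, str]] = field(default_factory=list)


def parse_log(text: str) -> list[Event]:
    """Parse the assumed line format and return events in time order."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, user, device))
    events.sort(key=lambda e: e.ts)
    return events


def workaround_metrics(events: list[Event]) -> Metrics:
    """Replay the events and collect the workaround signals named in the post."""
    m = Metrics()
    open_sessions: dict[str, set[str]] = defaultdict(set)  # user -> devices with an open session
    left_unit: set[str] = set()          # users who badged out while still signed in somewhere
    flagged: set[tuple[str, str]] = set()  # (user, device) already counted as reused
    for e in events:
        if e.kind == "password_reset":
            m.password_resets += 1
        elif e.kind == "login":
            # A second concurrent session on a different device, with no logout
            # of the first, is the shared-login / left-signed-in indicator.
            for dev in sorted(open_sessions[e.user]):
                if dev != e.device:
                    m.overlapping_sessions.append((e.user, dev, e.device))
            open_sessions[e.user].add(e.device)
            left_unit.discard(e.user)  # the owner is evidently back
        elif e.kind == "logout":
            open_sessions[e.user].discard(e.device)
            flagged.discard((e.user, e.device))
        elif e.kind == "badge_out":
            if open_sessions[e.user]:
                left_unit.add(e.user)
        elif e.kind == "activity":
            # Work under a session whose owner has left the unit: someone else
            # is using it, so count the session once as reused.
            key = (e.user, e.device)
            if e.user in left_unit and e.device in open_sessions[e.user] and key not in flagged:
                flagged.add(key)
                m.reused_sessions.append(key)
    return m


def summarize(log_text: str) -> dict:
    """Headline numbers an IAM team can compare between two rollout windows."""
    events = parse_log(log_text)
    m = workaround_metrics(events)
    return {
        "logins": sum(1 for e in events if e.kind == "login"),
        "password_resets": m.password_resets,
        "shared_login_users": sorted({u for u, _, _ in m.overlapping_sessions}),
        "reused_sessions": len(m.reused_sessions),
    }


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, summarize(log))
```

The overlap signal needs one caveat when read against a roaming deployment: if the platform locks or ends the first session when the user taps onto a second workstation, that shows up as a logout and is not counted; only an overlap with no intervening logout is flagged. The reuse signal depends on having a physical badge-out (or time-clock) event to join against, which is an assumption of this example rather than something the post describes.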
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Passwordless access is a human IAM control, but its governance value extends into broader identity hygiene. When users stop working around password friction, organisations reduce the behavioural pressure that often spills into credential reuse, shared sign-ins, and unsafe session handling. That is not just a user-experience improvement. It is a structural reduction in avoidable identity risk, especially in operational environments where access speed and safety are both non-negotiable. Practitioners should treat friction as a security variable, not only an adoption metric.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%.

A question worth separating out:

Q: Who is accountable when employees use unsafe access workarounds?

A: Accountability sits with the programme that designed the workflow, not only with the employee who took the shortcut. IAM, security architecture, and operations teams all influence whether secure access is practical under real workload pressure. Frameworks such as NIST Cybersecurity Framework 2.0 emphasise that governance must make the secure path sustainable.

👉 Read our full editorial: Passwords, user friction and human IAM risk in fast-paced environments



   