TL;DR: Gartner research says most organisations are not trying to eliminate passwords immediately, but to reduce dependency through phased adoption that balances security, usability, and operations. A passwordless programme only works when teams treat authentication as a migration path, not a single product change.
NHIMG editorial — based on content published by SSH Communications Security: passwordless authentication and phased IAM adoption
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should organisations phase in passwordless authentication without disrupting access?
A: Start by inventorying every place a password is still used, including recovery and support paths.
Q: Why do passwordless projects still fail if passwords are removed from the main login screen?
A: Because the main login is only one part of the authentication surface.
Q: What do IAM teams get wrong about passwordless adoption?
A: They often treat it as a product rollout instead of an operating-model change.
Practitioner guidance
- Map password dependencies across the full authentication journey: document where passwords still exist in primary login, step-up flows, recovery, device replacement, and help desk processes.
- Prioritise high-friction and high-risk use cases first: start with user populations and applications where password resets, phishing exposure, or access friction are highest.
- Set explicit policy boundaries for hybrid authentication: define where passwordless is required, where passwords remain permitted, and which applications must never fall back to legacy methods without additional assurance.
What's in the full article
SSH Communications Security's full analysis covers the operational detail this post intentionally leaves for the source:
- A phased passwordless adoption approach that shows where to start and how to expand without forcing a big-bang migration.
- Practical guidance on balancing security, usability, and operational realities across mixed authentication states.
- Discussion of user behaviour, stakeholder engagement, and feedback loops that affect adoption success.
- The source's framing on why passwordless is an ongoing strategy rather than a one-time project.
👉 Read SSH Communications Security's analysis of phased passwordless adoption →
Passwordless authentication: what IAM teams should phase first?
Explore further
Passwordless adoption is an IAM migration problem before it is an authentication feature problem. The article points to a phased transition because most organisations cannot remove passwords everywhere at once. That means the real governance task is sequencing, exception handling, and assurance consistency across mixed methods. Teams should treat passwordless as a change in identity operating model, not a checkbox on the login screen.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How do you know a passwordless programme is actually working?
A: Look for reduced password reset volume, lower dependence on fallback authentication, stable access success rates, and fewer support exceptions in high-risk journeys. If users keep reverting to legacy methods or recovery becomes the primary entry point, the programme has not reduced dependency in a meaningful way.
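The health signals above, and the "must never fall back without additional assurance" boundary from the practitioner guidance, can be checked against authentication logs. The script below is an added illustration, not code from NHIMG or SSH Communications Security; the event fields, the legacy-method set, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not taken from the article).
# method: the credential actually used; "password" is a legacy fallback.
# recovery: the login entered through an account-recovery path.
# stepup: additional assurance was applied on top of a legacy login.
EVENTS = [
    {"user": "u1", "app": "payroll", "method": "passkey",  "recovery": False, "stepup": False},
    {"user": "u2", "app": "payroll", "method": "passkey",  "recovery": False, "stepup": False},
    {"user": "u3", "app": "payroll", "method": "password", "recovery": False, "stepup": True},
    {"user": "u4", "app": "payroll", "method": "password", "recovery": False, "stepup": False},
    {"user": "u1", "app": "wiki",    "method": "password", "recovery": True,  "stepup": False},
    {"user": "u2", "app": "wiki",    "method": "password", "recovery": True,  "stepup": False},
    {"user": "u3", "app": "wiki",    "method": "passkey",  "recovery": False, "stepup": False},
]

LEGACY_METHODS = {"password", "sms_otp"}  # assumed: methods counted as fallback


def assess(events, strict_apps, fallback_limit=0.25, recovery_limit=0.5):
    """Per-app signals: fallback dependency, recovery as the primary entry point,
    and legacy logins on apps that require extra assurance for any fallback."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    report = {}
    for app, evs in by_app.items():
        n = len(evs)
        fallback = sum(e["method"] in LEGACY_METHODS for e in evs)
        recovery = sum(e["recovery"] for e in evs)
        # Policy boundary: a strict app may accept a legacy method only with step-up.
        violations = [e["user"] for e in evs
                      if app in strict_apps and e["method"] in LEGACY_METHODS
                      and not e["stepup"]]
        flags = []
        if fallback / n > fallback_limit:
            flags.append("fallback_dependency")
        if recovery / n > recovery_limit:
            flags.append("recovery_is_primary_entry")
        if violations:
            flags.append("policy_violation")
        report[app] = {"logins": n, "fallback_rate": round(fallback / n, 2),
                       "recovery_rate": round(recovery / n, 2),
                       "violations": violations, "flags": flags}
    return report


if __name__ == "__main__":
    for app, result in assess(EVENTS, {"payroll"}).items():
        print(app, result)
```

On the constructed data, "payroll" is flagged for fallback dependency and for a legacy login without step-up, while "wiki" shows recovery acting as the main way in.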
👉 Read our full editorial: Passwordless authentication needs a phased IAM migration, not a big bang