
Passwordless authentication: what it means for IAM and access teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter

TL;DR: Passwordless authentication is gaining momentum because FIDO-style passkeys and cryptographic credentials can reduce phishing risk, password resets, and user friction while improving sign-in success, according to Imprivata. The IAM question is no longer whether passwords are weak, but how to migrate identity controls without breaking workflow, assurance, or lifecycle governance.

NHIMG editorial — based on content published by Imprivata: passwordless authentication and the FIDO Alliance's role in reducing password reliance

By the numbers:

Questions worth separating out

Q: How should organisations roll out passwordless authentication without breaking access recovery?

A: Start with high-assurance users and a narrow application set, then expand only after recovery, device binding, and step-up verification are documented.

Q: Why do passwords still create so much identity risk in modern environments?

A: Passwords remain risky because they are reusable, easy to phish, and often tied to inconsistent user behaviour across many accounts.

Q: What should security teams measure after introducing passwordless sign-in?

A: Track password reset volume, sign-in success, account recovery events, and help-desk load.

Practitioner guidance

  • Prioritise phishing-resistant sign-in for high-risk users: start with administrators, finance users, clinicians, and other high-value accounts where credential theft has outsized impact.
  • Redesign recovery before removing passwords: document every fallback path, including help-desk resets, lost-device flows, and step-up verification after enrolment.
  • Align passwordless with SSO and MFA policy: treat passwordless as part of the broader authentication stack so policy remains consistent across applications, session length, and step-up triggers.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The article's practical framing of passwordless benefits for healthcare-style workflows and everyday user access.
  • Specific examples of passwordless methods, including badge tap authentication, phone tokens, and biometrics.
  • The source's staged view of how organisations can move toward no-password authentication without forcing a single cutover.
  • The article's explanation of why passwordless can improve user experience as well as security.

👉 Read Imprivata's article on passwordless authentication and FIDO →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 918

Passwordless is a human IAM control shift, not just an authentication upgrade. The article correctly frames passwords as a source of friction, reset cost, and phishing exposure, but the deeper change is in how identity assurance is established. Moving from shared secrets to passkeys changes the control surface for sign-in, recovery, and step-up verification. Practitioners should treat this as an authentication governance redesign, not a cosmetic login update.

Passwordless adoption should be read as an access assurance programme, not a user-experience project. When password resets and phishing incidents dominate support and incident queues, the organisation is signalling that shared-secret authentication has outlived its control value.

A question worth separating out:

Q: How does passwordless differ from adding more MFA factors?

A: Passwordless replaces the password as the primary secret, while MFA usually adds a second factor on top of password-based login. That difference matters because passwordless removes the most phishable credential from the flow. Teams should use it where they need stronger assurance and less user friction, not as a cosmetic layer on top of weak authentication.

👉 Read our full editorial: Passwordless authentication and FIDO Alliance governance for IAM teams
