TL;DR: Passwordless identity can reduce password reuse, phishing exposure, and day-to-day friction for field technicians, contractors, and maintenance crews in critical infrastructure, but RSA Security’s analysis makes clear that access still needs strong privilege controls, Zero Trust alignment, and continuous review. Eliminating passwords changes the authentication surface, not the governance burden.
NHIMG editorial — based on content published by RSA Security: Passwordless Identity and Workforce Challenges for Critical Infrastructure
Questions worth separating out
Q: How should security teams deploy passwordless identity in critical infrastructure?
A: Use passwordless as the authentication layer, then bind it to least privilege, step-up policy, and strong recovery controls.
Q: Why do passwordless programmes still need access governance?
A: Because removing passwords does not remove entitlement risk.
Q: What breaks when passwordless access is rolled out without least privilege?
A: The programme can become easier to use without becoming safer.
Practitioner guidance
- Tie passwordless enrolment to verified identity proofing: Require strong enrolment controls for employees, contractors, and field staff before passwordless credentials are issued.
- Constrain operational access with least privilege: Map passwordless sign-in to narrowly scoped entitlements for maintenance, support, and emergency tasks.
- Align passwordless access with Zero Trust policy: Use device posture, location, and task context to decide whether access is allowed, limited, or stepped up.
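The three guidance points above combined into one access decision, with a simple entitlement review alongside. This is an added example, not code from RSA Security's article or from NHIMG; the role names, task names, signal fields, and the rules for when access is limited or stepped up are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed entitlement map; role and task names are hypothetical.
ENTITLEMENTS = {
    "field_technician": {"read_telemetry", "reset_sensor"},
    "contractor": {"read_telemetry"},
    "maintenance_lead": {"read_telemetry", "reset_sensor", "update_firmware"},
}
READ_ONLY = {"read_telemetry"}     # safe to offer in a limited session
HIGH_IMPACT = {"update_firmware"}  # always requires step-up

@dataclass
class Request:
    role: str
    task: str
    identity_proofed: bool     # credential was enrolled after identity proofing
    device_compliant: bool     # device posture signal
    on_site: bool              # location signal
    stepped_up: bool = False   # a fresh step-up verification was completed

def decide(req: Request) -> str:
    """Return 'deny', 'limited', 'step_up' or 'allow' for one request."""
    # Enrolment: a passwordless credential issued without proofing is not trusted.
    if not req.identity_proofed:
        return "deny"
    # Least privilege: successful sign-in grants only the role's scoped tasks.
    if req.task not in ENTITLEMENTS.get(req.role, set()):
        return "deny"
    # Zero Trust context: weak device posture narrows access to read-only tasks.
    if not req.device_compliant:
        return "limited" if req.task in READ_ONLY else "deny"
    # High-impact or off-site work needs step-up before it is allowed.
    if (req.task in HIGH_IMPACT or not req.on_site) and not req.stepped_up:
        return "step_up"
    return "allow"

def unused_entitlements(used: dict) -> dict:
    """Access review: entitlements each role holds but never exercised."""
    return {role: sorted(tasks - used.get(role, set()))
            for role, tasks in ENTITLEMENTS.items()
            if tasks - used.get(role, set())}
```

The authentication result never appears as an input to `decide` on its own: a valid passwordless sign-in is assumed, and every outcome is driven by proofing, entitlement, and context.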
What's in the full article
RSA Security's full blog covers the operational detail this post intentionally leaves for the source:
- Practical examples of how passwordless identity supports field technicians, maintenance crews, and contractors in critical infrastructure
- RSA Security's framing of passwordless alongside Zero Trust and risk-adaptive access decisions for operational environments
- The source article's discussion of insider threat reduction, training, and privilege management in workforce identity programmes
- The article's sector context across energy, transportation, and healthcare, which helps practitioners map the model to their own environment