Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passwordless rollout at scale: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: RSA’s case study shows that passwordless adoption at enterprise scale depends less on the authenticator itself than on platform architecture, recovery design, redundancy, and behaviour change, with a 3x usage lift when urgency and social proof were combined. The real security issue is not passkey support but whether IAM programmes can remove password dependencies without creating new recovery and usability failure points.

NHIMG editorial — based on content published by RSA Security: Deploying FIDO and Passwordless Solutions at Scale

Questions worth separating out

Q: How should security teams roll out passwordless authentication without causing lockouts?

A: Start by removing password dependencies from enrollment, recovery, and policy exceptions, then require at least two independent authentication methods for users who cannot tolerate downtime.

Q: Why do passwordless programmes fail even when passkey technology works?

A: They fail when the surrounding identity architecture still depends on passwords or shared secrets, especially in recovery and help desk verification.

Q: What do IAM teams get wrong about passwordless adoption?

A: They often treat passwordless as a technical launch instead of a governed transition.

Practitioner guidance

  • Remove password dependencies from recovery paths Review enrollment, help desk verification, policy exceptions, and account recovery to ensure no shared-secret step remains as the default fallback.
  • Require multiple registered authenticators Set a policy that users should have at least two usable authentication methods where operational continuity matters, and test what happens when one device is lost or one method is unavailable.
  • Sequence rollout by user readiness Start with lower-stakes applications and existing mobile authentication footholds before mandating passwordless for high-value systems.

What's in the full article

RSA Security's full case study covers the operational detail this post intentionally leaves for the source:

  • The internal rollout sequence RSA used to move from voluntary use to mandatory passwordless adoption
  • Examples of the documentation and employee education materials used to explain passkeys to non-technical users
  • Details of the device-bound passkey combinations RSA used for different user groups and recovery scenarios
  • The specific legacy systems and edge cases RSA still has to resolve as part of the broader programme

👉 Read RSA Security's case study on deploying FIDO and passwordless at scale →

Passwordless rollout at scale: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Passwordless is an identity architecture problem before it is an authentication problem. The vendor’s case study shows that removing the password from the login screen is not enough if enrollment, recovery, and policy enforcement still depend on password-era assumptions. The important question is whether the organisation has removed the weak links from the identity chain or simply moved them elsewhere. Practitioners should treat passwordless as a programme design issue, not a point solution.

A few things that frame the scale:

  • From our research: 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: How do you know if passwordless authentication is actually working?

A: Look for sustained usage, low fallback-to-password rates, and successful recovery events that do not reintroduce shared secrets. Registration alone is not enough. If employees keep avoiding the primary method or the help desk keeps handling exceptions manually, the programme has not matured beyond pilot behaviour.

👉 Read our full editorial: Passwordless authentication at scale exposes the real IAM rollout gap



   
ReplyQuote
Share: