
Passwordless rollout at scale: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7677
Topic starter  

TL;DR: RSA’s case study shows that passwordless adoption at enterprise scale depends less on the authenticator itself than on platform architecture, recovery design, redundancy, and behaviour change, with a 3x usage lift when urgency and social proof were combined. The real security issue is not passkey support but whether IAM programmes can remove password dependencies without creating new recovery and usability failure points.

NHIMG editorial — based on content published by RSA Security: Deploying FIDO and Passwordless Solutions at Scale

Questions worth separating out

Q: How should security teams roll out passwordless authentication without causing lockouts?

A: Start by removing password dependencies from enrollment, recovery, and policy exceptions, then require at least two independent authentication methods for users who cannot tolerate downtime.

Q: Why do passwordless programmes fail even when passkey technology works?

A: They fail when the surrounding identity architecture still depends on passwords or shared secrets, especially in recovery and help desk verification.

Q: What do IAM teams get wrong about passwordless adoption?

A: They often treat passwordless as a technical launch instead of a governed transition.

Practitioner guidance

  • Remove password dependencies from recovery paths: Review enrollment, help desk verification, policy exceptions, and account recovery to ensure no shared-secret step remains as the default fallback.
  • Require multiple registered authenticators: Set a policy that users should have at least two usable authentication methods where operational continuity matters, and test what happens when one device is lost or one method is unavailable.
  • Sequence rollout by user readiness: Start with lower-stakes applications and existing mobile authentication footholds before mandating passwordless for high-value systems.
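The first two points above are checkable before a mandate goes live. The following is an added example, not code from the NHIMG post or from RSA's case study: a small lockout-risk audit over constructed user records. It flags users whose default recovery path still rests on a shared secret, users with no passwordless method at all, and users who would be locked out if any single device were lost (two passkeys on the same phone count as one device, not two independent methods). The record fields, the set of methods treated as shared secrets, and the sample users are assumptions for illustration.

```python
from dataclasses import dataclass

# Methods treated as shared secrets for this audit (an assumption; adjust to local policy).
SHARED_SECRET_METHODS = {"password", "security_questions", "sms_otp"}


@dataclass(frozen=True)
class Authenticator:
    kind: str    # e.g. "passkey", "fido2_key", "push_otp", "password"
    device: str  # a loss event removes every method bound to this device


@dataclass
class User:
    name: str
    authenticators: list
    recovery_fallback: str    # the default recovery path, e.g. "help_desk_verified_passkey"
    needs_continuity: bool = True


def passwordless_methods(user):
    """Authenticators that are not shared secrets."""
    return [a for a in user.authenticators if a.kind not in SHARED_SECRET_METHODS]


def independent_devices(user):
    """Distinct devices carrying a passwordless method; two passkeys on one phone count once."""
    return {a.device for a in passwordless_methods(user)}


def lockout_on_loss(user):
    """Devices whose loss would leave the user with no passwordless method at all."""
    devices = independent_devices(user)
    return sorted(d for d in devices if not (devices - {d}))


def audit(users):
    """Map each user name to the policy findings that would matter before mandating passwordless."""
    findings = {}
    for u in users:
        issues = []
        if u.recovery_fallback in SHARED_SECRET_METHODS:
            issues.append(f"recovery falls back to shared secret ({u.recovery_fallback})")
        if not passwordless_methods(u):
            issues.append("no passwordless method enrolled")
        elif u.needs_continuity:
            for d in lockout_on_loss(u):
                issues.append(f"loss of device {d} would lock the user out")
        findings[u.name] = issues
    return findings


# Constructed sample records (hypothetical users, not real data).
SAMPLE_USERS = [
    User("alice", [Authenticator("passkey", "phone-1"), Authenticator("fido2_key", "yubikey-1")],
         recovery_fallback="help_desk_verified_passkey"),
    User("bob", [Authenticator("passkey", "laptop-1"), Authenticator("passkey", "laptop-1")],
         recovery_fallback="password"),
    User("carol", [Authenticator("password", "n/a")],
         recovery_fallback="security_questions", needs_continuity=False),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_USERS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against an export of your identity provider's enrollment data and the `lockout_on_loss` results give you the list of users to contact before the mandate date, while the recovery-fallback findings show where help desk procedures still reintroduce a password.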

What's in the full article

RSA Security's full case study covers the operational detail this post intentionally leaves for the source:

  • The internal rollout sequence RSA used to move from voluntary use to mandatory passwordless adoption
  • Examples of the documentation and employee education materials used to explain passkeys to non-technical users
  • Details of the device-bound passkey combinations RSA used for different user groups and recovery scenarios
  • The specific legacy systems and edge cases RSA still has to resolve as part of the broader programme

👉 Read RSA Security's case study on deploying FIDO and passwordless at scale →
