They fail when organisations eliminate passwords but keep weak identity proofing and recovery. In that case, an attacker can still gain a valid credential through insecure enrollment, social engineering, or account recovery abuse. The risk moves from password theft to identity issuance failure, which is often harder to detect.
Why This Matters for Security Teams
passwordless authentication removes one control, not the full identity attack surface. If enrollment, recovery, device binding, or help desk verification are weak, attackers simply shift from stealing passwords to stealing issuance paths. That is why passwordless programs still suffer account takeover, especially where recovery workflows accept weak proofing or where a compromised device can mint a fresh credential. NIST’s NIST Cybersecurity Framework 2.0 treats identity as an ongoing risk management problem, not a one-time login event.
For NHI management, the same pattern appears when organisations secure the authenticator but not the lifecycle around it. In the DeepSeek breach, exposed secrets and weak exposure controls showed how quickly attackers can pivot once issuance or storage is mishandled. NHI Management Group research in The State of Secrets in AppSec highlights how fragmented secrets practices and slow remediation widen that gap. In practice, many security teams discover passwordless failure only after account recovery abuse or device enrolment fraud has already produced a valid credential.
How It Works in Practice
Passwordless succeeds only when the organisation can prove three things at runtime: who the user is, what device or authenticator is bound to that identity, and whether the recovery path is equally strong. The main failure point is not the absence of a password, but the presence of legacy identity proofing behind the scenes. If a call centre can reset access after weak checks, or an email inbox remains the single recovery factor, attackers can still take over the account without ever cracking a password.
Operationally, strong deployments usually combine phishing-resistant authenticators, device binding, risk-based step-up checks, and tightly governed recovery. Current guidance suggests treating recovery as a privileged workflow, not a convenience feature. That means:
- Require high-assurance identity proofing before issuing the first credential.
- Bind the authenticator to a trusted device or hardware-backed key where possible.
- Use separate controls for enrollment, recovery, and re-issuance.
- Log and review every recovery event as a potential compromise indicator.
- Revoke or rotate credentials automatically when the bound device is lost or replaced.
For broader programme design, the secrets management findings matter because passwordless environments still rely on tokens, keys, and recovery artifacts that must be governed as secrets. NIST’s framework also reinforces that access control must be paired with detection and continuous monitoring, not treated as a single gateway decision. These controls tend to break down when organisations centralise recovery in a help desk that lacks strong identity proofing, because the attacker targets the issuer rather than the authenticator.
Common Variations and Edge Cases
Tighter recovery controls often increase support overhead, requiring organisations to balance user friction against takeover resistance. That tradeoff is most visible in consumer-facing deployments, bring-your-own-device environments, and hybrid work models where device trust is harder to standardise. Best practice is evolving, but there is no universal standard for whether email, SMS, push approval, or knowledge-based checks are acceptable for recovery at lower assurance levels.
Some environments fail for different reasons. Shared kiosks, contractor access, and high-turnover workforces often create exceptions that weaken device binding. Legacy applications may still accept fallback passwords even after the primary login becomes passwordless, which reintroduces the same risk through the back door. Organisations should also watch for “passwordless” marketing that only means passwordless at the front end; if admin resets, delegated recovery, or service desk scripts still rely on static knowledge checks, the control is incomplete. The practical test is simple: if an attacker can obtain a fresh credential without proving the original identity to the same standard used at enrollment, the deployment is not truly passwordless.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers weak issuance and recovery paths that still enable takeover after passwords are removed. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and authentication controls map directly to access control expectations. |
| NIST AI RMF | Risk management must cover the full identity lifecycle, including recovery and re-issuance. |
Treat enrollment and recovery as access-control processes and verify assurance before issuing credentials.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
