
Digital identity research warns of ‘password debt’ as enterprises delay IAM rollouts

Hypr, RSA, Cisco explore passwordless adoption, standards alignment

Enterprises may be sharpening their understanding of digital identity threats, but the industry is still struggling to turn that knowledge into large‑scale execution. Hypr’s latest State of Passwordless Identity Assurance report shows passwordless and identity verification deployments stalling. RSA has been testing its own passwordless strategy internally, uncovering the hidden dependencies that still tether organizations to passwords. And in the public sector, Cisco Duo is positioning its zero‑trust platform as a way for agencies to align with new NIST cybersecurity standards.

Passwordless hits a plateau

Enterprises are getting to grips with identity threats and phishing‑resistant authentication, but scaling passwordless and digital identity verification technologies remains slow.

That’s the conclusion from the sixth annual State of Passwordless Identity Assurance report from Hypr and 451 Research from S&P Global Energy Horizons.

The study finds that organizations have gained a deeper grasp of identity‑security concepts, but adoption has plateaued after last year’s surge. Passwordless deployments remain limited to specific user groups and isolated use cases rather than broader rollouts. Identity verification (IDV) shows a similar pattern: it is widely recognised but still deployed narrowly.

Researchers attribute the slowdown to cost pressures and legacy-system compatibility issues. Regulatory uncertainty and the complexity of scaling identity transformation across an entire organization add to the hesitancy. This comes even as many enterprises understand that securing identity means protecting every touchpoint.

Despite improved literacy around phishing‑resistant authentication, the report shows that usernames and passwords remain dominant for 76 percent of respondents. Only 43 percent report using passwordless methods, and year‑over‑year adoption has remained flat. Many apps and devices still lack support for FIDO2, WebAuthn and other passwordless standards, with 32 percent citing legacy‑app incompatibility as a key obstacle.

IDV remains the second most‑deployed identity tool and a common response to breaches, but its use is concentrated in limited scenarios. Responsibility for workforce identity verification is fragmented across HR, IT, IAM and security teams, which is slowing progress toward unified, automated orchestration.

The report shows growing concern over generative and agentic AI, which are amplifying existing threats such as phishing and ransomware while enabling new attack types including deepfakes and employee‑impersonation fraud.

The report notes that breaches continue to drive reactive spending. Increased security budgets (59 percent) were the most common post‑incident response, followed by audits, training and stronger authentication. Organizations typically rush to deploy IDV (61 percent), multi-factor authentication (MFA) (57 percent) and identity threat detection tools (52 percent) after an attack. It’s a pattern the report describes as “panic buying.”

Hypr and 451 Research argue that the industry is entering an “Age of Industrialization,” where the greater challenge lies in operationalizing digital identity security at scale. Enterprises face a growing “password debt” with legacy credentials and fragmented controls, which attackers continue to exploit. Progress will depend on coordinated, organization‑wide execution.

The State of Passwordless Identity Assurance 2026 report can be read here.

RSA maps out passwordless strategy after experiment

RSA did some self‑experimentation as it put its own passwordless strategy to the test. As a company that sells authentication technology, RSA set out to answer a simple question — does it actually use what it builds?

Leadership set an internal goal of achieving 100 percent passwordless authentication across its global workforce. The aim was twofold. RSA wanted to reduce credential‑based risk inside the organization, and experience the same deployment challenges faced by enterprise customers rolling out passwordless and FIDO‑based authentication at scale.

RSA has a globally distributed workforce, hybrid infrastructure and a mix of cloud and on‑premises systems. The company deployed its own IAM platform, RSA ID Plus, which supports passwordless MFA, SSO and access controls.

The platform itself performed as expected; the friction occurred in the surrounding identity ecosystem. RSA found hidden dependencies that continued to default certain workflows back to passwords. These surfaced across identity‑lifecycle touchpoints such as device replacement, account recovery and access to legacy applications.

RSA then identified and removed these password‑based fallbacks, clearing the path for true passwordless operation across all users and environments.

The company says the exercise revealed that the hardest part of going passwordless is not the authenticator. Instead, it’s the legacy assumptions, infrastructure gaps and operational workflows that still rely on passwords. RSA charted its own workforce rollout as a journey that “moved through three meaningful shifts,” sharing its learnings as a structured path.
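An added example (not from the RSA, Hypr or Cisco material) of how a defender can find the kind of password fallbacks RSA describes: it scans identity-provider sign-in events, written here in an assumed JSON-lines format with constructed records, and flags touchpoints where users who already authenticate with FIDO2 or passkeys are still pushed back to a password.

```python
# Added example: audit IdP sign-in events for workflows that still fall back
# to passwords. Field names are assumptions; the events are constructed.
import json
from collections import Counter, defaultdict

PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "certificate"}
PASSWORD_BASED = {"password", "password+otp", "password+push"}

# Constructed events in a hypothetical JSON-lines IdP audit format
SAMPLE_LOG = """\
{"user":"alice","app":"sso-portal","workflow":"login","method":"fido2"}
{"user":"alice","app":"hr-legacy","workflow":"login","method":"password"}
{"user":"bob","app":"sso-portal","workflow":"login","method":"passkey"}
{"user":"bob","app":"sso-portal","workflow":"account_recovery","method":"password+otp"}
{"user":"carol","app":"mdm","workflow":"device_replacement","method":"password+push"}
{"user":"carol","app":"sso-portal","workflow":"login","method":"fido2"}
{"user":"dave","app":"vpn","workflow":"login","method":"password+otp"}
"""

def parse_events(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt record should not abort the whole audit
    return events

def audit_password_fallbacks(events):
    """Return the password share plus the (workflow, app) pairs still needing passwords."""
    by_touchpoint = Counter()        # password events per (workflow, app)
    fallback_users = defaultdict(set)  # who hit each password touchpoint
    users_with_pr = set()            # users seen with phishing-resistant auth
    password_events = 0
    for ev in events:
        method = ev.get("method", "").lower()
        key = (ev.get("workflow", "unknown"), ev.get("app", "unknown"))
        if method in PHISHING_RESISTANT:
            users_with_pr.add(ev.get("user"))
        elif method in PASSWORD_BASED:
            password_events += 1
            by_touchpoint[key] += 1
            fallback_users[key].add(ev.get("user"))
    # Hidden dependency: a user already on phishing-resistant auth who is still
    # forced back to a password at some touchpoint (e.g. recovery, device swap)
    hidden = {k: sorted(u & users_with_pr) for k, u in fallback_users.items() if u & users_with_pr}
    share = round(100 * password_events / len(events), 1) if events else 0.0
    return {"password_share_pct": share, "by_touchpoint": dict(by_touchpoint), "hidden_dependencies": hidden}
```

The `hidden_dependencies` entries are the fallbacks worth removing first, since those users already have a phishing-resistant credential and the password path exists only because the workflow still assumes one.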

RSA’s report on its passwordless experience “Inside RSA: Deploying FIDO and Passwordless Solutions at Scale” can be downloaded here.

Cisco Duo takes aim beyond MFA

Cisco Duo is making moves in public sector cybersecurity as agencies align identity systems with the updated NIST Cybersecurity Framework 2.0 and NIST SP 800‑53 controls.

Cisco says its zero‑trust, phishing‑resistant IAM platform is a way for government organizations to strengthen authentication and device trust, along with compliance requirements.

Cisco Duo is designed to provide multi‑factor and passwordless authentication. But it also goes beyond multi-factor authentication, according to a company blog post, by conducting device‑health checks and enforcing adaptive access policies that block credential‑based attacks.

The platform also supports FIDO2, biometrics, hardware tokens and push‑based authentication, alongside single sign‑on and continuous behavioural monitoring.

Its device‑visibility features assess operating systems and security agents, as well as compliance status, before granting access. The company says these capabilities map to the identity, access control and device‑security requirements outlined in NIST CSF 2.0.

The updated framework, released in 2024, adds a “Govern” function and places stronger emphasis on supply‑chain risk and enterprise‑wide cybersecurity governance. Duo’s zero‑trust model aligns with the framework’s expanded focus on identity management, threat detection and resilience.

iProov has an explainer on why NIST rewrote the rules (hint: the threat landscape changed), and a breakdown of Special Publication 800-63-4 and its “fundamental rethink” of secure digital identity, in a detailed post.

As for Cisco Duo, it also aligns with NIST SP 800‑53, which is the federal catalogue of more than 1,000 security and privacy controls used across government systems and regulated industries. The framework underpins compliance regimes such as FedRAMP, HIPAA and FISMA, and is central to achieving an Approval to Operate (ATO) for federal systems.

Duo’s authentication, device trust and continuous monitoring features support several of the control families including access control, system protection and incident response. More on Cisco Duo can be found in this blog post.
