Here are two numbers that should bother everyone: 92% of organizations are implementing passwordless. Only 7% have gone completely passwordless.
That gap isn’t a technology problem. The tools exist. The standards are mature. The intent is there. The business case is clear: fewer vulnerabilities, lower costs, better user experience. And yet, most organizations are still typing passwords every day.
So why the gap?
Maybe the adoption paradox exists because organizations think they don’t have enough data to understand their complex environments: legacy systems, diverse users, and inconsistent real-world conditions.
Identity platforms already generate vast amounts of telemetry every day—authentication events, access patterns, failure rates, behavioral signals. Most security teams consume that data. Very few interrogate it.
In practice, identity telemetry is often used for audits and compliance reporting, and it stops there. Which leaves some of the most important questions—like why an organization is struggling to go passwordless—unanswered:
- Where are users actually struggling and why?
- Where does trust break down in practice?
- Which controls truly improve outcomes?
Over the past year, I’ve realized that identity data isn’t valuable on its own. It only matters when it leads to action. And it’s the right questions that surface the right signals organizations need to drive that action.
Take passwordless adoption as an example. It comes down to three questions:
The first: Is passwordless available for everyone?
Not in theory, in practice. The gap between what’s deployed and what users can actually use is often much larger than dashboards suggest. The signals for that gap usually appear where teams aren’t actively looking.
The second: Can users access passwordless everywhere?
Can users access the secure path wherever they need it? A single workflow, system, or exception that forces a workaround can stall passwordless adoption. Users don’t think in systems, they think in experiences.
The third: Does passwordless work every time?
Not in the office, not on a good day, but every time, in every environment your users actually operate in. Users don’t retreat to passwords because they prefer them. They retreat because the secure path failed them when it mattered most.
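One way to put these three questions to authentication logs, as an added example that is not RSA's tooling or code from this post. The event fields, the enrollment set, and the 120-second fallback window are assumptions, and the sample events are constructed:

```python
from collections import defaultdict

# Constructed sample events; the field names are assumptions, not a vendor schema.
EVENTS = [
    {"ts": 100, "user": "ana", "app": "vpn",  "method": "passwordless", "ok": True},
    {"ts": 160, "user": "ana", "app": "erp",  "method": "password",     "ok": True},
    {"ts": 200, "user": "bo",  "app": "vpn",  "method": "passwordless", "ok": False},
    {"ts": 230, "user": "bo",  "app": "vpn",  "method": "password",     "ok": True},
    {"ts": 300, "user": "cy",  "app": "mail", "method": "password",     "ok": True},
    {"ts": 900, "user": "bo",  "app": "mail", "method": "passwordless", "ok": True},
]
ENROLLED = {"ana", "bo", "cy"}  # users with a passwordless authenticator registered


def enrolled_but_unused(events, enrolled):
    """Question 1: enrolled users who never completed a passwordless login."""
    used = {e["user"] for e in events if e["method"] == "passwordless" and e["ok"]}
    return sorted(enrolled - used)


def password_only_apps(events):
    """Question 2: apps where no passwordless login ever succeeded."""
    methods = defaultdict(set)
    for e in events:
        if e["ok"]:
            methods[e["app"]].add(e["method"])
    return sorted(app for app, seen in methods.items() if "passwordless" not in seen)


def fallbacks_after_failure(events, window=120):
    """Question 3: password logins within `window` seconds of a failed
    passwordless attempt by the same user."""
    last_fail, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] == "passwordless":
            if e["ok"]:
                last_fail.pop(e["user"], None)   # secure path recovered
            else:
                last_fail[e["user"]] = e["ts"]   # remember the failure
        elif e["ok"] and e["user"] in last_fail and e["ts"] - last_fail[e["user"]] <= window:
            hits.append((e["user"], e["app"], e["ts"]))
    return hits


if __name__ == "__main__":
    print(enrolled_but_unused(EVENTS, ENROLLED))
    print(password_only_apps(EVENTS))
    print(fallbacks_after_failure(EVENTS))
```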
At Identiverse, I’ll walk through how asking questions like these can change what you measure, where signals mislead teams, and how they reshape what gets built.
At RSA, we tested this hypothesis on ourselves. We rolled out passwordless across every employee, every login, every use case. The enterprise became the test bed.
The goal was simple: 100% passwordless. And we believed we had it right.
Then we looked at the telemetry.
Users were still typing passwords. Every day. Despite deployment, training, and policy.
That forced a hard question: why?
The only honest answer was to stop guessing and start following the data.
What followed reshaped our decisions, policies, and product design and eventually got us to where we needed to be: passwordless for our global workforce across diverse environments. The FIDO Alliance documented the journey in a case study, explaining the technologies, challenges, and lessons along the way.
Here’s where the story shifts. We reached 94% passwordless adoption across our global workforce in 12 months.
At first, it felt like the hard part was done.
But most modern breaches don’t involve cracking authentication. They involve bypassing it. MFA fatigue attacks, helpdesk social engineering, and AI-powered spear phishing that targets human processes instead of systems. In many recent incidents, attackers never touched authentication. They went around it.
Data breaches at Caesars Entertainment Group, MGM Resorts, Marks & Spencer, and other organizations forced us to rethink where trust actually breaks down in the identity journey.
Strong credentials are necessary but not sufficient.
So we extended our telemetry beyond authentication into the full credential lifecycle, especially recovery and account access workflows.
And one question became critical:
Is recovery easier than login?
I’ll share the signals we started tracking across recovery, what they revealed, and how closing that gap changed our view of continuous trust.
At Identiverse, I’ll go deeper into these ideas. Passwordless was our proving ground, but asking the right questions of your identity telemetry isn’t really about passwordless—or it isn’t about only passwordless. It applies just as much to MFA fatigue, Zero Trust gaps, or any security initiative you’re trying to drive.
Join my session on Thursday, June 18 at 10:15 a.m.
Then stop by RSA at Identiverse Booth #1001 to see how RSA delivers passwordless for every user, in every environment, for every use case and to demo how RSA Live Verify helps close the recovery gap we’ve been discussing.