Passwordless authentication is quickly becoming a top pick for securing access. By doing away with traditional passwords, companies hope that they can avoid phishing attacks, credential theft, and password fatigue. Many companies are already deploying passwordless solutions across their entire employee population, integrating them with mobile phones, security keys, multi-factor authentication, and biometric authentication systems.
But this model starts to show gaps when it's applied to non-employees. Contractors, vendors, and partners don't always align with passwordless assumptions or standard authentication processes. This blog examines why passwordless authentication, despite its strengths, can fall short for third-party identities. We’ll look at where these strategies break down and why third-party identity governance remains essential for securing external users.
Third-party identities are essential in most organizations. They include contractors, vendors, suppliers, partners, freelancers, and other non-employees who need access to systems, data, or tools. Considering their positioning outside of standard HR and IT structures, they often don't fit into the standard authentication process/with authentication factors such as one-time passwords or biometric authentication.
Third-party identities are varied in nature:
· A short-term contract developer.
· A remote vendor providing support for a key application.
· An on-site or virtual consulting organization.
· A partner firm that integrates with internal systems.
All of these groups have various access patterns and lifecycle events. Some need access for a few days, where using one-time passwords or social logins may suffice. Others may need it for months, as required by a contract or specific deliverable.
Third-party identities are distinct from employees in a few important ways:
· No reporting lines - In many cases, they do not report to corporate managers in the same way employees do.
· Outside device usage - They often use their own equipment, which is not always up to corporate standards for security.
· Variable tenure - Their requirements for access might change as needed by their project scope or contract length.
· Distributed control - Third-party access tends to be vague, distributed across business units or external sponsors.
These factors can create gaps that cannot be addressed by passwordless authentication alone.
Third-party identities are increasingly becoming a large breach factor, with their involvement in security breaches going from 15% to 30% of cases in the latest Verizon DBIR. Nearly 98% of businesses have had at least one breached vendor within the past two years. And whether they rely on one-time passwords, push notifications, or password rotations, the data shows that the most targeted third parties are IT services providers, cloud platforms, and software providers.
A key theme in many breaches is stolen credentials. Verizon's data puts credential-based attacks as the #1 entry vector for security breaches. 86% of basic web app breaches were due to stolen login credentials, despite multi-factor authentication or password policies. While the numbers vary year to year, a large number of breaches occur due to password-stolen passwords. All in all, these trends are encouraging 61% of organizations to move to passwordless authentication, as well as stronger authentication factors such as biometric authentication and one-time passwords. Gartner predicts over 50% of workforce authentication transactions will be passwordless (from less than 10% in 2021) and over 20% of customer logins will be passwordless too. The shift is supported by the growth of authentication applications, as well as single sign-on and biometric authentication solutions.
Passwordless authentication has been a good match for your typical employees. It aligns with most organizations' internal access architecture, supported by single sign-on and multi-factor authentication. Why it works for them is associated with how employee identities are managed.
Employees typically receive company-owned devices installed with authentication apps and biometric authentication. Central IT can manage the updates, lock down password policy, and take away access when needed. It ensures consistent application of multi-factor authentication and passwordless methods to employees.
Employee identities all fit the defined structure, so authentication factors and the overall authentication system can be better managed. Access tends to be long-term, dependent on continued employment, and is associated with fewer password resets than that of external users.
Passwordless authentication is most effective in well-managed, stable environments. Third-party identities usually don't fit that description. These identities are also a frequent target for ransomware—41% of 2024 ransomware attacks began with vendor or contractor access compromised, so it's critical to secure them.
Identity verification is a critical element in any authentication process. For employees, it's taken care of through HR infrastructure, background checks, and official documents. Identity proofing for third parties is often unevenly done. Contractors and vendors come from varied companies that have different standards. Some of them skip strong checks or outsource to third-party agencies. This variation weakens the foundation on which passwordless technologies will be built on.
Federated identity can in theory be used to deal with external users by enabling them to sign on through their own organization. But there are some problems with that:
· Not everyone outside your company is going to play by the same set of security rules.
· Protocols and standards will always differ between systems.
· Integrations could fall through, leaving security gaps.
Inconsistent trust across identity providers makes it difficult to rely on federated passwordless solutions for third parties.
Third-party access needs change frequently. This volatility makes passwordless models harder to apply. Examples include:
· Access tied to short-term projects, contracts, or service engagements.
· Timelines that shift unexpectedly, with access ending or extending without notice.
· External users moving between projects, changing roles, or leaving engagements, all affecting access requirements.
Passwordless authentication assumes long-term, stable relationships. It struggles to keep up with:
· Frequent creation and removal of credentials.
· Ongoing adjustments to permissions as external roles evolve.
· The risk of expired or unused credentials remaining active beyond their intended period.
These conditions increase the chances of orphaned access that could be misused.
Passwordless authentication requires a robust identity management infrastructure. For employees, traditional IAM platforms provide that infrastructure. However, when dealing with external users, these platforms fall short. This makes it harder for passwordless approaches to operate as they would ideally like to.
Legacy IAM systems assume centralized device management, clear reporting hierarchies, and long-term, stable access. But third-party identities don't behave this way. Their access is more likely to be short-term, project-specific, or contract-based, frequently changing over time.
This is where B2B IAM and external identity management (XIAM) models come into play. XIAM offerings are set up to process non-employee identities in large numbers, with the agility that traditional IAM cannot offer. They provide the infrastructure needed to:
· Combine passwordless credentials with external identity lifecycles.
· Link access to actual business events, such as project completion or contract termination.
B2B IAM supports secure collaboration between businesses using uniform policies and creating trusted connections between identity systems. It helps ensure that passwordless authentication approaches can cross the firewall and still meet security and regulatory needs.
Traditional IAM typically falls short of dealing with these external scenarios, and passwordless authentication for third parties is left ineffective if there is no purpose-built external identity management to support it.
Passwordless authentication only solves part of the issue. For third-party identities, it is governance that helps keeps everything together. Without it, even the best authentication approaches can have gaps.
Passwordless systems confirm that a credential is in good standing and valid when used. Governance guarantees that the right individual still has the right access at the right time.
Governance tools help with:
· Lifecycle automation, where credentials are created, refreshed, or revoked based on real-world events.
· Delegated administration, where business owners manage access on behalf of their external users.
· Centralized visibility, allowing security teams to see who is accessing what and why.
If left ungoverned, passwordless credentials can stay around longer than their intended duration. It accumulates risk and increases auditing complexity.
Third-party access should always have a defined lifecycle. This includes:
· Onboarding third-party users only after identity proofing and verification.
· Connecting access privileges to contracts, project timetables, or service level agreements.
· Automatically expiring credentials when work is done or roles change.
Secure vendor management has to be an integral part of the process at all times. Vendor access needs to be tied to specific policies, contract terms, and expiration controls. Automating lifecycles can help maintain access in line with business needs, reducing the likelihood of unused credentials being active.
Assign responsibility for third-party identities to business sponsors. These are the people who work directly with the external users. They are in the best position to:
· Approve access requests.
· Track changes to roles or projects.
· Confirm when access should end.
Delegated administration makes sure that there is always a traceable owner of external access.
Despite the use of passwordless authentication, monitoring should still be conducted. In your solution, incorporate:
· End-to-end visibility into who has access and why.
· Alerts for suspicious activity or access changes.
· Reporting tools that enable audits and compliance reviews.
These controls enable a stronger security foundation and help address any regulations.
Passwordless authentication and third-party identity governance work together to protect your organization from credential-based attacks, orphaned access, and compliance gaps. Combining these approaches helps ensure that external users are verified, monitored, and granted the right access at the right time.
Want to learn how to apply passwordless strategies and governance to secure your third-party ecosystem? Contact us at info@anomalix.com for solutions tailored to your business.
