The FIDO Alliance and HID have released The State of Physical and Digital Identity in the Enterprise, a new research report examining how organisations manage physical and logical access across their workforces.
Surveying 500 IT and cybersecurity decision-makers across the US, Canada, UK, France, and Germany, the new study uncovered a significant disconnect between enterprise confidence in identity security and operational reality. While most organisations believe they can revoke all physical and digital access within 24 hours of an employee leaving, more than one-third report failing to do so, contributing to identity-related security incidents across the enterprise.
Key findings from the report include:
● 94% of organisations claim confidence that all physical and logical access can be revoked within 24 hours of an employee leaving.
● Yet 35% experienced delays or failures doing exactly that in the past two years — and 70% experienced at least one identity-related security incident overall.
Governance is fragmented
● Only 50% of enterprises have unified ownership of reporting for physical and digital identities, and just 48% have consolidated budget control.
● Finance is the most governance-fragmented sector, with 34% maintaining fully separate reporting structures despite stringent regulatory access-control obligations.
Complexity is growing, and enterprises manage three separate systems on average
● 59% of enterprises manage three or more distinct credential and authentication systems.
● 58% say managing digital identity has become more complex over the past two years.
The Public Sector carries the highest incident rate
● The sector has the highest identity security incident rate of any industry, with 43% experiencing access revocation failures.
● It has a 20% manual credential revocation rate, which is more than double that of the IT/Technology sector.
Passkey adoption must scale to protect businesses
● 93% of organisations are at some stage of passkey adoption, and 65% report high or expert technical familiarity.
● However, only 13% have deployed passkeys at scale, which helps explain why organisations experience such high levels of security incidents.
Phishing-resistant authentication is a top business priority
● The leading driver for moving to passwordless authentication is reducing phishing and credential-based breach risk (45%), followed by reducing IT costs from password resets and help desk load (44%).
“The story in this data is not about awareness, it is about execution. Ninety-three percent of organisations are on the passkey journey, but only 13% have deployed at scale, and the security incident rates reflect that gap directly,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “Phishing-resistant authentication only delivers its full protective value when deployment is comprehensive rather than selective, because threat actors do not limit themselves to the parts of the organisation that are already protected.”
“Identity security is no longer just an authentication challenge; it is an enterprise governance challenge. As organisations adopt passkeys, a unified approach to managing physical and digital identity becomes critical. This research shows that fragmented governance, disconnected systems and limited visibility create real business risk. HID is closing that gap by bringing credentials, access rights and lifecycle management together to enable faster, more confident access decisions,” said Sean Dyon, vice president of the Authentication Business Unit at HID.