Brian Sims
Editor
The FIDO Alliance and HID, the global enabler of trusted identity solutions, have jointly issued a new research report, ‘The State of Physical and Digital Identity in the Enterprise’, which examines in detail how organisations manage physical and logical access across their workforces.
Surveying 500 IT and cyber security decision-makers across the UK, the US, Canada, France and Germany, the new study uncovers a significant ‘disconnect’ between enterprise confidence in identity security and operational reality.
While most organisations believe they can revoke all physical and digital access within 24 hours when an employee leaves, more than one-third report experiencing actual failures in doing so, contributing towards identity-related security incidents across the enterprise.
Key findings
While confidence is high, so are security incidents. 94% of organisations claim confidence that all physical and logical access can be revoked within 24 hours of an employee leaving. However, 35% experienced delays or failures in doing exactly that in the past two years, while 70% experienced at least one identity-related security incident overall.
Governance is fragmented. Only 50% of enterprises have unified reporting ownership for physical and digital identity and just 48% have consolidated budget control. Finance is the most governance-fragmented sector, with 34% operating fully separate reporting structures despite having to operate under stringent regulatory access control obligations.
Complexity is growing, with enterprises managing three separate systems on average. 59% of enterprises manage three or more distinct credential and authentication systems. 58% state that managing digital identity has become more complex over the past two years.
The public sector has the highest identity security incident rate of any industry, with 43% experiencing access revocation failures. It has a 20% manual credential revocation rate, which is more than double that of the IT/technology sector.
Passkey adoption must scale to protect businesses. 93% of organisations are at some stage of passkey adoption, while 65% report high or expert technical familiarity. However, only 13% have deployed passkeys at scale, explaining why organisations experience such high levels of security incidents.
The leading driver for moving to password-free authentication is reducing phishing and credential-based breach risk (45%), followed by reducing IT costs from password resets and Help Desk load (44%).
Focus on execution
Andrew Shikiar, executive director and CEO of the FIDO Alliance, commented: “The story in this data isn’t about awareness. It’s about execution. 93% of organisations are on the passkey journey, but only 13% have deployed at scale. The security incident rates directly reflect that gap.”
Shikiar added: “Phishing-resistant authentication only delivers its full protective value when deployment is comprehensive rather than selective. Threat actors don’t limit themselves to those parts of the organisation that are already protected.”
Sean Dyon, vice-president of the Authentication Business Unit at HID, observed: “Identity security is no longer just an authentication challenge. It’s an enterprise governance challenge. As organisations adopt passkeys, a unified approach towards managing physical and digital identity becomes critical. This research shows that fragmented governance, disconnected systems and limited visibility create real business risk.”
Dyon concluded: “HID is closing that gap by bringing credentials, access rights and lifecycle management together in order to enable faster and more confident access decisions.”
*Further information is available online at www.fidoalliance.org and www.hidglobal.com