Three quiet changes have rewritten enterprise password practice over the past two years. Passkey rollouts have moved from pilot programmes into mainstream identity strategy at most large organisations. The refreshed NIST guidance on authentication has worked its way through internal security policies. Identity provider defaults have changed enough that the user-facing experience of enterprise authentication looks different from how it looked twelve months ago. None of this has been announced as a single transition, but the cumulative shift is substantial.
The interesting question is what the change has actually delivered in terms of security outcomes, help-desk load, and user experience, and where the gap between the new best practice and the messy reality of large enterprise environments remains widest.
Passkeys move from pilot to default
The headline change is that passkeys have moved from being an experimental authentication option to being the default credential type for an increasing share of enterprise applications. Major identity providers and enterprise application vendors have built passkey support into their primary authentication flows, often with explicit guidance to administrators to prefer passkey enrolment over password-based authentication for new accounts.
The adoption pattern inside large enterprises has been uneven but visible. Newer applications and SaaS environments where the user authenticates through a modern identity provider are the easiest cases: there, passkey enrolment is largely a configuration decision, and it has been broadly adopted. Legacy applications, internal systems, and environments where authentication runs through older protocols remain harder, and these are where the gap between the new best practice and operational reality is largest.
The security benefits of passkey adoption are real and measurable. Phishing-based credential theft, which has been the dominant vector for account compromise in most enterprises for years, is meaningfully reduced when the credential cannot be phished. Password reuse risk disappears for passkey-authenticated accounts. The friction of multi-factor authentication, which has historically been a source of user resistance, is partially absorbed into the passkey flow itself.
What passkey adoption does not eliminate is the recovery and enrolment work. Onboarding a new user to a passkey-based authentication system, recovering access for a user who has lost their authenticator device, and managing the lifecycle of authentication credentials across employee transitions all require operational processes that the passkey technology itself does not provide. Help-desk volume on authentication issues has shifted in shape rather than disappearing entirely, and several large IT operations functions have reported recovery-related ticket volume increasing as passkey enrolment has scaled.
NIST guidance and the death of mandatory rotation
The refreshed NIST guidance on authentication, which has been working its way through enterprise security policy for several years, has finally reached the point where its recommendations are visible in most large organisations' documented practice. The most consequential change is the formal end of mandatory periodic password rotation as a baseline security control.
The argument against rotation has been clear in the research literature for years. Forced periodic changes produce worse passwords on average, encourage predictable rotation patterns that attackers exploit, and increase help-desk burden without delivering measurable security benefit when the underlying password is strong. The official NIST position aligned with this evidence some time ago, but enterprise security policies often lagged for compliance and audit reasons.
That gap has now largely closed in most large organisations. Mandatory rotation policies have been removed or significantly relaxed for most account types, replaced by rotation only on suspected compromise and by stronger enrolment requirements at the front end. Audit and compliance frameworks have followed, with most major frameworks now treating the absence of mandatory rotation as compatible with strong security practice rather than as a weakness.
This shift has had a measurable effect on help-desk load. Password-reset tickets, which were one of the largest sources of routine IT support work for years, have declined meaningfully at most large organisations that have removed mandatory rotation. The decline is offset partially by passkey recovery work, but the net direction is positive.
What identity providers changed quietly
The third piece of the shift has happened inside identity provider defaults. The major enterprise identity platforms have updated their default configurations in ways that meaningfully affect what an enterprise gets out of the box.
Default password complexity requirements have shifted away from the older composition-rule approach (mandatory uppercase, mandatory special character, mandatory digit) toward length-based and breached-password-checking approaches that produce stronger outcomes with less user friction. The change is consistent with the NIST guidance but goes further in some respects, with automatic checks against known-compromised password databases now common as a default control.
Default multi-factor authentication enforcement has tightened. Most enterprise identity providers now strongly encourage or require MFA enrolment for new accounts, with conditional access rules that escalate authentication requirements based on contextual risk signals. The user experience of enterprise authentication has become more dynamic. A low-risk session from a managed device on a trusted network may pass through with minimal friction, while a higher-risk context triggers stronger verification.
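The risk-based escalation just described, as an added example (not any vendor's policy engine): a small evaluator that maps a set of session signals to the minimum assurance level to demand. The signal names, the 8-hour session threshold and the tiering of applications are assumptions chosen for the illustration; real platforms expose many more signals and let administrators tune every threshold.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication strength the policy can demand, weakest to strongest."""
    SESSION_OK = 0           # existing session accepted, no prompt
    MFA = 1                  # any second factor
    PHISHING_RESISTANT = 2   # passkey / FIDO2 only
    BLOCK = 3                # refuse the sign-in


@dataclass
class SignInContext:
    # Constructed signal set for this example.
    managed_device: bool
    trusted_network: bool
    new_location: bool = False
    impossible_travel: bool = False
    credential_leaked: bool = False
    privileged_role: bool = False
    application_tier: str = "standard"   # "standard" or "sensitive"
    session_age_minutes: int = 0


@dataclass
class Decision:
    required: Assurance
    reasons: list = field(default_factory=list)


def evaluate(ctx: SignInContext) -> Decision:
    """Raise the required assurance monotonically as risk signals accumulate.
    Hard signals block outright; softer ones step up the factor strength.
    Every contributing signal is recorded so the decision can be audited."""
    required = Assurance.SESSION_OK
    reasons = []

    def step_up(level, why):
        nonlocal required
        if level > required:
            required = level
        reasons.append(why)

    # Hard stops: neither of these is acceptable with any factor strength.
    if ctx.credential_leaked:
        step_up(Assurance.BLOCK, "credential appears in a leak; force reset")
        return Decision(required, reasons)
    if ctx.impossible_travel:
        step_up(Assurance.BLOCK, "impossible travel between sign-ins")
        return Decision(required, reasons)

    # Baseline: unmanaged device, untrusted network or a new location needs a second factor.
    if not ctx.managed_device:
        step_up(Assurance.MFA, "unmanaged device")
    if not ctx.trusted_network:
        step_up(Assurance.MFA, "untrusted network")
    if ctx.new_location:
        step_up(Assurance.MFA, "first sign-in from this location")

    # Privileged users and sensitive applications get phishing-resistant factors only.
    if ctx.privileged_role:
        step_up(Assurance.PHISHING_RESISTANT, "privileged role")
    if ctx.application_tier == "sensitive":
        step_up(Assurance.PHISHING_RESISTANT, "sensitive application")

    # Long-lived sessions are re-verified even when every other signal is clean.
    if ctx.session_age_minutes > 8 * 60:
        step_up(Assurance.MFA, "session older than 8 hours")

    return Decision(required, reasons)
```

The low-risk case in the text (managed device, trusted network) returns SESSION_OK with an empty reason list, which is the minimal-friction path; the same user opening a sensitive application is stepped up to a phishing-resistant factor regardless of device and network.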
The defaults are doing a meaningful amount of the work that previously required explicit configuration. For organisations that have stayed on current versions of their identity platforms, baseline authentication posture has improved without requiring substantial internal effort. For organisations that have stayed on older versions or have customised their identity configurations heavily, the gap to current best practice has widened.
Where the gaps remain
The cleaner authentication picture in the modern enterprise application portfolio masks several areas where the gap to best practice is large and growing.
Legacy applications that authenticate through older protocols, including basic auth, NTLM, and certain SAML implementations with weak configurations, remain a meaningful share of the enterprise application landscape and are not benefiting from the broader shift. Removing or replacing these is technically straightforward but operationally expensive, and most enterprises have a long tail of such applications that have not been prioritised.
Service-to-service authentication is another area where the modern best practice (short-lived credentials, machine identity management, workload identity federation) has been slower to penetrate than user authentication best practice. Many enterprise environments still rely on long-lived service account credentials with broad permissions, and the work to modernise this is substantially more complex than the user-side passkey rollout.
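Both gaps above, legacy protocols in the application long tail and long-lived service credentials, start with an inventory, so here is one as an added example (written for this page, not any vendor's tooling). It runs over a constructed sign-in and credential export; the column names, the protocol labels (including the `saml_unsigned_assertions` label standing in for a weakly configured SAML integration) and the 90-day credential-age threshold are assumptions for the illustration.

```python
import csv
import io
from datetime import date

# Constructed export in the shape of a combined sign-in / credential report:
# one row per principal, application and protocol. Field names and values
# are assumptions for this example, not any identity provider's schema.
SAMPLE_EXPORT = """\
principal,principal_type,application,auth_protocol,credential_issued,last_seen
alice,user,hr-portal,oidc,2025-01-10,2025-06-01
bob,user,fileshare,ntlm,2024-11-03,2025-06-01
svc-backup,service,backup-agent,basic,2021-03-15,2025-06-01
svc-etl,service,warehouse,oauth2_client_credentials,2023-02-01,2025-05-30
svc-ci,service,artifact-store,workload_federation,2025-05-20,2025-06-01
carol,user,legacy-crm,saml_unsigned_assertions,2025-03-01,2025-05-28
"""

LEGACY_PROTOCOLS = {"basic", "ntlm", "saml_unsigned_assertions"}
# Federated workloads receive a token per job; there is no static secret to age.
SHORT_LIVED_PROTOCOLS = {"workload_federation"}
MAX_SERVICE_CREDENTIAL_AGE_DAYS = 90   # policy threshold, an assumption here


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows, today: date) -> dict:
    """Return the two findings the text describes: applications still
    reached over legacy protocols, and service principals still running on
    a static credential older than the threshold."""
    legacy = {}
    stale_service = {}
    for r in rows:
        proto = r["auth_protocol"]
        if proto in LEGACY_PROTOCOLS:
            legacy.setdefault(r["application"], set()).add(r["principal"])
        if r["principal_type"] == "service" and proto not in SHORT_LIVED_PROTOCOLS:
            age = (today - date.fromisoformat(r["credential_issued"])).days
            if age > MAX_SERVICE_CREDENTIAL_AGE_DAYS:
                stale_service[r["principal"]] = age
    return {
        "legacy_by_app": {app: sorted(p) for app, p in legacy.items()},
        "stale_service_credentials": stale_service,
    }


def prioritise(findings: dict) -> list[str]:
    """Order the remediation queue: a service account on a legacy protocol
    with an old static credential ranks first, then stale service
    credentials, then users on legacy protocols."""
    legacy_principals = {p for ps in findings["legacy_by_app"].values() for p in ps}
    stale = findings["stale_service_credentials"]
    both = sorted(p for p in stale if p in legacy_principals)
    stale_only = sorted(p for p in stale if p not in legacy_principals)
    legacy_only = sorted(legacy_principals - set(stale))
    return both + stale_only + legacy_only


def run(today: date = date(2025, 6, 2)) -> list[str]:
    """Convenience entry point over the constructed export."""
    return prioritise(find_gaps(parse_export(SAMPLE_EXPORT), today))
```

Against the constructed export, `run()` puts the backup service account first: it authenticates with basic auth and its credential is over four years old, which is exactly the combination of the two gaps the text calls out. The federated CI workload is skipped by design, since it has no long-lived secret to rotate.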
Privileged access management is a third area where the gap is large. Administrative accounts, particularly those used for break-glass access or for legacy infrastructure management, often retain practices that are well behind the modern user authentication baseline. The reasons are usually historical, since the accounts existed before the modern controls were available and replacing them requires changes to the systems they manage, but the security implications are significant.
What to focus on next
The practical work for security and identity teams over the next two years is largely about closing these gaps rather than introducing entirely new controls: removing legacy authentication protocols from the application portfolio, modernising service-to-service authentication and bringing machine identity into the same management framework as human identity, and extending the modern user authentication controls into the privileged access space, where the gap is largest.
This is unglamorous infrastructure work, but it is where the remaining authentication risk in most enterprises sits. The passkey rollout and the NIST-guidance shift have addressed the easier and more visible parts of the problem. The harder and quieter parts remain, and they are where the next two years of useful authentication work will be done. The organisations that get there first will have a meaningfully lower exposure to the credential-based attacks that continue to dominate enterprise breach analysis.