Bottom line: Security gains from passkey adoption in central IT are negated by uncontrolled shadow IT using weak passwords, presenting organizational challenges for CISOs.
While enterprises migrate their core systems to passwordless passkeys, decentralized cloud services used by business units continue to rely on classical passwords, creating significant security gaps. Attackers deliberately target these unprotected side channels.
Modern enterprises implement passkeys in their main systems — central email applications, HR software and other core applications. The procedure operates as a direct digital handshake between device and server: the server sends an authentication challenge, which the user authorizes via fingerprint or facial recognition on their smartphone or laptop, and the device answers with a signed response bound to that site. No password is transmitted, eliminating attack vectors such as phishing or credential-database theft.
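The handshake described above, as an added model of the WebAuthn assertion flow (not code from the original article or any product it mentions): the server issues a single-use challenge, the device signs it together with the origin it is talking to, and the server rejects replays and responses signed for a look-alike site. The relying-party id, origin and user name are constructed, and HMAC stands in for the device's asymmetric signature so the example runs on the standard library alone (a real authenticator uses a private key that never leaves the device and the server stores only the public key).

```python
import hashlib, hmac, json, secrets

RP_ID = "corp.example"                # assumed relying-party id (constructed)
ORIGIN = "https://mail.corp.example"  # assumed legitimate login origin

class Authenticator:
    def __init__(self):
        self.keys = {}  # rp_id -> device-bound secret; never leaves the device
    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # stand-in for the public key the server keeps
    def get_assertion(self, rp_id, origin, challenge):
        # The browser records the origin it is really talking to in clientDataJSON.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, hmac.new(self.keys[rp_id], to_sign, "sha256").digest()

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials, self.pending = {}, set()
    def register(self, user, key):
        self.credentials[user] = key
    def new_challenge(self):
        self.pending.add(c := secrets.token_urlsafe(32))
        return c
    def verify(self, user, client_data, auth_data, sig):
        data = json.loads(client_data)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.credentials[user], to_sign, "sha256").digest()
        ok = (data.get("type") == "webauthn.get"
              and data.get("challenge") in self.pending        # fresh, not replayed
              and data.get("origin") == self.origin            # not a look-alike site
              and auth_data == hashlib.sha256(self.rp_id.encode()).digest()
              and hmac.compare_digest(expected, sig))
        if ok:
            self.pending.discard(data["challenge"])           # challenge is single-use
        return ok

def demo():
    # Returns (legit_ok, replay_ok, phished_ok) for three constructed scenarios.
    device, rp = Authenticator(), RelyingParty(RP_ID, ORIGIN)
    rp.register("alice", device.register(RP_ID))
    legit = device.get_assertion(RP_ID, ORIGIN, rp.new_challenge())
    legit_ok, replay_ok = rp.verify("alice", *legit), rp.verify("alice", *legit)
    # Same credential, but the challenge was relayed through a look-alike origin.
    phish = device.get_assertion(RP_ID, "https://corp-login.example", rp.new_challenge())
    return legit_ok, replay_ok, rp.verify("alice", *phish)
```

In a real browser the look-alike origin could not even invoke a credential registered for `corp.example`; the origin check on the server is the second line of defence shown here.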
However, this centralized protection architecture breaks down at organizational boundaries. Business units independently subscribe to cloud services such as graphic design tools, data analytics platforms or social media management systems to accelerate processes or circumvent procurement channels. Most of these decentralized applications do not technically support passkey authentication and require users to create classical passwords. Employees use their business email address combined with self-chosen, often weak passwords. The Verizon Global Security Report regularly documents that this exact combination of corporate identity and weak password represents the primary attack vector for attackers.
A further logistical problem arises from shared accounts within business units. Many teams share access to platforms for social media management or project boards. However, passkeys are person-bound and inextricably linked to a single device or cloud account. Simply sharing one login among five team colleagues is organizationally difficult with pure passkeys, which is why business units resort to classical passwords for such group accounts.
This creates new governance requirements for IT management and information security teams: the security gains from passkey migration lose value if the attack perimeter shifts to uncontrolled shadow IT. CISOs must consequently establish control mechanisms — through software procurement policies, approval workflows or risk acceptance processes — to ensure both central standards and acceptable security levels in decentralized systems.
Source: www.it-daily.net · Published June 13, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.