Omdia: Enterprises Still Rely on Passwords as Credential Theft Attacks Escalate
New research shows most organizations lag in IAM maturity despite rising credential theft. Buyers face pressure to replace legacy authentication with adaptive platforms that track behavior and risk.
Password Dependence Persists Despite Known Risks
Enterprises continue to rely on passwords for authentication even as credential theft attacks proliferate across workforce, customer, and third-party access points, according to Omdia's white paper "Controlling Identity Risk: Detecting and Mitigating Identity Threats" published this week. The research, commissioned by ID Dataweb, found that fragmented IAM strategies leave organizations exposed to threats that traditional authentication cannot detect.
The gap matters because credential-based attacks now target multiple identity types simultaneously. Organizations manage an average of 80 machine accounts per user, with non-human identities growing 40% annually. Static authentication checks at login miss suspicious behavior that emerges during transactions, allowing attackers to operate undetected after initial access.
Adaptive Verification Replaces Point-in-Time Checks
Omdia recommends enterprises overhaul IAM to incorporate behavioral analytics, device intelligence, real-time risk scoring, and unified orchestration. This approach analyzes transaction patterns continuously rather than validating identity once at login. T-Mobile reduced daily authentication events from 60-70 to 7-10 using Okta's adaptive access controls, demonstrating how contextual verification cuts friction while improving security.
The shift requires platforms that unify governance across human, non-human, and AI identities. Saviynt's October 2025 expansion of AI-powered Identity Security Posture Management addresses this requirement, covering cloud and on-premises environments in a single system backed by $700M in funding. The product competes against separate tools for identity governance and privileged access management, which create visibility gaps between systems.
Consolidation Tilts Market Toward Converged Platforms
M&A activity in 2025 totaled $96-102B as buyers moved toward integrated platforms. Palo Alto Networks acquired CyberArk for $25B, while CyberArk separately purchased Venafi for $1.5B to add machine identity capabilities. These deals signal that enterprises prefer vendors combining identity governance and privileged access management over point products.
The consolidation pressures specialists. Okta faces scrutiny following high-profile breaches that exposed customer data, prompting Forrester's 2026 IAM trends report to highlight increased FedRAMP and SOC 2 compliance demands. Delinea recently joined Microsoft's Entra ecosystem rather than compete independently. Startups like Beyond Identity, which raised $205M for passwordless authentication, and MojoAuth, claiming 145M identities acquired in three months, challenge incumbents by offering AI-native architecture from the start.
Budget Implications for Security Teams
Buyers must decide whether to upgrade legacy multi-factor authentication or replace it entirely with adaptive platforms. The decentralized identity market reaches $4.9B in 2026, growing at 53.5% CAGR toward $41.7B by 2030, indicating rapid buyer adoption. Organizations already using separate IGA and PAM tools face a choice: continue integrating disparate systems or consolidate to platforms like Saviynt or Cisco Duo that unify these functions.
Permission-level controls reduce misconfigurations and insider risks more effectively than role-based access alone. Fine-grained authorization, identified by Forrester as a heating trend, allows security teams to enforce policies based on specific resource requests rather than broad job functions. This granularity matters most in environments with frequent configuration changes, where overprivileged accounts create exposure.
What to Watch
FIDO passkeys are mainstreaming as biometric adoption slows due to deepfake risks, per Forrester. This creates implementation questions for organizations that invested in biometric authentication in the past two years. Buyers should evaluate whether their current IAM vendor's roadmap includes passkey support and how it integrates with existing authentication methods.
Vendor security posture now directly affects buyer risk profiles. Security teams should audit IAM vendors for MFA enforcement on administrative accounts, third-party access controls, and breach disclosure practices. The post-Okta environment makes vendor diligence a procurement requirement rather than a checkbox exercise. Organizations still using password-based authentication for any user population should model the cost of credential theft incidents against the cost of platform upgrades that eliminate static credentials entirely.
