RSA reinforces passwordless login on the desktop and targets the most critical environments

RSA took advantage of the Gartner IAM Summit in Dallas to take a step forward in an area that many companies have been neglecting: logging into the device itself. The company, known for its “security-first” approach to identity, has announced a suite of passwordless improvements designed to protect access to desktops and laptops, expand coverage in highly regulated sectors, and bring passwordless authentication to customers' own portals and web applications.

The announcement comes at a time when hybrid and remote work have made endpoints one of the primary entry points for attackers, while many organizations still rely on weak or recycled passwords to access their devices.


The desktop, the biggest gap in identity strategy

For years, most identity and access projects have focused on protecting corporate applications, VPNs, SSO, and cloud resources. However, the first point of contact remains the same: the user at the Windows or macOS login screen.

RSA emphasizes that these devices, especially when used remotely, hold sensitive information and provide access to internal networks, yet they still authenticate with credentials that can be stolen through phishing, malware, or leaks. “Passwords fail everywhere, and desktop login is no exception,” the company underscores.

With these new capabilities, RSA aims to close that gap: bringing the passwordless model to the device itself, not only to applications, and doing so consistently across the entire organization.


What RSA includes: NFC, offline mode, and Bluetooth proximity

On the technical side, the new offerings are supported by several key components:

  • Tap-and-go login with RSA iShield Key 2
    Users can authenticate simply by bringing their NFC iShield Key 2 close to a compatible reader, without physically inserting it. This usage model is especially useful in sectors like healthcare or industry, where stations are shared and quick access is critical.
  • Additional options for offline passwordless login
    RSA introduces new alternatives so users can continue authenticating even when the device has no connectivity, including OTP and FIDO2. Furthermore, the company plans to support offline QR codes starting January 2026, ensuring the passwordless flow doesn’t depend on network access.
  • Proximity verification via Bluetooth
    Also starting January 2026, support for proximity checks via Bluetooth for QR-based logins is planned. The goal is to verify that the device generating or approving the authentication is physically near the computer the user is logging in to, increasing security against remote abuse attempts.
  • Full support for passwordless login on macOS
    Beyond Windows, RSA extends the passwordless experience to macOS environments, which is increasingly demanded by companies with mixed fleets of laptops and workstations.

All these capabilities are integrated into RSA® ID Plus, a comprehensive identity and access management platform, and into RSA ID Plus for Microsoft M1, which adds an extra layer of security on top of Microsoft Entra ID.


Beyond Entra ID: covering legacy systems, OT, and data centers

One of the clearest messages from the announcement is RSA’s intention to reach areas that native solutions from major cloud providers don’t always cover comprehensively.

According to RSA, RSA ID Plus enables strong and passwordless authentication for:

  • Data centers and mainframes.
  • Devices joined to Active Directory and PCs/servers using Entra, even with outdated operating system versions.
  • Critical web applications and other services not directly integrated with Microsoft Entra ID.
  • OT environments and non-Microsoft systems.

For security and infrastructure leaders, the appeal lies in orchestrating consistent access policies across hybrid and multi-cloud environments, avoiding “islands” of poorly protected identities in legacy systems.


Regulated sectors: a single factor for doors, PCs, and applications

RSA also places special focus on governments, healthcare, energy, and other highly regulated sectors, where identity is often the key to both physical and logical access.

The new RSA iShield Key 2 is designed for this scenario:

  • Compatible with MIFARE standards for physical access control.
  • Field-updatable firmware, enabling responses to zero-day vulnerabilities without replacing the fleet of keys.
  • Compliance with FIPS 140-3 and key US regulatory frameworks, such as Executive Order 14028 and OMB M-22-09 and M-24-14 guidelines.

In practice, this allows access to buildings, desktop login, and authentication to critical applications to be unified under a single authentication factor, reducing complexity and attack surface.


Bringing passwordless to portals and external users

An important point for a tech-savvy audience is the strengthening of the RSA API to enable passwordless authentication for company portals and personalized web experiences.

Organizations can:

  • Integrate registration and use of passkeys in their B2B or B2C portals.
  • Enhance partner, customer, and supplier access without relying on passwords.
  • Design authentication flows that maintain branding and usability, but are based on modern standards like FIDO2.

This opens the door for passwordless to move beyond internal IT use and become part of the company’s digital experience strategy.


Identity as a security posture: the role of AI

RSA also emphasizes its Identity Security Posture Management (ISPM) approach. Under this term, it groups capabilities that leverage Artificial Intelligence to identify identity risks before they become incidents.

These functions allow for:

  • Discovering identities with excessive privileges or orphaned permissions.
  • Detecting risky configurations and compliance gaps.
  • Prioritizing actions in complex environments with thousands of users, service accounts, bots, and AI agents.

In a context where identity has become the new “perimeter” of the network, this kind of visibility is crucial to implementing realistic Zero Trust strategies.


A clear commitment to a “passwordless-first” identity

With over 9,000 organizations and 60 million identities managed across on-premises, hybrid, and multi-cloud environments, RSA aims to solidify its position as a leading player in high-security identity solutions.

During the Gartner IAM Summit, the company invited attendees to see demos at booth 318 and scheduled a dedicated session with Product Manager Kenn Chong, focused on deploying phishing-resistant passwordless authentication and managing the entire credential lifecycle.

The core message is that the near future of identity is moving toward a passwordless-first model, where passwords are phased out in favor of more robust, reusable, and scalable factors.


FAQs (Frequently Asked Questions)

1. What are the benefits of passwordless login on the desktop versus traditional passwords?
Passwordless desktop login greatly reduces exposure to phishing attacks, credential theft, and password reuse. It also improves user experience by eliminating the need to remember and update complex passwords, and supports Zero Trust policies focused on identity and device security.

2. Can RSA’s passwordless solution be deployed in environments with legacy systems and older Windows versions?
Yes. RSA ID Plus and RSA ID Plus for Microsoft M1 are designed to extend strong and passwordless authentication to data centers, mainframes, Active Directory-connected devices, and PCs/servers with outdated operating systems, enabling a gradual move to a modern model without a total infrastructure overhaul.

3. What does RSA iShield Key 2 offer for regulated sectors like healthcare, energy, or public administration?
iShield Key 2 combines logical authentication and physical access control in a single device, supports standards like MIFARE and FIPS 140-3, and allows firmware updates to respond to emerging threats. This simplifies compliance, reduces credential management complexity, and minimizes the number of tokens or cards each user must carry.

4. Can a company use RSA’s APIs to offer passwordless login to clients and partners on their own portals?
Yes. The latest enhancements to RSA’s API enable integration of passkey registration and authentication, along with other passwordless factors, into custom portals. This helps organizations improve external access security while maintaining brand-consistent user experiences and workflows.

via: Open Security
