[Image: A hospital scene shows a nurse in scrubs walking away from a shared workstation while another doctor approaches from behind to use it. The workstation has a keyboard, a mouse, and a monitor displaying patient information.]
How Continuous Authentication delivers a truly passwordless user experience without the risks of PTA

Why Pass-Through Authentication Breaks Down in Hospitals

What Is Pass-Through Authentication?

Pass-Through Authentication (PTA) lets users log in with their existing credentials by relaying the authentication request to a trusted internal server. Instead of verifying the password in the cloud, PTA routes each login attempt to an on-premises directory, typically Active Directory reached through an authentication agent (Microsoft Entra ID's pass-through authentication agent is the common case), which validates the password and returns only an "allow" or "deny" response. This centralizes password management and gives users one set of credentials for multiple systems.

Because no password or password hash is stored in the cloud directory, PTA satisfies organizations with strict regulatory or data residency requirements. That makes it a common choice in healthcare, finance, government, and other high-compliance sectors. PTA also supports MFA, conditional access, and other policy controls layered on top of the password check.

PTA offers convenience, but it is still a one-time, front-loaded trust mechanism. Once the login is approved, PTA assumes the user remains in control for the remainder of the session. In clinical environments, that is a dangerous assumption. A clinician logs in at a shared workstation, PTA validates the password, and that "trust" is passed to the EHR and other apps. Minutes later, another staff member sits down and uses the same session without re-authenticating. That is not theoretical; it is common.

PTA is neither phishing-resistant nor session-aware; it is a credential relay. In hospitals, where logins are shared, sessions are handed off, and care cannot pause for reauthentication, this model breaks down fast.

Why Hospitals Adopt PTA

Hospitals typically choose PTA for one or more of the following reasons:

  • Cloud-first identity models such as password hash sync or SSO via SAML conflict with their compliance requirements
  • They need tight control over credential management for clinical staff and contractors across multiple locations
  • Shared workstations and federated identity models complicate the enforcement of authentication policies
  • They want to layer MFA or conditional access on top of local controls without exposing credentials to the cloud

For security teams, PTA is a compelling approach to centralize access without compromising data ownership. It offers a lightweight alternative to full-federated identity architectures, which can be complex to manage and administer.

In a healthcare environment where many users do not have assigned devices, PTA's ability to authenticate on shared workstations and keep policy consistent across endpoints makes it appear to be a practical fit.

The Clinical Workflow Problem

Hospitals don’t operate like offices; every second counts, and every delay can impact patient outcomes.

In PTA-enabled environments, the login and access flow typically looks like this:

  1. A clinician begins their shift with a badge tap + password login
  2. PTA authenticates the user against the on-prem domain and grants access to the primary session and all downstream apps
  3. For the rest of the shift, the clinician uses badge taps alone to resume sessions or access shared workstations—no password required
  4. PTA continues to “pass through” the original trust, copying that login context to any application or endpoint they access

This system is designed for speed, but not for identity security.

Why PTA Creates a False Sense of Security

If a clinician walks away without explicitly logging out, whoever walks up next inherits the session and everything it can reach. In many cases the original user's password is still in play on that workstation, compounding the credential exposure.

This exposes hospitals to serious security and compliance gaps, including:

  • Session hijacking: Unauthorized access by staff using someone else’s active session
  • Drive-by access: Unlocked terminals in patient rooms or nurses' stations that anyone can use
  • Credential sharing: Widespread during high-urgency handoffs, where speed is prioritized over policy
  • Regulatory violations: Lack of individual session accountability in high-compliance environments

PTA was not built for the realities of clinical workflows. It assumes a static identity in a dynamic environment, leaving critical systems open to misuse, error, or attack. It looks secure on paper because passwords stay on-premises, but it introduces risks that often go overlooked:

  • Handling unhashed passwords: the on-premises agent receives and validates the plaintext password on every login
  • Exposing downstream applications to unauthorized access once the initial session is open
  • No real-time identity verification on shared workstations after the login

These are not just gaps; they are significant blind spots. In healthcare, that is a risk many CISOs are not willing to take, which leaves organizations compensating with long, complex passwords or other authentication methods that demand heavy user action and new hardware.

The Department of Health and Human Services (HHS) has emphasized the need for phishing-resistant, continuous authentication methods. PTA does not meet that standard: it is static, and it treats the initial login as the only identity check that matters.

Shared Workstations Expose the Flaws

The biggest weakness of PTA becomes apparent in the clinical environment, where access meets urgency.

  • Shared workstations in patient rooms, operating rooms, and nursing stations
  • Users are constantly rotating between shared terminals
  • PTA assumes every login = one user, which invites session misuse and exposes the plaintext password the agent handles at login

PTA is not designed to handle that, and pairing it with SSO does not change the picture. Even when SSO is used at login, the same trust is copied downstream. There is no real-time validation that the person using the session is still the one who logged in.

That’s not passwordless, it’s credential forwarding.

Securing Shared Workstations

Twosense is a Continuous Authentication and Continuous Access Evaluation (CAE) platform that enables a passwordless user experience without the risks of pass-through authentication.

It is a software-only solution that delivers invisible, persistent identity verification from the start of a session to its end. Instead of relying on traditional MFA methods, Twosense uses each user's unique behavioral biometrics—such as typing rhythm, mouse movement, and interaction patterns—as a continuous “something-you-are” factor.

Here’s how it works:

  • A lightweight agent runs invisibly on shared workstations, continuously collecting behavioral biometric signals during a session.
  • These signals are securely transmitted to the Twosense platform, where machine learning models verify whether the user matches their established trust profile.
  • When confidence is high, Twosense lets the user continue working as usual.
  • If behavior deviates from the known profile, Twosense flags or blocks the session, detecting threats such as account sharing and session hijacking.

This behavioral “trust score” becomes a live, context-aware signal used to satisfy identity security and access requirements in real time, without interrupting clinicians or requiring manual input.
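To make the difference between the two models concrete, here is an added toy example (written for this article, not Twosense's or Microsoft's code). It replays the shift flow described above: one password check at login, after which a PTA-style session is never re-evaluated, against a session that keeps scoring a behavioral signal and locks when it stops matching the enrolled user. The single feature (mean inter-key latency), the z-score-based trust score, the 0.5 threshold and the three-strike rule are all assumptions chosen for illustration; real behavioral biometrics use many more signals and models. The sample timings are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class TypingProfile:
    """Enrolled typing rhythm: mean and standard deviation of the
    inter-key latency in milliseconds (assumed single feature)."""
    user: str
    mu: float
    sigma: float

    @classmethod
    def enroll(cls, user: str, latencies_ms: list[float]) -> "TypingProfile":
        # Floor sigma so a very regular typist does not get a profile
        # that rejects every slight variation.
        return cls(user, mean(latencies_ms), max(pstdev(latencies_ms), 1.0))

    def trust_score(self, window_ms: list[float]) -> float:
        """Score in [0, 1]: 1.0 when the live window's mean latency matches
        the enrolled mean, falling linearly with the z-distance and
        reaching 0 at four standard deviations (assumed scoring rule)."""
        z = abs(mean(window_ms) - self.mu) / self.sigma
        return max(0.0, 1.0 - z / 4.0)


class PassThroughSession:
    """PTA-style session: the password is checked once at login and the
    resulting 'allow' is trusted until someone logs out."""

    def __init__(self, user: str, password_ok: bool):
        self.user = user
        self.state = "active" if password_ok else "denied"

    def observe(self, window_ms: list[float]) -> str:
        # Nothing about the live session is ever re-evaluated.
        return self.state


class ContinuousSession:
    """Session that keeps scoring behavioural windows after login and
    locks when the score stays below `threshold` for `strikes` windows
    in a row. The strike count avoids locking on a single odd window."""

    def __init__(self, profile: TypingProfile, threshold: float = 0.5, strikes: int = 3):
        self.profile = profile
        self.threshold = threshold
        self.strikes = strikes
        self.low_in_a_row = 0
        self.state = "active"
        self.scores: list[float] = []

    def observe(self, window_ms: list[float]) -> str:
        if self.state == "locked":
            return self.state
        score = self.profile.trust_score(window_ms)
        self.scores.append(score)
        self.low_in_a_row = self.low_in_a_row + 1 if score < self.threshold else 0
        if self.low_in_a_row >= self.strikes:
            self.state = "locked"  # a real deployment would step up or end the session here
        return self.state


# Constructed sample data: the enrolled clinician types at ~120 ms
# between keys; a second person who sits down at the same workstation
# without a logout types at ~220 ms.
NURSE_ENROLLMENT = [100, 110, 120, 130, 140, 110, 120, 130]
WINDOWS = [
    [115, 125, 120, 118],  # nurse
    [122, 118, 125, 121],  # nurse
    [150, 160, 155, 158],  # nurse, one slow window (distracted)
    [119, 121, 117, 123],  # nurse
    [210, 230, 220, 225],  # other person, session never logged out
    [215, 225, 218, 222],  # other person
    [212, 228, 221, 219],  # other person
]


def run_demo() -> tuple[list[str], list[str]]:
    """Replay WINDOWS through both session models; returns the per-window
    state of the PTA-style session and of the continuous session."""
    profile = TypingProfile.enroll("nurse", NURSE_ENROLLMENT)
    pta = PassThroughSession("nurse", password_ok=True)
    cont = ContinuousSession(profile)
    return ([pta.observe(w) for w in WINDOWS], [cont.observe(w) for w in WINDOWS])


if __name__ == "__main__":
    pta_states, cont_states = run_demo()
    for i, (p, c) in enumerate(zip(pta_states, cont_states), 1):
        print(f"window {i}: PTA={p:7} continuous={c}")
```

The PTA-style session reports "active" for all seven windows, including the three typed by the second person. The continuous session tolerates the nurse's single slow window (one strike, then reset) and locks on the third consecutive low-scoring window from the other typist. Tuning the threshold and strike count is the trade-off between catching a handoff quickly and not interrupting a legitimate user who is having an off moment.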

Twosense automates over 91% of user authentications and includes an SLA guaranteeing detection of unauthorized use within 8.5 minutes of a session or account takeover, closing the window for lateral movement. By eliminating the friction and delays of traditional authentication, Twosense enables hospitals to implement a passwordless user experience without the risks associated with pass-through authentication.

Eliminating Passwords in a Leading U.S. Healthcare System

After deploying Twosense across 17,000 users and 173 critical applications, one leading U.S. hospital saw:

  • 979,000+ passwordless logins completed successfully
  • 91% of authentications automated without user prompts
  • Failed login attempts down 89%, reducing delays, especially during handoffs and shift changes
  • Login-related help desk calls down sharply, freeing both IT and clinical teams for higher-priority work
  • User satisfaction up; many clinicians asked to be enrolled after seeing colleagues benefit

Clinicians began to look for Twosense-enabled workstations for their speed and ease of use. Administrators reported faster logins across the board, along with a noticeable improvement in the speed of care delivery.

This level of automation is crucial in environments where every second spent on authentication is a second not spent on patient care.

Why It Works

Twosense is built for the realities of clinical environments. Unlike traditional authentication solutions, it doesn’t rely on phones, tokens, cameras, or user training. It fits seamlessly into existing infrastructure and uses behavioral biometric signals to deliver:

  • Passwordless access on shared workstations
  • Continuous access evaluation after login
  • A better user experience for clinicians and non-clinical staff
  • Security for every session, not just the login

Final Takeaway for Hospital Security Leaders

Pass-through authentication addresses one aspect of the identity challenge in healthcare, ensuring that credentials are secure and centrally managed. While it simplifies access, it also leaves a critical hole: once logged in, users aren’t verified again. In clinical environments, that’s not just a UX flaw; it’s a security risk.

Twosense fixes that. It enables hospitals to deploy a truly secure, passwordless system with Continuous Authentication that is designed for clinical workflows.

If your hospital uses PTA and is struggling with security blind spots or session-based risks, Twosense can help. Talk to our team of healthcare identity experts today.
