TL;DR: A survey of 252 U.S. security and IT executives found that 86% plan to implement passwordless authentication within 12 months or already have, but 70% are overwhelmed by authentication complexity and 42% cite lack of visibility across practices, according to Axiad. Passwordless only reduces risk when identity architecture, governance, and user experience are aligned.
At a glance
What this is: Axiad’s survey says passwordless momentum is real, but authentication complexity, fragmented controls, and poor visibility are still blocking adoption.
Why it matters: IAM teams need to treat authentication as a governance problem across human, NHI, and agentic access, because complexity drives bypasses, weak oversight, and control gaps.
By the numbers:
- Axiad’s survey of 252 U.S. security and IT executives found that 86% plan to implement a passwordless strategy in the next 12 months, or already have done so.
- 70% of survey respondents said they are overwhelmed by the complexity of their authentication systems.
- 42% of respondents said their organization’s biggest authentication challenges involve a lack of visibility across all authentication practices.
Context
Passwordless authentication promises to reduce phishing exposure and remove one of the most abused human identity failure points. In practice, the article shows that many enterprises still struggle with fragmented authentication estates, inconsistent controls, and administrative burden, which makes rollout harder than the strategy itself.
For IAM programmes, the lesson extends beyond human login journeys. When authentication becomes a patchwork of silos, visibility drops and bypass behaviour rises, which affects human access, machine access, and the governance model needed to keep both under control.
Key questions
Q: How should security teams implement passwordless authentication without creating new bypasses?
A: Start by mapping every login, recovery, and exception path, then remove any route that lets users fall back outside central policy. Passwordless only reduces risk when the organisation can govern the full authentication lifecycle, including enrollment, recovery, and support escalation. If those paths are inconsistent, users will route around the control and the programme will not deliver the intended assurance.
Q: Why does authentication complexity create security risk for IAM programmes?
A: Complexity creates risk because it fragments control ownership, weakens visibility, and makes policy enforcement inconsistent across systems. Once authentication is split across silos, teams cannot reliably tell which users, applications, or privileged paths are using approved methods. That opens the door to bypasses, shadow recovery flows, and control drift.
Q: How do teams know if passwordless authentication is actually working?
A: Look for lower reliance on password fallback, fewer support-driven recoveries, consistent enforcement across all business units, and reduced user pressure to bypass controls. A passwordless programme is working when the organisation can prove the intended method is used by default and the exception rate is both visible and controlled.
Q: What should IAM leaders do when users keep bypassing authentication controls?
A: Treat bypass behaviour as evidence that the control design is misaligned with user reality. Revisit recovery steps, device trust requirements, exception policy, and support processes before adding more enforcement. If users can work around the process easily, the organisation has a governance problem, not just an adoption problem.
Technical breakdown
Why authentication complexity creates governance drift
Authentication complexity is not just an implementation inconvenience. It usually means multiple directories, duplicated policies, inconsistent MFA paths, and varying exceptions across business units or platforms. That creates governance drift, where the organisation can no longer answer the simple question of which authentication controls apply to which identity and under what conditions. Once the estate fragments, risk decisions are made locally instead of centrally, and control assurance becomes unreliable. The article’s evidence points to a familiar failure mode: the more layered the environment, the easier it becomes for users to bypass controls or for teams to lose sight of enforcement consistency.
Practical implication: map every authentication pathway and eliminate unmanaged exceptions before expanding passwordless further.
Passwordless adoption depends on reducing user bypass pressure
Passwordless programs fail when they treat user friction as secondary. If authentication feels slower, more brittle, or harder to recover from than passwords, employees and partners will route around it by using weak fallback paths, shadow workarounds, or informal support requests. That is why friction, administration effort, and recovery design are governance issues, not just UX issues. In a mature model, passwordless must include recovery, device trust, and exception handling that are understandable enough for users and support teams to follow without creating new insecure habits.
Practical implication: test fallback and recovery paths with real users, not just security teams, before enforcing passwordless at scale.
Authentication visibility is the control that turns policy into assurance
Visibility is the difference between declared authentication policy and actual authentication behaviour. Without unified telemetry across directories, applications, devices, and privileged workflows, teams cannot tell whether MFA, passwordless, or certificate-based flows are operating as intended. Visibility also matters for non-human identity, where service accounts and tokens often bypass the user-centric controls that human IAM teams monitor most closely. The article’s concern about disjointed silos is really a control assurance problem: if authentication data is scattered, then risk management is based on assumptions instead of evidence.
Practical implication: consolidate authentication telemetry into one reviewable control plane before using passwordless as a risk-reduction claim.
Threat narrative
Attacker objective: exploit weak or inconsistent authentication paths to gain access, or force users into insecure workarounds that weaken the overall identity control plane.
- Entry occurs through fragmented authentication paths that allow users or attackers to reach inconsistent login surfaces, fallback methods, or bypassable workflows.
- Escalation follows when poor visibility and disjointed silos prevent teams from seeing which identities are still using weaker methods or unsafe recovery paths.
- Impact is broader phishing exposure, more bypass behaviour, and a weaker ability to prove that authentication controls actually reduce enterprise risk.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authentication complexity is a governance failure before it is a technology problem. The article’s core signal is not that passwordless is unpopular, but that fragmented estates make assurance hard to maintain. When multiple silos, inconsistent policies, and uneven recovery paths coexist, identity teams lose the ability to govern one authentication standard across the enterprise. The practical conclusion is that authentication architecture must be simplified before passwordless can be trusted at scale.
Visibility is the real control plane for modern authentication programmes. The survey’s concern about lack of visibility exposes a wider problem: organisations cannot validate control effectiveness when the authentication path is scattered across systems and user groups. This is especially relevant for IAM leaders who must govern human identities, service accounts, and privileged workflows through the same assurance lens. Practitioners should treat unified telemetry as a prerequisite for policy confidence, not an afterthought.
End-user friction is an access-control signal, not just a UX complaint. When 42% of respondents cite friction and 50% say users bypass security controls, the governance issue is clear: controls that are hard to use are controls that will be worked around. That dynamic affects passwordless, MFA, and certificate-based flows alike. The implication is that identity programmes must measure bypass pressure as part of control design and lifecycle governance.
Named concept: authentication sprawl debt. The article describes the accumulated cost of layered silos, inconsistent recovery, and overlapping controls that make identity assurance expensive to operate and hard to defend. This debt grows when teams add new methods without retiring old ones, and it eventually turns authentication into a collection of local exceptions rather than a governed programme. Practitioners should see this as an operating-model problem, not a feature gap.
Passwordless adoption will expose weak lifecycle discipline if governance is immature. Moving away from passwords does not remove the need for access recertification, recovery governance, or exception handling. In fact, it makes those processes more visible because the remaining trust anchors become easier to audit. Teams that cannot document how identities are enrolled, recovered, and retired will struggle to turn passwordless enthusiasm into durable control. The practitioner takeaway is to align authentication change with lifecycle control maturity.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- That same remediation gap is explored further in The 52 NHI breaches Report, where credential persistence repeatedly outlives detection and response.
What this signals
Authentication sprawl debt: the practical risk is not simply that passwordless projects stall, but that every added exception, recovery path, and fallback method increases the cost of proving control effectiveness. When IAM teams cannot see the full path, they cannot govern the trust boundary with confidence.
The next phase for enterprise identity programmes is consolidation, not just adoption. Teams that connect human authentication, non-human access, and privileged workflows into one control model will be better positioned to retire weak fallback paths without creating operational backlash.
The governance signal is clear: if users can still work around the control, the control is not finished. Passwordless succeeds only when recovery, telemetry, and lifecycle processes are mature enough to make bypass behaviour both visible and unnecessary.
For practitioners
- Inventory every authentication path: Document primary, fallback, and recovery methods across all applications and identity stores so teams can see where inconsistent authentication policies exist today.
- Eliminate local exceptions that create bypasses: Review business-unit and application-specific exemptions, then retire any exception that lets users bypass approved authentication policy without central approval.
- Measure friction and support burden together: Track help-desk resets, fallback use, and user complaints as one control health indicator so passwordless adoption does not silently increase workarounds.
- Build unified authentication telemetry: Bring login, recovery, and policy-enforcement events into a single view so IAM, security, and audit teams can validate whether controls are being applied consistently.
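As an added example (not from the article or from Axiad), this is the kind of control-health check that the answer to "How do teams know if passwordless authentication is actually working" and the last two practitioner steps describe: it runs over constructed, normalised login and recovery events from a single telemetry view, computes the per-application fallback rate, and flags recovery events that went through a channel outside central policy. The approved-method sets, the alert threshold and the event fields are assumptions.

```python
from collections import defaultdict

# Hypothetical central policy: approved primary authenticators and
# centrally governed recovery channels. Anything else is a fallback
# or an ungoverned recovery path.
APPROVED_PRIMARY = {"passkey", "platform_authenticator"}
APPROVED_RECOVERY = {"self_service_verified", "helpdesk_identity_proofed"}
FALLBACK_ALERT_RATE = 0.25  # flag an app when > 25% of logins use fallback

# Constructed sample events, not real telemetry. For "recovery" events
# the "method" field holds the recovery channel that was used.
SAMPLE_EVENTS = [
    {"app": "hr-portal", "user": "u1", "kind": "login", "method": "passkey"},
    {"app": "hr-portal", "user": "u2", "kind": "login", "method": "passkey"},
    {"app": "hr-portal", "user": "u3", "kind": "login", "method": "password"},
    {"app": "hr-portal", "user": "u3", "kind": "login", "method": "passkey"},
    {"app": "legacy-erp", "user": "u4", "kind": "login", "method": "password"},
    {"app": "legacy-erp", "user": "u5", "kind": "login", "method": "sms_otp"},
    {"app": "legacy-erp", "user": "u6", "kind": "login", "method": "passkey"},
    {"app": "legacy-erp", "user": "u4", "kind": "recovery", "method": "helpdesk_unverified"},
    {"app": "hr-portal", "user": "u2", "kind": "recovery", "method": "self_service_verified"},
]

def control_health(events):
    """Per-app fallback rate, ungoverned recoveries and policy findings."""
    logins = defaultdict(lambda: {"total": 0, "fallback": 0, "methods": set()})
    recoveries = defaultdict(lambda: {"total": 0, "ungoverned": 0})
    for ev in events:
        app = ev["app"]
        if ev["kind"] == "login":
            logins[app]["total"] += 1
            if ev["method"] not in APPROVED_PRIMARY:
                logins[app]["fallback"] += 1
                logins[app]["methods"].add(ev["method"])
        elif ev["kind"] == "recovery":
            recoveries[app]["total"] += 1
            if ev["method"] not in APPROVED_RECOVERY:
                recoveries[app]["ungoverned"] += 1
    report = {}
    for app in set(logins) | set(recoveries):
        lg, rc = logins[app], recoveries[app]
        rate = lg["fallback"] / lg["total"] if lg["total"] else 0.0
        findings = []
        if rate > FALLBACK_ALERT_RATE:
            findings.append(f"fallback rate {rate:.0%} exceeds {FALLBACK_ALERT_RATE:.0%}")
        if rc["ungoverned"]:
            findings.append(f"{rc['ungoverned']} recovery event(s) outside approved channels")
        report[app] = {"fallback_rate": round(rate, 2),
                       "fallback_methods": sorted(lg["methods"]),
                       "ungoverned_recoveries": rc["ungoverned"],
                       "findings": findings}
    return report
```

An application with an empty findings list is the target state: fallback use stays within the agreed exception rate and every recovery went through a governed channel.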
Key takeaways
- Authentication complexity is the central obstacle to passwordless adoption because fragmented controls prevent consistent governance.
- Axiad’s survey shows strong intent to move to passwordless, but visibility gaps and user bypass pressure still weaken assurance.
- IAM teams should simplify authentication pathways, consolidate telemetry, and align recovery governance before expanding passwordless at scale.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication policies and enforcement are central to the article's governance problem. |
| NIST Zero Trust (SP 800-207) | | Passwordless adoption depends on continuous verification and reduced trust in static credentials. |
| NIST SP 800-63 | | The article focuses on federation, authentication assurance, and recovery design for human identity. |
Use zero trust principles to reduce reliance on passwords and standardise access decisions across contexts.
Key terms
- Passwordless Authentication: An authentication approach that removes the password as the primary login secret and relies on stronger methods such as phishing-resistant authenticators or cryptographic devices. In practice, it only improves security when enrollment, recovery, and fallback paths are governed with the same discipline as the primary login flow.
- Authentication Sprawl: The accumulation of multiple login methods, recovery paths, exceptions, and policy variants across an enterprise. It weakens assurance because identity teams can no longer easily see which method applies where, making governance inconsistent and giving users more opportunities to bypass intended controls.
- Fallback Path: A secondary authentication route used when the primary method fails or is unavailable. Fallback paths are necessary for resilience, but they become a security liability when they are less controlled than the main method, because users and attackers often converge on the weakest available route.
Deepen your knowledge
Passwordless authentication and authentication governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising identity controls while reducing bypass pressure, it is worth exploring.
This post draws on content published by Axiad: Don’t Let Underlying IT Complexity Block Your Road to Successful Authentication. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org