By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: A 2022 Authentication Survey of 252 U.S. security and IT executives found 86% plan to implement passwordless or already have, while 70% say authentication complexity overwhelms them, according to Axiad. That gap shows authentication programmes still fail when architecture, visibility, and user experience are treated separately.


At a glance

What this is: This is Axiad's survey-based analysis of why authentication programmes stall, with complexity, visibility gaps, and user friction emerging as the main blockers to passwordless adoption.

Why it matters: It matters because authentication decisions now shape risk management, admin effort, and control bypass across human identity programmes, even when the end goal is broader IAM simplification.

By the numbers:



Context

Authentication programmes fail when the environment is too fragmented to support consistent decisions about identity, access, and user experience. In this case, the core problem is not passwordless as a concept, but the underlying complexity that makes it difficult to operate securely at enterprise scale.

For IAM teams, the lesson is that authentication design cannot be separated from governance. When visibility is weak and controls are disjointed, users look for shortcuts, administrators absorb too much overhead, and the security model becomes harder to defend even before the organisation reaches passwordless maturity.


Key questions

Q: How should teams roll out passwordless authentication without creating new bypass risks?

A: Start with the authentication paths that create the most friction and operational inconsistency, then simplify the control model before broad rollout. Passwordless works best when recovery, fallback, and exception handling are designed up front. If users or helpdesk teams can route around the intended path, the programme has not reduced risk, it has redistributed it.

Q: Why does authentication complexity increase security risk even when controls are stronger?

A: Complexity increases risk because strong controls do not help if they are applied inconsistently across silos, legacy systems, and recovery paths. When the environment is fragmented, users bypass controls and administrators lose visibility into how identity is actually being verified. Security fails when assurance is uneven, not only when controls are absent.

Q: What signals show that a passwordless programme is not working in practice?

A: Rising helpdesk volume, repeated fallback use, excess admin effort, and growing exception requests are all signs that the programme is fragile. If those signals appear, the issue is usually not the authentication method itself but the surrounding operating model. A workable programme should reduce friction while preserving consistent assurance.

Q: How should security teams decide whether to modernise authentication or stabilise existing systems first?

A: If authentication paths are fragmented, visibility is poor, and support effort is already high, stabilising the current environment comes first. Modernisation without simplification usually adds another layer of inconsistency. Teams should fix the control plane, then scale passwordless where the operating model can support it.


Technical breakdown

Why fragmented authentication architectures create control gaps

Fragmented authentication usually means multiple silos, inconsistent policies, and overlapping tools that do not share a single control model. That creates drift between what security teams think is enforced and what users actually experience. In practice, the more disjointed the authentication stack becomes, the easier it is for exceptions, bypasses, and unreviewed access paths to accumulate. The problem is not only operational inefficiency. It is that every disconnected decision point weakens assurance across the identity lifecycle, from enrolment to step-up verification and recovery.

Practical implication: map every authentication path and remove duplicate control ownership before pursuing broader passwordless rollout.

Passwordless adoption depends on balancing security and usability

Passwordless succeeds only when it reduces risk without making access so awkward that users or support teams work around it. The article's findings show that friction is not a secondary concern. It is a security factor because frustrated users will bypass controls, and overloaded administrators will struggle to maintain policy consistency. A mature programme treats user experience, helpdesk load, and assurance as linked variables rather than separate goals. That is especially important where phishing resistance, certificate handling, and recovery processes must coexist.

Practical implication: test passwordless flows against real support, recovery, and fallback scenarios before scaling to the wider workforce.

What underlying IT complexity does to authentication operations

Underlying IT complexity is the accumulation of legacy applications, inconsistent directories, and mixed authentication methods that make policy enforcement hard to standardise. In this environment, teams spend too much time on exception handling, expired credentials, and manual remediation. The result is that security is maintained by effort rather than by design. When authentication operations rely on heroics, they do not scale. The programme may still function, but it becomes expensive, brittle, and difficult to audit.

Practical implication: prioritise automation and rationalisation of legacy authentication dependencies before expanding policy scope.


NHI Mgmt Group analysis

Authentication complexity is a governance failure, not just an implementation nuisance. The article shows that 70% of respondents are overwhelmed by authentication complexity while 42% cite a lack of visibility across practices. That combination means the control plane is already fragmented before any passwordless migration begins. The practitioner conclusion is that authentication governance has to be redesigned as a system, not patched product by product.

Identity attack surface grows when authentication is managed as a set of disconnected exceptions. Multiple silos, inconsistent user journeys, and separate admin processes create more places where assurance can break down. This is where the named concept of authentication sprawl matters: the more paths that exist to prove identity, the harder it is to enforce consistent assurance across them. The practitioner conclusion is to reduce path diversity before adding new methods.

Friction is a security signal because users and administrators both route around pain. The survey found 42% of respondents called end-user friction a top challenge, while 45% pointed to high administrative effort. That tells us passwordless programmes fail when the operating model ignores human behaviour and support load. The practitioner conclusion is that adoption depends on making the secure path the easiest path.

Passwordless is not a finish line if recovery and exception handling remain weak. The article's strongest implication is that eliminating passwords does not eliminate operational risk if backup access, reset workflows, and legacy application dependencies are still brittle. A modern authentication programme must account for the cases that fall outside the ideal flow. The practitioner conclusion is to treat fallback and recovery as core governance controls, not edge cases.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For broader lifecycle context, the Top 10 NHI Issues shows how visibility and rotation failures combine into persistent identity risk.

What this signals

Authentication sprawl: as organisations add more login methods, recovery paths, and exception workflows, the governance challenge shifts from user sign-in to control-plane consistency. The more places assurance can diverge, the more likely teams are to trade security for convenience. That is why passwordless programmes need an operating model, not just a new authentication method.

With only 5.7% of organisations having full visibility into their service accounts, according to the Ultimate Guide to NHIs, identity teams should expect the same visibility problem to surface wherever authentication is fragmented. The programme signal is clear: simplify paths first, then automate the ones that remain.

Teams that pursue passwordless without cleaning up legacy dependencies will keep paying the cost in exceptions, admin effort, and support load. The near-term priority is to make authentication measurable, governable, and recoverable across all user journeys.


For practitioners

  • Inventory every authentication path: Document primary login flows, step-up paths, recovery processes, and application-specific exceptions so you can see where the same user is being authenticated in different ways. Align control ownership across identity, security, and application teams before adding new methods.
  • Reduce authentication silos before expanding passwordless: Consolidate duplicated directories, authentication policies, and admin workflows where possible. The goal is to eliminate inconsistent enforcement points that create bypass opportunities and operational drift.
  • Measure friction as a security metric: Track helpdesk calls, reset volume, fallback usage, and bypass requests alongside authentication success rates. If those numbers rise after a rollout, the programme is creating workarounds rather than reducing risk.
  • Automate the repetitive recovery work: Use automation for expired credentials, reset workflows, and routine remediation so administrators are not the control plane. That reduces cost while improving consistency in high-volume authentication operations.
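The friction metric described above, as an added example that is not part of the original post: it rolls constructed authentication events up by week, computes the share of events that were fallback, reset or bypass requests, flags weeks where that share jumps after a baseline (rollout) week, and lists users who fall back repeatedly. The event names, week labels and the 10-point alert threshold are assumptions for illustration.

```python
"""Friction-as-a-security-metric over constructed auth events (added example)."""
from collections import defaultdict

# Constructed sample events: (iso_week, user, event_type).
# 2025-W01 is the pre-rollout baseline; 2025-W02 is the first week after a
# hypothetical passwordless rollout. Event names are assumptions.
EVENTS = [
    ("2025-W01", "alice", "auth_success"), ("2025-W01", "carol", "auth_success"),
    ("2025-W01", "dave", "auth_success"),  ("2025-W01", "erin", "auth_success"),
    ("2025-W01", "frank", "auth_success"), ("2025-W01", "grace", "auth_success"),
    ("2025-W01", "bob", "fallback_otp"),   ("2025-W01", "bob", "helpdesk_reset"),
    ("2025-W02", "alice", "auth_success"), ("2025-W02", "carol", "auth_success"),
    ("2025-W02", "bob", "fallback_otp"),   ("2025-W02", "dave", "fallback_otp"),
    ("2025-W02", "erin", "helpdesk_reset"), ("2025-W02", "frank", "helpdesk_reset"),
    ("2025-W02", "grace", "bypass_request"),
]

# Event types that indicate users or helpdesk routing around the intended path.
FRICTION = {"fallback_otp", "helpdesk_reset", "bypass_request"}


def friction_by_week(events):
    """Return {week: {"events": n, "friction_rate": share, "by_type": {...}}}."""
    weeks = defaultdict(lambda: {"events": 0, "friction": 0, "by_type": defaultdict(int)})
    for week, _user, kind in events:
        w = weeks[week]
        w["events"] += 1
        if kind in FRICTION:
            w["friction"] += 1
            w["by_type"][kind] += 1
    return {wk: {"events": w["events"],
                 "friction_rate": round(w["friction"] / w["events"], 3),
                 "by_type": dict(w["by_type"])} for wk, w in weeks.items()}


def rollout_alerts(metrics, baseline_week, max_increase=0.10):
    """Weeks whose friction rate exceeds the baseline by more than max_increase (absolute)."""
    base = metrics[baseline_week]["friction_rate"]
    return sorted(wk for wk, m in metrics.items()
                  if wk != baseline_week and m["friction_rate"] - base > max_increase)


def repeat_fallback_users(events, min_count=2):
    """Users who used a fallback method at least min_count times (repeated fallback signal)."""
    counts = defaultdict(int)
    for _week, user, kind in events:
        if kind == "fallback_otp":
            counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= min_count)


if __name__ == "__main__":
    m = friction_by_week(EVENTS)
    print(m, rollout_alerts(m, "2025-W01"), repeat_fallback_users(EVENTS))
```

A rising friction rate after rollout is the signal the text describes; the per-type breakdown tells you whether the driver is fallback use, reset volume or explicit bypass requests.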

Key takeaways

  • Authentication complexity, not passwordless itself, is the main blocker when identity controls are fragmented across silos and recovery paths.
  • The survey shows broad intent to adopt passwordless, but the same organisations still struggle with visibility, friction, and administrative load.
  • Teams should simplify and automate the existing authentication control plane before scaling new methods, or users will bypass the programme.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
------------------------------|---------------------|----------------------------------------------------------------------------------
NIST CSF 2.0                  | PR.AC-1             | Authentication assurance depends on consistent access control decisions across systems.
NIST SP 800-63                |                     | Digital identity assurance and recovery are central to passwordless adoption.
NIST Zero Trust (SP 800-207)  | PR.AC               | Zero Trust requires continuous verification across fragmented identity paths.

Standardise authentication policy enforcement and remove inconsistent access paths before expanding passwordless.


Key terms

  • Authentication sprawl: Authentication sprawl is the condition where an organisation uses too many login methods, recovery paths, and policy exceptions to maintain consistent assurance. It creates overlapping control points that are difficult to govern, audit, and standardise across the enterprise, especially when legacy applications remain in use.
  • Passwordless authentication: Passwordless authentication is a login approach that removes the password as the primary factor and replaces it with stronger methods such as cryptographic keys, device-bound credentials, or biometrics. Its security value depends on the surrounding recovery, fallback, and governance model, not on the method alone.
  • Authentication visibility: Authentication visibility is the ability to see how identity is actually being verified across applications, devices, and user journeys. It matters because inconsistent or hidden authentication paths create blind spots, making it hard to enforce policy, measure risk, or prove that controls are working as intended.
  • Recovery flow: A recovery flow is the process used when a user cannot complete their normal authentication path. In mature identity programmes, recovery is governed as a security control because weak reset or fallback processes can become the easiest way around stronger authentication methods.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Don’t Let Underlying IT Complexity Block Your Road to Successful Authentication.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org