By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: Prove IdentityPublished August 7, 2025

TL;DR: A Prove survey of 2,000 Americans found that 83% are frustrated by the complexity of creating new online accounts, 60% would abandon account opening if verification takes more than 40 seconds, and 51% would switch brands because of slow identity verification. Slow identity proofing is no longer a UX nuisance, but a conversion and trust control issue that IAM and identity verification teams must treat as a governance problem, not just a design choice.


At a glance

What this is: This survey shows that consumers are losing patience with passwords and slow identity verification, with abandonment and brand switching now tied to verification friction.

Why it matters: It matters because identity verification, authentication flow design, and account-opening controls increasingly shape fraud risk, conversion rates, and customer trust across identity programmes.

By the numbers:

👉 Read Prove Identity's survey on password fatigue and identity verification friction


Context

Consumer identity verification fails when organisations optimise for frictionless onboarding in one place and rely on brittle, password-heavy flows in another. In this survey, the pressure point is clear: customers are comparing speed, trust, and convenience at the moment of account creation, not only during login.

For IAM, fraud, and identity verification teams, the issue is not just user annoyance. Slow proofing creates drop-off, weakens conversion, and can push users toward workarounds that increase account recovery risk and policy exceptions. That makes it a lifecycle governance problem, not simply a front-end experience issue.


Key questions

Q: How can organisations reduce repeated identity verification without losing assurance?

A: By standardising identity evidence across systems so the same subject is not forced to re-prove identity at every touchpoint. Centralised proofing policy, shared assurance signals, and tighter lifecycle governance reduce friction while keeping the trust decision consistent across onboarding, access, and recovery.

Q: Why do slow verification flows increase fraud and abandonment risk?

A: Slow flows push legitimate users to quit, reuse passwords, or choose easier recovery paths, which creates openings for abuse. The problem is not speed alone but the temptation to trade assurance for completion. Strong programmes measure both customer friction and fraud outcomes together.

Q: What do security teams get wrong about passwordless authentication?

A: The most common mistake is treating passwordless as a user-experience upgrade instead of an identity control change. Teams often focus on the login screen and ignore recovery, lifecycle governance, and fallback authentication, which is where many of the real risks emerge.

Q: Who is accountable when identity verification causes customer drop-off?

A: Accountability usually sits across IAM, fraud, product, and digital experience teams because verification design affects security, revenue, and customer trust at the same time. The right governance model assigns clear ownership for approval thresholds, fallback paths, and recovery controls.


Technical breakdown

Why slow identity proofing breaks account opening flows

Identity proofing is the process of establishing that a real person is who they claim to be before granting access or creating an account. When the process takes too long, users abandon the flow, reuse weak credentials, or move to channels with weaker controls. In regulated environments, that tradeoff affects both fraud posture and customer acquisition. The technical problem is often not authentication alone, but the number of step-ups, data entry points, and manual checks inserted before trust is established.

Practical implication: reduce unnecessary proofing steps and measure abandonment at each verification stage.

Phone-based authentication and the shift away from passwords

Phone-based authentication typically uses the device, SIM, network signal, or cryptographic token binding to anchor identity to a possession factor. That can reduce the burden of memorised passwords, but only if the implementation resists SIM swap, number recycling, and recovery abuse. The architectural point is that the phone is not inherently a guarantee of identity. It is one signal in a risk-based identity stack that should be evaluated alongside device history, behavioural signals, and fraud indicators.

Practical implication: treat phone signals as one input in a layered assurance model, not as a standalone trust decision.

Why verification speed and fraud controls must be designed together

A faster onboarding path can still be secure if the assurance decision is built from lower-friction signals and targeted step-up checks. The key is separating routine low-risk enrolment from higher-risk cases that justify stronger verification. This is where identity governance intersects with fraud operations. Teams need policy logic that routes users based on risk rather than forcing every applicant through the same high-friction sequence, which is usually where abandonment rises most sharply.

Practical implication: implement risk-based routing so higher assurance is reserved for genuinely higher-risk registrations.


Threat narrative

Attacker objective: The objective is to exploit weak or rushed identity processes to gain fraudulent access, reuse customer accounts, or benefit from degraded onboarding controls.

  1. Entry occurs during account creation, where slow or confusing verification pushes users toward weaker workarounds or abandonment.
  2. Escalation follows when recovery paths, reused passwords, or rushed proofing increase exposure to identity fraud and account takeover.
  3. Impact lands in lost conversions, weaker trust, and a larger operational burden on support and fraud teams.

NHI Mgmt Group analysis

Slow identity verification is now a governance issue, not a UX nuisance. Consumers are signalling that verification friction directly affects whether they finish onboarding, which means identity teams cannot evaluate assurance in isolation from conversion and abandonment. The practical lesson is that identity verification policy must be measured as part of business risk, not only security risk.

Identity proofing needs a named design concept: verification friction debt. This is the accumulated cost of adding steps, checks, and recovery paths without understanding how they erode trust and increase workarounds. When verification friction debt grows, users either leave or take shortcuts, and both outcomes weaken the control environment. Practitioners should treat this as a lifecycle management problem spanning enrolment, recovery, and re-authentication.

Phone-centric signals can reduce password dependence, but they do not remove identity risk. A phone is a useful possession signal, yet it can be undermined by SIM swap, number recycling, and account recovery abuse. The identity governance challenge is to decide where the phone is enough, where it is only one signal, and where stronger assurance is required.

Digital identity programmes should align assurance with user value and fraud exposure. High-friction flows are hard to justify for low-risk transactions, but low-friction pathways can create exposure if they are not bounded by risk scoring and step-up logic. Teams should redesign assurance policies so that friction is deliberate, measurable, and linked to account value and abuse potential.

Consumer tolerance for delay is collapsing faster than many identity roadmaps. The survey data suggests that customer patience has become a control variable, not a soft preference. Practitioners should use that reality to challenge legacy onboarding designs that still assume users will tolerate repeated password resets, manual verification, and lengthy exceptions.

What this signals

Verification friction debt is becoming a useful way to describe the hidden operational cost of over-complex identity journeys. When onboarding, recovery, and authentication are designed independently, organisations accumulate friction that users convert into abandonment or risky shortcuts. That is why identity verification should be governed as a lifecycle control, not just a front-end journey.

The shift toward phone-centric trust signals will keep pressure on IAM and fraud teams to define what counts as sufficient assurance in different contexts. Mature programmes will separate low-risk customer journeys from high-risk ones, then use policy to route users into the lightest control that still meets the risk target.

The identity lesson is broader than consumer onboarding: if 80% of identity breaches involve compromised non-human identities, according to the Ultimate Guide to NHIs, then organisations already understand how costly weak identity governance can be. The same discipline now needs to extend to customer identity flows, where poor design can create both security exposure and commercial loss.


For practitioners

  • Measure abandonment at each verification step Instrument the onboarding funnel so you can see exactly where users drop out, including identity proofing, step-up challenges, and recovery handoffs. Use that data to distinguish necessary assurance from avoidable friction.
  • Replace password-centric onboarding with layered assurance Reduce dependence on memorised credentials by combining device signals, possession checks, and risk scoring. Keep passwords out of the critical path where a lower-friction trust signal can safely do the job.
  • Design step-up rules for high-risk registrations Reserve stronger verification for transactions, geographies, or account types with greater fraud exposure. A single policy for all users usually creates more friction than it prevents.
  • Review recovery flows as part of identity governance Audit account recovery, password reset, and phone-number change paths for abuse opportunities. Recovery is often where otherwise strong identity controls are bypassed.
  • Link verification policy to fraud and conversion metrics Track fraud loss, support load, and completion rates together so security decisions can be evaluated against customer impact. Identity verification should be tuned as a business control, not a static compliance step.

Key takeaways

  • Slow identity verification is now a control problem because it affects both abandonment and fraud exposure.
  • The survey data shows that consumer patience is limited, with 60% willing to abandon onboarding after 40 seconds.
  • IAM and identity verification teams should treat verification friction as measurable governance debt, not a cosmetic UX issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and enrollment are central to this consumer verification survey.
NIST CSF 2.0PR.AC-1Identity proofing and access establishment map to identity and credential management.
GDPRArt.32Consumer identity verification processes often involve personal data and security safeguards.
NIST SP 800-53 Rev 5IA-4Identifier management is directly relevant to account creation and recovery flows.
NIST Zero Trust (SP 800-207)Risk-based access decisions support continuous verification in zero trust designs.

Use zero trust principles to route users into the least-friction verification path that still meets risk.


Key terms

  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before account creation or access is granted. In practice, it combines documents, device signals, behavioural evidence, and policy checks to reach an assurance level appropriate to the risk.
  • Access Friction: Access friction is the delay, inconsistency, or effort a person experiences when trying to reach a system or task. It becomes a governance issue when it is high enough to encourage shortcuts, exceptions, or support-heavy workarounds that weaken the intended control model.
  • Step-Up Authentication: Step-up authentication is an additional verification requirement triggered when risk increases, such as a new device, high-value transaction, or suspicious location. It allows organisations to keep routine journeys light while applying stronger controls only where assurance needs rise.
  • Phone-Centric Identity: Phone-centric identity uses mobile device, number ownership, and reputation signals to infer trust. It is designed to reduce dependence on physical documents by leveraging indicators that are harder to counterfeit and easier to reassess during onboarding, recovery, and ongoing authentication.

What's in the full report

Prove Identity's full survey report covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of password habits and abandonment thresholds across the 2,000-person survey sample.
  • Additional findings on preferred authentication methods, including phone-based identity and biometric sentiment.
  • The survey's consumer-response detail for financial services, banking, and account-opening journeys.
  • The broader methodology and question set behind the 2022 Passwords & Authentication Consumer Trends Report.

👉 The full Prove Identity report includes the survey findings, methodology, and consumer authentication preferences.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and identity lifecycle controls. It helps security practitioners build the governance discipline needed to manage identity risk across human and non-human programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org