By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Governance & Risk | Source: Axiad

TL;DR: Authentication complexity is overwhelming 70% of security and IT professionals, while almost 85% of organisations experienced a cyberattack last year and nearly 9 in 10 plan passwordless adoption, according to Axiad and cited survey data. The real issue is not feature choice but whether MFA, phishing resistance, and user friction are governed as one identity programme.


At a glance

What this is: An analysis of enhanced authentication and the tradeoffs between MFA, phishing resistance, passwordless access, and user friction.

Why it matters: Authentication design decisions now affect human IAM, NHI access patterns, and the governance assumptions that teams use across identity programmes.

By the numbers (from the Axiad survey data cited above):

  • 70% of security and IT professionals report being overwhelmed by authentication complexity.
  • Almost 85% of organisations experienced a cyberattack last year.
  • Nearly 9 in 10 organisations plan passwordless adoption.


Context

Enhanced authentication is no longer just a human login problem. It sits at the intersection of identity assurance, phishing resistance, user friction, and programme sprawl, especially when organisations run multiple MFA methods across separate IAM stacks. The control in question is authentication, but the real governance question is whether each added control reduces attack surface or simply adds another disconnected checkpoint.

The article argues that organisations are moving toward passwordless and phishing-resistant approaches because legacy password dependence is no longer defensible on its own. That makes authentication design a policy and architecture issue, not a product selection exercise. For identity teams, the challenge is coordinating assurance, usability, and consistency across human access, service credentials, and any machine-facing authentication flows.


Key questions

Q: How should security teams choose between different MFA methods?

A: They should choose based on phishing resistance, assurance strength, and operational fit, not on the generic label MFA. Push approval, OTP, and token-based methods do not provide the same level of protection. High-risk access should use authenticators that bind the session to the real user and reduce replay or approval abuse.

Q: Why do authentication silos create security risk?

A: Authentication silos create risk because different applications and identity systems enforce different assurance levels, recovery paths, and exception rules. That inconsistency makes governance harder and creates gaps attackers can exploit. A uniform policy model reduces confusion, support overhead, and weak fallback behaviour across the enterprise.

Q: When should organisations prioritise passwordless over legacy password-based login?

A: Organisations should prioritise passwordless when they can replace the weak fallback paths, exception handling, and user friction that often keep password systems alive. Passwordless only improves security if it removes shared-secret dependence without creating brittle recovery workflows or shadow bypasses.

Q: How can teams tell whether authentication controls are actually working?

A: They should measure bypass rates, exception volumes, help desk reset demand, and the consistency of authenticator strength across applications. If users keep escaping into weaker paths or support teams keep creating local exceptions, the control is not functioning as a stable programme.


Technical breakdown

MFA fragmentation and authentication silos

Multi-factor authentication is not a single control. Different implementations rely on push approval, one-time codes, hardware tokens, FIDO-style phishing-resistant methods, or layered combinations of these. When organisations deploy multiple methods across teams, applications, and operating systems without a common policy model, the result is inconsistent assurance and uneven user experience. That creates bypass pressure, exception handling, and administrative drift. The article points to this fragmentation as a practical barrier to improving security posture, not just a usability nuisance.

Practical implication: standardise authentication policy across applications and identity stores so silos do not create uneven control strength.

Phishing resistance versus prompt bombing

Phishing-resistant MFA binds the authentication event to the legitimate user and the intended destination (for FIDO2/WebAuthn, the credential is scoped to the origin that registered it), so a credential captured or relayed through a lookalike site is useless there. By contrast, push-based MFA can be abused through prompt bombing, where repeated approval requests wear down the user until one is accepted; number matching reduces blind approvals but does not bind the approval to the origin, so it does not make push MFA phishing-resistant. That is a failure of control design, not user discipline. The article uses this contrast to show why the label MFA is too broad to guide governance decisions on its own.

Practical implication: differentiate between MFA categories and prioritise phishing-resistant methods for high-value access paths.
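The approval-abuse pattern described above is detectable in push-MFA logs if the identity provider records denied and timed-out prompts, not only approvals. The following Python script is an added example written for this page, not code from Axiad or from the original article; the log format and field names, the constructed log lines, and the threshold of three rejections within ten minutes are all assumptions. It flags an approval that follows a burst of rejected or unanswered prompts for the same user, which is the signature of a worn-down user accepting a request they did not initiate.

```python
"""Flag push-MFA approvals that follow a burst of rejected or unanswered prompts.

Added illustration for this page (not Axiad's code). The log format below is
a constructed, hypothetical export; adapt parse_line() to your IdP's fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice rejects or ignores four pushes and then approves
# one (prompt-bombing signature); bob approves a single push; carol uses FIDO2.
SAMPLE_LOG = """\
2025-09-16T08:01:02Z user=alice method=push result=denied src=203.0.113.7
2025-09-16T08:01:40Z user=alice method=push result=timeout src=203.0.113.7
2025-09-16T08:02:15Z user=alice method=push result=denied src=203.0.113.7
2025-09-16T08:02:50Z user=alice method=push result=timeout src=203.0.113.7
2025-09-16T08:03:30Z user=alice method=push result=approved src=203.0.113.7
2025-09-16T08:05:00Z user=bob method=push result=approved src=198.51.100.9
2025-09-16T09:10:00Z user=carol method=fido2 result=approved src=198.51.100.9
"""

REJECTED = {"denied", "timeout"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (hypothetical format)."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_prompt_bombing(log_text, window=timedelta(minutes=10), min_rejections=3):
    """Return one alert per push approval preceded by >= min_rejections
    rejected or unanswered push prompts for the same user inside `window`.

    Only method=push events are considered: origin-bound authenticators such
    as FIDO2 have no approval prompt to bomb, so they are skipped.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(list)  # user -> timestamps of recent rejected prompts
    alerts = []
    for ev in events:
        if ev.get("method") != "push":
            continue
        user = ev["user"]
        # Keep only rejections still inside the sliding window.
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        if ev["result"] in REJECTED:
            recent[user].append(ev["ts"])
        elif ev["result"] == "approved":
            if len(recent[user]) >= min_rejections:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "prior_rejections": len(recent[user]),
                    "src": ev.get("src"),
                })
            # An approval closes the burst either way.
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(f"ALERT prompt-bombing: {alert}")
```

Treat a hit as a likely session compromise rather than a user-awareness ticket: revoke the session that the approval created, and check whether that access path still needs to accept push at all where a phishing-resistant method is available.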

Passwordless adoption and user friction

Passwordless strategies aim to remove the shared secret from the login flow, which can reduce credential theft and lower user burden if implemented well. But the governance issue is not only whether passwords disappear. It is whether the new method preserves strong assurance while avoiding excessive friction that leads users to bypass controls or reuse weaker paths. The article’s point is that secure authentication has to be operationally usable, or teams will create shadow exceptions that undermine the programme.

Practical implication: evaluate passwordless rollouts against both security assurance and exception rates, not convenience alone.




NHI Mgmt Group analysis

Authentication complexity is an identity governance failure, not a user inconvenience. The article shows that many organisations now run overlapping MFA methods, siloed identity systems, and inconsistent user experiences. That is a governance problem because assurance becomes uneven across access paths, and uneven assurance is easier to bypass. Practitioners should treat authentication architecture as a policy standardisation issue, not a collection of local tooling choices.

Phishing-resistant authentication is the control boundary that matters, not generic MFA adoption. Push-based MFA can still be defeated through pressure-based approval abuse, while stronger methods bind the user to the session and reduce replay. The editorial lesson is that teams must stop treating all MFA as equivalent. Practitioners should separate authenticators by resistance level and apply stronger controls to higher-risk access.

Authentication silos create assurance debt: when different business units, platforms, or operating systems use different authentication patterns, the organisation inherits a permanent inconsistency in trust decisions. That inconsistency is hard to measure and harder to govern over time. It also increases exception handling, which is where identity programmes often weaken. Practitioners should read fragmented authentication as a control debt problem, not a roadmap detail.

Passwordless is a governance simplification only if it removes both friction and weak fallback paths. The article correctly points out that users will route around overly complex systems. That means passwordless adoption has to be judged on how completely it replaces vulnerable flows, not on whether it adds another option. Practitioners should treat fallback design as part of the control itself.

Enhanced authentication only becomes durable when identity teams align assurance, usability, and policy enforcement. The article’s broader signal is that authentication is now a programme-wide control surface spanning human access and adjacent machine access patterns. The organisations that win here will be the ones that standardise decision criteria across environments instead of accumulating exceptions. Practitioners should use the authentication programme to rationalise identity architecture.


What this signals

Authentication debt is becoming identity debt. As teams add more methods to solve phishing, usability, and recovery problems, they often create a wider policy surface instead of a simpler one. The programme signal is clear: consolidate assurance rules before the exception list becomes the real authentication architecture.

With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, authentication is only one side of the access problem. The other side is whether the session, once established, is constrained tightly enough to limit damage. Teams that separate login design from privilege design will miss the real control gap.

Assurance consistency gap: this is the point where organisations believe they have a single authentication standard, but operational reality shows multiple levels of trust across apps and platforms. That gap will matter more as passwordless and phishing-resistant methods spread unevenly. Teams should map where stronger authentication stops and weaker fallback still governs.


For practitioners

  • Classify authentication methods by assurance level: separate phishing-resistant methods, push-based MFA, OTP, and passwordless flows into a formal control catalogue so business owners can see which paths still rely on weaker approval patterns.
  • Remove disjointed authentication silos: map all IAM ecosystems, operating systems, and major applications to the authentication methods they accept, then eliminate duplicate control stacks where they create inconsistent policy and support overhead.
  • Prioritise phishing-resistant access for high-risk roles: apply the strongest available authentication to administrator, financial, developer, and remote access paths first, since those sessions produce the greatest compromise impact if approval abuse succeeds.
  • Design passwordless rollouts with fallback governance: require explicit approval for fallback methods, document when they are allowed, and review whether they reintroduce the same password or approval weaknesses the programme was meant to remove.
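The four items above amount to one procedure: catalogue authenticators by assurance, map each access path to every method it accepts, fallbacks included, and compare the weakest accepted method with what the path's risk tier requires. The Python below is an added example written for this page, not code from Axiad or from the original article. The assurance ranks, the risk tiers and the application inventory are assumptions constructed for the demonstration; the principle it implements is the one in the text: the assurance an access path actually provides is that of the weakest method it still accepts, which is usually a fallback.

```python
"""Assurance catalogue and fallback-gap check for access paths.

Added illustration for this page (not Axiad's code). The ranks, tiers and
inventory below are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field

# Control catalogue: authenticators ranked by resistance to phishing and
# approval abuse (higher is stronger). Ranks are an assumption, not a standard.
ASSURANCE = {
    "password": 0,
    "sms_otp": 1,
    "totp": 1,
    "push": 2,               # phishable: prompt bombing, AitM relay
    "push_number_match": 2,  # stops blind approval, still not origin-bound
    "fido2": 4,              # origin-bound, phishing-resistant
    "passkey": 4,
    "smartcard_piv": 4,
}

# Minimum rank required per risk tier (assumption): strongest for the paths
# whose compromise does the most damage.
REQUIRED = {"admin": 4, "finance": 4, "developer": 4, "remote_access": 4, "standard": 2}


@dataclass
class AccessPath:
    app: str
    tier: str
    primary: list                                  # methods offered by default
    fallback: list = field(default_factory=list)   # recovery / exception methods


def effective_assurance(path):
    """Return (rank, method, source) for the weakest method the path accepts.

    An attacker picks the path of least resistance, so fallbacks count fully.
    """
    accepted = [(m, "primary") for m in path.primary] + [(m, "fallback") for m in path.fallback]
    method, source = min(accepted, key=lambda ms: ASSURANCE[ms[0]])
    return ASSURANCE[method], method, source


def find_gaps(paths):
    """List every path whose effective assurance is below its tier's requirement."""
    gaps = []
    for p in paths:
        rank, method, source = effective_assurance(p)
        if rank < REQUIRED[p.tier]:
            gaps.append({"app": p.app, "tier": p.tier, "required": REQUIRED[p.tier],
                         "effective": rank, "weakest": method, "via": source})
    return gaps


def tier_consistency(paths):
    """Map each tier to the set of effective ranks seen; more than one value
    means the organisation has no single assurance standard for that tier."""
    seen = {}
    for p in paths:
        seen.setdefault(p.tier, set()).add(effective_assurance(p)[0])
    return seen


# Constructed inventory for the demonstration.
INVENTORY = [
    AccessPath("vpn", "remote_access", ["fido2"], fallback=["sms_otp"]),
    AccessPath("cloud-console", "admin", ["fido2", "push"]),
    AccessPath("payments", "finance", ["totp"]),
    AccessPath("ci-system", "developer", ["passkey"]),
    AccessPath("hr-portal", "standard", ["push_number_match"]),
    AccessPath("wiki", "standard", ["password", "totp"]),
]

if __name__ == "__main__":
    for gap in find_gaps(INVENTORY):
        print(f"{gap['app']:14} tier={gap['tier']:14} required={gap['required']} "
              f"effective={gap['effective']} weakest={gap['weakest']} via {gap['via']}")
    print("effective ranks per tier:", tier_consistency(INVENTORY))
```

The output is the assurance-consistency gap the article describes in concrete form: the VPN is nominally phishing-resistant, but its SMS fallback is what actually governs it, and the two "standard" applications are held to two different standards. Feed it the real inventory from the identity provider's application and policy exports, and re-run it whenever an exception is approved, so the exception list never silently becomes the authentication architecture.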

Key takeaways

  • Authentication programmes fail when MFA methods are treated as interchangeable, because assurance strength varies materially across implementations.
  • The scale of the problem is visible in the data: many organisations are overwhelmed by authentication complexity, while weak or fragmented controls remain common.
  • The practical response is to standardise assurance, eliminate siloed authentication paths, and reserve the strongest methods for the highest-risk access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | SP 800-63B authenticator assurance levels (AAL1 to AAL3; verifier impersonation, i.e. phishing, resistance is required at AAL3) | Authentication assurance and phishing resistance are central to the article.
NIST CSF 2.0 | PR.AC-7 (this is the CSF 1.1 identifier; the CSF 2.0 equivalent is PR.AA-03, users, services and hardware are authenticated) | Access control enforcement depends on consistent authenticator policy.
NIST Zero Trust (SP 800-207) | 3.5 | Continuous verification depends on resistant authentication, not just any MFA.

Tie higher-assurance authentication to high-risk access paths within the zero-trust architecture.


Key terms

  • Phishing-resistant authentication: Authentication that resists credential replay and adversary-in-the-middle attacks by binding the login event to the user and the intended service. In practice, it reduces the value of stolen secrets and approval-based fraud, making it the preferred option for sensitive access paths.
  • Authentication silo: A fragmented authentication environment where different applications, platforms, or teams use incompatible login methods and assurance rules. This creates uneven trust decisions, inconsistent recovery processes, and more exception handling, which weakens governance and increases operational complexity.
  • Passwordless authentication: An authentication approach that removes the traditional password from the primary login path and replaces it with stronger methods such as device-backed or cryptographic verification. The governance challenge is ensuring fallback, recovery, and exception paths do not quietly reintroduce the same weak controls.

Deepen your knowledge

Authentication assurance, phishing-resistant MFA, and passwordless rollout strategy are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to simplify access without increasing bypass risk, it is worth exploring.

This post draws on content published by Axiad: Navigating the Path to Enhanced Authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org