By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Authentication complexity is overwhelming 70% of security and IT professionals, almost 85% of organisations experienced a cyberattack in the last year, and nearly 9 in 10 say they plan to implement passwordless within 12 months, according to Axiad and IDSA. The real issue is not whether MFA exists, but whether it is phishing-resistant, usable, and consistent across silos.


At a glance

What this is: An analysis of why authentication programmes remain fragmented, with MFA, phishing resistance, and passwordless adoption creating competing implementation pressures.

Why it matters: IAM teams must align human authentication, machine access, and lifecycle governance without creating bypasses, usability backlash, or disconnected control planes.

By the numbers:

  • 70% of security and IT professionals say authentication complexity is overwhelming them.
  • Almost 85% of organisations experienced a cyberattack in the last year.
  • Nearly 9 in 10 say they plan to implement passwordless within 12 months.

Source for these figures: Axiad and IDSA survey data, as reported in the Axiad article.

👉 Read Axiad's analysis of enhanced authentication and MFA strategy


Context

Authentication is the control layer that proves a user or machine is who or what it claims to be, and this article argues that the challenge is no longer just access verification. The source frames the topic as enhanced authentication, but the real problem is fragmentation across MFA methods, silos, and user experience trade-offs that create inconsistent assurance.

For IAM teams, the issue is not whether to use stronger authentication but how to avoid building disconnected control paths that attackers can route around. That affects human sign-in flows, machine identity access, and the governance work needed to keep authentication policy coherent across environments.


Key questions

Q: How should security teams decide which authentication methods to prioritise?

A: Prioritise methods that resist phishing, replay, and prompt abuse, especially for privileged access and sensitive applications. Then compare the full user journey, including enrollment and recovery, because weak fallback paths can undermine a strong primary method. The right decision is not about having more factors, but about having consistent assurance across the highest-risk access paths.

Q: Why do multiple MFA systems create more risk in an IAM programme?

A: Multiple MFA systems create risk when they enforce different assurance levels, recovery rules, and exception handling. Attackers look for the least protected route, so a single permissive app or fallback process can undercut stronger controls elsewhere. The governance challenge is to make one policy apply across the whole authentication estate.

Q: How do you know if passwordless is actually improving security?

A: Passwordless is improving security when it reduces password reuse, removes phishing-prone flows, and applies the same assurance standard across all critical applications. If teams still need exceptions, alternate recovery steps, or separate policy stacks, the control is only partially improving the programme. Measure consistency, not just adoption.

Q: Who is accountable when weak authentication is left in place?

A: Accountability sits with the identity, security, and application owners who approve the weaker path and allow it to persist. Authentication risk is a governance issue, so it should be tied to access policy ownership, exception review, and periodic control validation. If no owner can explain the weakest route, the programme has a governance gap.


Technical breakdown

Why MFA is not a single control

MFA is an umbrella term, not one uniform mechanism. Different implementations rely on different factors, transport paths, and recovery workflows, which means the security outcome varies widely. Push approvals, SMS codes, one-time passwords, and phishing-resistant authenticators all create different attack surfaces. The article’s core point is that buying or enabling MFA does not automatically eliminate credential abuse, because the protocol and recovery path matter as much as the second factor itself.

Practical implication: classify each MFA method by resistance to phishing, replay, and prompt bombing before treating it as equivalent protection.
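The point that "the protocol matters as much as the second factor" is easiest to see in code. The following is an added example, not code from the Axiad article or from NHIMG. It contrasts a TOTP check, which learns nothing about where the user typed the code, with the binding checks a WebAuthn relying party performs on clientDataJSON and authenticatorData. The RP ID, origins, secret and challenge are constructed for the example; signature verification over authenticatorData || SHA-256(clientDataJSON) is left out so that only the binding steps are shown.

```python
"""Added example (not from the Axiad article or this page's author): why two
"MFA" methods are not interchangeable at the protocol level.

- A TOTP code is a bare six-digit secret. The verifier learns nothing about
  where the user typed it, so an adversary-in-the-middle phishing page that
  relays the code inside its validity window is accepted.
- A WebAuthn/FIDO2 assertion carries the origin the browser saw and the
  server-issued challenge inside clientDataJSON, and the RP ID hash inside
  authenticatorData. A response captured on a look-alike domain fails
  before any signature is checked.

Signature verification is deliberately left out; only the binding checks are
shown. Secret, challenge and domains are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                            # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"    # assumed sign-in origin


# ---- TOTP (RFC 6238 over HOTP/RFC 4226, SHA-1, 30 s step) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Nothing here identifies the page the user typed into: a code relayed
    # by a phishing proxy is indistinguishable from a genuine one.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---- WebAuthn assertion binding checks ----
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for the origin/challenge/RP-ID binding steps
    of a WebAuthn getAssertion verification."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")),
                               expected_challenge):
        return False, "challenge missing or replayed"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticator data truncated"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not authenticator_data[32] & 0x01:        # UP (user present) flag
        return False, "user presence not asserted"
    return True, "bound to origin, challenge and RP ID"


# ---- Constructed inputs ----
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 7) -> bytes:
    # rpIdHash (32) || flags (1) || signCount (4, big-endian); no extensions
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


SECRET = b"12345678901234567890"           # RFC 4226/6238 test-vector key
CHALLENGE = bytes(range(32))               # server-issued nonce, constructed
PHISHING_SITE = "https://login.example.com.evil.test"

GENUINE = (make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_authenticator_data(RP_ID))
PHISHED = (make_client_data(PHISHING_SITE, CHALLENGE),
           make_authenticator_data("login.example.com.evil.test"))
REPLAYED = (make_client_data(EXPECTED_ORIGIN, bytes(32)), make_authenticator_data(RP_ID))


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("TOTP relayed through a phishing proxy still accepted:",
          totp_accepts(SECRET, code, 59))
    for label, (cd, ad) in {"genuine": GENUINE, "phished": PHISHED, "replayed": REPLAYED}.items():
        print(f"WebAuthn {label:8}:", verify_assertion_binding(cd, ad, CHALLENGE))
```

The TOTP path has no notion of origin, so the only defence against relay is the user noticing the wrong domain. The WebAuthn path rejects the phished response on the origin field and the replayed one on the challenge, which is what "phishing-resistant" means at the protocol level. A real verifier must also check the signature and the credential's stored public key, and should compare signCount against the stored value to detect cloned authenticators.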

Authentication silos and policy drift

When organisations run multiple disconnected authentication systems across platforms, they create policy drift. One app may enforce phishing-resistant MFA, another may accept weaker factors, and a third may use a separate recovery process that becomes the easiest path in. Those differences matter because attackers do not need to break every control, only the weakest authenticator or the most permissive fallback. This is especially dangerous when user populations move between cloud, legacy, and mobile access patterns without a single assurance policy.

Practical implication: map all sign-in paths and recovery paths so that one weak silo does not undercut the stronger controls elsewhere.

Passwordless as an assurance and usability shift

Passwordless is not just a convenience upgrade. It is a design response to credential fatigue, phishing pressure, and user bypass behaviour that appears when authentication becomes too cumbersome. The article links reduced friction with broader adoption because overly complex authentication often drives shadow workarounds. From an identity perspective, the question is whether passwordless is deployed as a consistent policy model or as another isolated option that leaves the programme still fragmented.

Practical implication: treat passwordless as part of a broader policy redesign, not as a drop-in replacement for passwords in only one channel.



NHI Mgmt Group analysis

Authentication complexity is now a governance problem, not just a user experience problem. When 70% of security and IT professionals say they are overwhelmed, the signal is that authentication design has outgrown ad hoc control selection. Fragmented MFA choices create uneven assurance, uneven recovery, and uneven enforcement. The practical conclusion is that identity teams must govern authentication as a portfolio, not a feature checklist.

Phishing resistance is the real differentiator, and weak MFA still counts as a compromise path. The article shows why attackers target the easiest factor, not the nominally strongest policy. If one environment accepts a weaker factor or a permissive fallback, the overall authentication programme inherits that weakness. Practitioners should evaluate whether their strongest control is actually the default control everywhere.

Disjointed authentication silos erode identity assurance across human and machine use cases. The same programme that leaves users with multiple MFA experiences also creates gaps for service access, recovery, and administrative exceptions. That makes consistency the central governance issue, because a policy that cannot be enforced uniformly is not a policy but a preference. The conclusion is to unify assurance rules across IAM ecosystems before expanding methods further.

Passwordless adoption is accelerating because organisations are trying to remove the friction that drives bypass behaviour. The article’s survey signal points to a wider truth: users resist controls that slow them down, and that resistance pushes them toward riskier workarounds. The security task is therefore to remove password dependency without creating a new patchwork of partial exceptions. Practitioners should judge adoption by consistency of enforcement, not by rollout count.

Enhanced authentication is the wrong label if the programme still tolerates inconsistent assurance. A stronger factor in one app and a weaker one in another does not produce stronger identity security overall. The meaningful metric is whether every authentication path maps to the same risk threshold and recovery standard. That is the governance line teams should hold.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why authentication governance cannot stop at human sign-in flows.
  • For a broader control view, see Top 10 NHI Issues for the governance patterns that keep weak identity paths alive.

What this signals

Identity programmes that treat authentication as a set of separate products will keep producing inconsistent assurance. The next planning step is to unify policy across human sign-in, machine access, and recovery so the weakest path is visible before it becomes the attacker’s entry point.

The practical signal is that passwordless, phishing resistance, and MFA rationalisation now belong in the same roadmap discussion. If teams cannot show one assurance standard across applications, they are not modernising authentication, they are multiplying exceptions.

Assurance drift: when authentication strength varies by app, the organisation has not improved identity security, it has redistributed risk into less visible paths.


For practitioners

  • Audit every authentication path: Inventory primary sign-in, step-up authentication, and account recovery paths across all major applications so you can see where weak methods still exist.
  • Standardise phishing-resistant controls: Set a baseline that prioritises phishing-resistant factors for high-risk access, privileged accounts, and administrative workflows instead of mixing equivalent and non-equivalent methods.
  • Remove silos between IAM systems: Align policy, recovery, and assurance rules across disconnected IAM ecosystems so that one permissive platform does not become the fallback route for attackers.
  • Use passwordless as a policy reset: Treat passwordless adoption as an opportunity to simplify authentication policy, reduce credential reuse, and eliminate user-driven bypass patterns rather than adding another optional method.
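The audit described in the four items above, worked through as an added example (not code from the Axiad article or from NHIMG). It encodes the weakest-path rule from the technical breakdown: on one path the attacker must defeat every factor, so a path falls only when the attacker's playbook covers each factor on it; across paths the attacker chooses, so an account is only as strong as its weakest path, recovery included. The method classifications, attacker playbooks, tiers and the four applications are constructed assumptions to be replaced with your own assessment.

```python
"""Added example (not from the Axiad article or this page's author): an
authentication-path audit over a constructed inventory.

Rules encoded:
- Within a path the attacker must defeat every factor, so the path falls only
  if some technique in the attacker's playbook defeats each factor.
- Across paths the attacker picks, so the account is as weak as its weakest
  path (primary sign-in, step-up or recovery).

DEFEATED_BY, PLAYBOOKS, POLICY and INVENTORY are assumptions for the example.
"""
from dataclasses import dataclass

# Which attacker techniques defeat each factor on its own (assumed classification).
DEFEATED_BY = {
    "password":           {"credential_stuffing", "aitm_phishing"},
    "security_questions": {"credential_stuffing", "aitm_phishing"},
    "helpdesk_reset":     {"helpdesk_social_engineering"},
    "sms_otp":            {"aitm_phishing", "sim_swap"},
    "email_link":         {"aitm_phishing"},
    "totp":               {"aitm_phishing"},
    "push":               {"aitm_phishing", "prompt_bombing"},
    "push_number_match":  {"aitm_phishing"},
    "fido2":              set(),
    "smart_card":         set(),
}

# Attacker playbooks: techniques an intruder combines in one attempt.
PLAYBOOKS = {
    "aitm_phishing":     {"aitm_phishing"},
    "stuffing+bombing":  {"credential_stuffing", "prompt_bombing"},
    "stuffing+sim_swap": {"credential_stuffing", "sim_swap"},
    "helpdesk_se":       {"helpdesk_social_engineering"},
}

# Which playbooks every path in a tier must withstand.
POLICY = {
    "high":     set(PLAYBOOKS),
    "standard": {"stuffing+bombing", "stuffing+sim_swap"},
}


@dataclass
class App:
    name: str
    tier: str
    paths: dict  # path name -> factors the user must complete on that path


@dataclass(frozen=True)
class Finding:
    app: str
    path: str
    playbook: str


def path_defeated(factors, techniques):
    # The attacker must get past every factor on the path, so the path falls
    # only if some technique in the playbook defeats each factor.
    return bool(factors) and all(DEFEATED_BY[f] & techniques for f in factors)


def exposure(app):
    # For each path, the playbooks from the full catalogue that defeat it.
    return {path: {name for name, techs in PLAYBOOKS.items() if path_defeated(factors, techs)}
            for path, factors in app.paths.items()}


def weakest_path(app):
    # The route an attacker would pick: the path defeated by the most playbooks.
    return max(exposure(app).items(), key=lambda item: len(item[1]))[0]


def audit(inventory):
    findings = []
    for app in inventory:
        for playbook in sorted(POLICY[app.tier]):
            for path, factors in app.paths.items():
                if path_defeated(factors, PLAYBOOKS[playbook]):
                    findings.append(Finding(app.name, path, playbook))
    return findings


# Constructed inventory: primary sign-in, step-up and recovery paths per app.
INVENTORY = [
    App("admin-console", "high",
        {"primary": ["fido2"], "step_up": ["fido2"], "recovery": ["helpdesk_reset"]}),
    App("code-repo", "high",
        {"primary": ["password", "fido2"], "recovery": ["fido2"]}),
    App("hr-portal", "standard",
        {"primary": ["password", "push"], "recovery": ["email_link"]}),
    App("legacy-vpn", "standard",
        {"primary": ["password", "totp"], "recovery": ["security_questions"]}),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding.app:14} {finding.path:9} falls to {finding.playbook}")
    for app in INVENTORY:
        print(f"{app.name:14} weakest path: {weakest_path(app)}")
```

Two things the output makes visible that a method checklist does not: admin-console has FIDO2 on sign-in and step-up yet still fails its tier because help-desk reset is a separate, weaker path, and legacy-vpn's recovery path is the one an attacker would pick even though its primary sign-in uses TOTP. Standardising the baseline per tier and aligning recovery to it is what closes those findings.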

Key takeaways

  • Authentication complexity is a governance symptom, not just an implementation inconvenience, because it creates uneven assurance across the identity estate.
  • The strongest protection is the one that remains consistent across sign-in, recovery, and exception handling, not the one that looks best in isolation.
  • IAM teams should use passwordless and phishing resistance to simplify policy, reduce bypass behaviour, and close the weakest authentication paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | Authentication assurance and phishing resistance map directly to digital identity guidance.
NIST CSF 2.0 | PR.AA-1 | Authentication policy governs access credentials and assurance across systems.
NIST Zero Trust (SP 800-207) | | Zero trust depends on continuous verification rather than siloed MFA exceptions.

Align authenticator choices and recovery paths to assurance levels rather than convenience alone.


Key terms

  • Phishing-resistant authentication: Authentication in which the credential is cryptographically bound to the legitimate relying party, for example a FIDO2/WebAuthn authenticator whose response covers the origin and a server-issued challenge, so a credential captured or relayed by a look-alike site cannot be used. In practice, the factor resists adversary-in-the-middle phishing flows, not just password guessing, and it should be enforced consistently across high-risk applications and recovery paths.
  • Authentication silo: A disconnected authentication environment where different applications, platforms, or business units enforce different methods and assurance levels. Silos make policy drift more likely, because attackers can move to the least protected path and organisations struggle to maintain one consistent identity standard.
  • Passwordless: An authentication approach that removes passwords from the primary sign-in experience and replaces them with stronger methods such as device-based or cryptographic authentication. It reduces password reuse and phishing exposure, but only improves security when recovery and fallback processes are equally well governed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Navigating the Path to Enhanced Authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org