TL;DR: Security friction can push employees toward weaker habits and shadow IT, while passwordless authentication and Conditional Access let organisations tighten access without making every login a productivity event, according to JumpCloud. The real test is whether security policies fit the workflow well enough that users do not seek easier, unmanaged paths.
At a glance
What this is: This is an analysis of how security friction drives user bypass behaviour, and why passwordless authentication plus Conditional Access can reduce that pressure.
Why it matters: It matters because IAM teams must balance control strength with adoption, or they risk creating the very workarounds that weaken human identity governance.
👉 Read JumpCloud's analysis of passwordless authentication and Conditional Access
Context
Security friction is what happens when identity controls make it harder for people to do their jobs than to work around them. In human IAM, that usually shows up as password fatigue, MFA pushback, or unmanaged app use when approved access feels too slow.
The article argues that better security is not just stronger policy, but policy that fits the workflow. That places passwordless authentication and Conditional Access at the centre of human identity design, where usability is part of the control surface rather than an afterthought.
Key questions
Q: How should security teams reduce login friction without weakening identity security?
A: Security teams should replace high-friction, low-assurance controls with phishing-resistant authentication and context-aware access policies. The goal is to make the secure path easier than the workaround. That means strong enrollment, reliable recovery, and step-up checks only when risk signals such as device health or location warrant them.
Q: Why do strict security policies sometimes increase shadow IT risk?
A: Strict policies can increase shadow IT risk when they make sanctioned access slower or harder than unsanctioned alternatives. Users then choose personal accounts, unmanaged apps, or credential workarounds to keep working. That creates a governance problem because the organisation loses visibility, auditability, and control over access paths.
Q: What does a good Conditional Access programme need to get right?
A: A good Conditional Access programme needs accurate signals, clear policy logic, and minimal false friction. If device posture, location, or application risk data are unreliable, the control either blocks legitimate work or trusts risky sessions too easily. The best programmes step up only when context truly changes.
Q: What should IAM leaders measure if they want to know whether controls are actually working?
A: IAM leaders should measure adoption, bypass behaviour, and support burden together. If password resets, duplicate accounts, and shadow application use are rising, the control design is creating friction that users are escaping. Effective security should reduce risk without pushing people out of the governed path.
Technical breakdown
How passwordless authentication changes the attack surface
Passwordless authentication removes the password as a reusable secret and replaces it with factors such as biometrics or hardware-backed keys. That changes the attack surface from credential guessing and reuse to device possession, local trust, and account recovery paths. It also reduces the incentive for users to store or reuse passwords when controls are overly burdensome. In practice, the security value depends on strong enrollment, resilient recovery, and enforcement consistency across applications.
Practical implication: move high-risk user populations to phishing-resistant passwordless methods where recovery and enrollment are tightly governed.
Conditional Access as a context-aware access control layer
Conditional Access evaluates access requests using signals such as device health, network location, and application risk. Rather than applying the same friction to every request, it can step up verification only when the context looks unfamiliar or unsafe. That makes it closer to adaptive risk control than a fixed gate. The control works best when device inventory, compliance posture, and policy logic are accurate enough to avoid both false trust and unnecessary friction.
Practical implication: align conditional policies to device trust and location signals so higher scrutiny is reserved for genuinely risky sessions.
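The step-up logic described above, as an added example that is not part of the original article or JumpCloud's product: a small Conditional Access evaluator in Python that treats a missing or stale device-posture signal as unverified (step up) rather than as trusted or blocked, allows trusted-location sessions from compliant devices to flow, and steps up only when the (device, location) pair is unfamiliar for the user or the application is high risk. The signal names, the trusted-location list and the sample contexts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require a phishing-resistant re-authentication before continuing
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    """Signals available at request time (field names are assumptions for this example)."""
    user: str
    device_id: str
    device_compliant: Optional[bool]   # None = posture signal missing or stale, i.e. unreliable
    location: str                      # e.g. "office-lon", "home-net", "unknown"
    app_risk: str                      # "low", "medium" or "high"


@dataclass
class ConditionalAccessPolicy:
    trusted_locations: Set[str]
    # user -> set of (device_id, location) pairs that have already passed verification
    known_contexts: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def evaluate(self, ctx: AccessContext) -> Decision:
        # A device known to be non-compliant never reaches a high-risk application.
        if ctx.device_compliant is False and ctx.app_risk == "high":
            return Decision.BLOCK
        # Unreliable posture data: neither trust nor block, ask for stronger proof instead.
        if ctx.device_compliant is None:
            return Decision.STEP_UP
        if ctx.device_compliant is False:
            return Decision.STEP_UP
        # Compliant device from a trusted location: the low-friction path.
        if ctx.location in self.trusted_locations:
            return Decision.ALLOW
        # Otherwise step up only when the context is new for this user or the app is high risk.
        familiar = (ctx.device_id, ctx.location) in self.known_contexts.get(ctx.user, set())
        if familiar and ctx.app_risk != "high":
            return Decision.ALLOW
        return Decision.STEP_UP

    def record_success(self, ctx: AccessContext) -> None:
        """Call after a step-up succeeds so the same context does not prompt again."""
        self.known_contexts.setdefault(ctx.user, set()).add((ctx.device_id, ctx.location))


if __name__ == "__main__":
    policy = ConditionalAccessPolicy(trusted_locations={"office-lon"})
    first_home = AccessContext("alice", "lap-1", True, "home-net", "medium")
    print("first login from home:", policy.evaluate(first_home).value)   # step_up
    policy.record_success(first_home)
    print("second login from home:", policy.evaluate(first_home).value)  # allow
    stale = AccessContext("alice", "lap-1", None, "office-lon", "low")
    print("stale posture signal:", policy.evaluate(stale).value)         # step_up
```

The ordering of the checks is the design point: the block rule is narrow (known bad device plus high-risk app), the unreliable-signal rule defaults to more verification rather than to a hard deny, and the familiarity set is what keeps repeat sessions from paying the step-up cost every time.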
Why friction can create shadow IT pressure
When approved access is slow or cumbersome, users often search for the fastest workable path, including personal accounts, unsanctioned collaboration tools, or duplicated credentials. That is not just a behaviour problem. It is an identity governance failure caused by controls that are technically sound but operationally misaligned. The result is visibility loss, weaker auditability, and a larger unmanaged access surface across the organisation.
Practical implication: treat user workarounds as a control-design signal and review where approved access is slower than the shadow alternative.
NHI Mgmt Group analysis
Security friction is itself an identity risk, not just a user-experience problem. When authentication and access controls make normal work harder than the workaround, users rationally choose the workaround. That shifts risk from the front door to the edges of the identity estate, where shadow IT, credential reuse, and unmanaged accounts accumulate. Practitioners should treat friction as an access-governance signal, not a service-desk annoyance.
Passwordless authentication changes the economics of human identity abuse. The main value is not convenience alone. It removes reusable secrets from the user journey, which narrows opportunities for phishing, password reuse, and manual workarounds that bypass policy. For identity teams, that makes phishing-resistant authentication a governance control as much as a login mechanism.
Conditional Access is most effective when it reduces unnecessary friction while increasing scrutiny at the right moment. The article points to a dynamic model: trusted device and trusted location can flow more smoothly, while unfamiliar context triggers step-up checks. That is the right direction for NIST CSF-aligned access governance because it applies protection where risk is highest without turning every access request into a productivity tax.
User friction boundary: the point at which security controls become easier to bypass than to follow is where governance breaks down. That boundary is often invisible until shadow IT appears, which is why programme owners should measure adoption, workaround volume, and help desk friction together rather than in isolation.
Human IAM success should be judged by control adoption, not policy count. A policy framework with poor usability can look mature on paper while driving employees toward weaker identity paths. Practitioners should prioritise controls that are both enforceable and broadly usable, because security that users abandon is not real control.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- For the adjacent governance problem, read NHI Lifecycle Management Guide for a practical view of lifecycle controls that reduce unmanaged access paths.
What this signals
Human identity programmes are entering a usability-led governance phase. When controls are too rigid, people do not stop accessing systems; they redirect to ungoverned paths. That means identity teams need to treat workaround behaviour as a core risk indicator rather than an edge case.
User friction boundary: once the approved path becomes harder than the shadow path, the control no longer governs behaviour. That is why passwordless rollout, step-up policy design, and recovery workflows must be evaluated together, not as separate projects.
The strategic signal is that access design is now a control plane issue. Teams that combine strong authentication with context-sensitive policy will reduce both support load and bypass pressure, while teams that keep adding friction will continue to create the very risk they are trying to prevent.
For practitioners
- Map friction hotspots in the login journey: Review the points where users encounter repeated prompts, password resets, or failed device checks, then compare those pain points to shadow IT tickets and account recovery requests.
- Prioritise phishing-resistant passwordless rollout: Start with populations that face the highest credential theft risk, and make sure enrollment, recovery, and exception handling are documented before broader enforcement.
- Tune Conditional Access to real risk signals: Use device compliance, location, and application risk together so trusted sessions stay low friction while unfamiliar access is stepped up for additional verification.
- Track policy bypass as a governance metric: Monitor when employees use personal accounts, duplicate credentials, or unsanctioned applications, because those behaviours indicate security controls are too hard to live with.
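The first and last items above (mapping friction hotspots, then tracking bypass as a metric) share one measurement pipeline, so here is a single added example, written for this page and not taken from the article or any product: a Python script that reads a handful of constructed identity log lines, counts repeated MFA prompts, failed device checks and password resets per user and per application, records logins to applications outside an assumed sanctioned list, and then reports the users who hit friction and subsequently used an unsanctioned path. The log format, event names, application allow-list and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2025-09-01T08:02:11Z user=alice app=crm event=mfa_prompt
2025-09-01T08:02:40Z user=alice app=crm event=mfa_prompt
2025-09-01T08:03:05Z user=alice app=crm event=mfa_prompt
2025-09-01T08:05:00Z user=alice app=crm event=device_check_failed
2025-09-01T09:10:00Z user=alice app=idp event=password_reset
2025-09-01T09:30:00Z user=alice app=personal-drive event=saas_login
2025-09-01T10:00:00Z user=bob app=wiki event=mfa_prompt
2025-09-01T10:00:20Z user=bob app=wiki event=login_success
2025-09-01T14:00:00Z user=bob app=wiki event=mfa_prompt
2025-09-01T14:00:15Z user=bob app=wiki event=login_success
"""

# Assumed allow-list of sanctioned applications; anything else is treated as shadow IT.
SANCTIONED_APPS = {"crm", "wiki", "idp"}
PROMPT_WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 3  # this many prompts inside the window counts as one repeated-prompt episode

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v' line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def _new_user_entry():
    return {"repeated_prompt_episodes": 0, "device_check_failures": 0,
            "password_resets": 0, "unsanctioned_logins": []}


def friction_report(log_text):
    """Aggregate friction indicators per user and per app, plus unsanctioned logins per user."""
    users = defaultdict(_new_user_entry)
    apps = defaultdict(int)             # app -> friction events (prompt episodes + device failures)
    recent_prompts = defaultdict(list)  # (user, app) -> prompt timestamps still inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, app, kind = ev["user"], ev.get("app", "-"), ev["event"]
        entry = users[user]             # every seen user appears, even with zero friction
        if kind == "mfa_prompt":
            key = (user, app)
            window = [t for t in recent_prompts[key] if ev["ts"] - t <= PROMPT_WINDOW]
            window.append(ev["ts"])
            recent_prompts[key] = window
            if len(window) == PROMPT_THRESHOLD:   # counted once, when the threshold is first reached
                entry["repeated_prompt_episodes"] += 1
                apps[app] += 1
        elif kind == "device_check_failed":
            entry["device_check_failures"] += 1
            apps[app] += 1
        elif kind == "password_reset":
            entry["password_resets"] += 1
        elif kind == "saas_login" and app not in SANCTIONED_APPS:
            entry["unsanctioned_logins"].append(app)
    return {"users": dict(users), "apps": dict(apps)}


def bypass_after_friction(report):
    """Users who both hit friction and used an unsanctioned path: the review signal the text calls for."""
    flagged = []
    for user, e in sorted(report["users"].items()):
        friction = e["repeated_prompt_episodes"] + e["device_check_failures"] + e["password_resets"]
        if friction > 0 and e["unsanctioned_logins"]:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    rep = friction_report(SAMPLE_LOG)
    print("friction hotspots by app:", rep["apps"])
    for u in bypass_after_friction(rep):
        print(f"{u}: friction followed by unsanctioned use -> {rep['users'][u]['unsanctioned_logins']}")
```

Two prompts four hours apart (bob) do not count as an episode, while three prompts within a minute (alice) do; that sliding-window rule is what separates ordinary step-up from the repeated-prompt loops the page describes as a friction hotspot. Correlating the per-app counts with the per-user unsanctioned logins is the point: the metric is only useful when both halves are collected from the same identity estate.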
Key takeaways
- Security controls that create too much friction can unintentionally increase shadow IT, credential reuse, and support load.
- Passwordless authentication and Conditional Access work best when they reduce routine friction while reserving extra scrutiny for risky sessions.
- IAM teams should measure user bypass behaviour, not just policy coverage, because adoption determines whether security is real or merely documented.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access enforcement here depends on authentication that matches user risk and context. |
| NIST SP 800-63 | Digital Identity Guidelines | Passwordless methods align with phishing-resistant digital identity guidance. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Conditional Access reflects continuous verification based on session context. |
Use context-aware access policies to reduce friction without weakening authentication assurance.
Key terms
- Passwordless Authentication: An authentication method that verifies a user without a reusable password. It typically relies on biometrics, device-bound cryptographic keys, or security hardware, reducing exposure to password reuse, phishing, and manual credential handling while improving the usability of sign-in flows.
- Conditional Access: A policy layer that changes access decisions based on contextual signals such as device health, location, or application risk. It allows security teams to apply stronger verification when conditions look suspicious and keep trusted sessions smoother for legitimate users.
- Shadow IT: Technology, applications, or access paths used without organisational approval or visibility. In identity governance terms, it often appears when sanctioned controls are too slow or inconvenient, creating unmanaged accounts, weaker oversight, and gaps in auditability.
- Security Friction: The operational burden that legitimate users feel when security controls slow down normal work. When friction is too high, users tend to bypass controls, seek shortcuts, or create parallel access paths, turning usability failure into a governance and risk problem.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by JumpCloud: Updated analysis of the security paradox, passwordless authentication, and Conditional Access. Read the original.
Published by the NHIMG editorial team on 2025-09-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org