By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Best Practices
Source: Axiad

TL;DR: Current authentication approaches are failing employees because passwords and fragmented MFA create friction, lockouts, and weaker security, according to Axiad’s interview; its survey found that 60% of US office workers say authentication has stopped them from doing their jobs. The bigger lesson is that identity programmes must reduce user friction without relaxing assurance.


At a glance

What this is: This interview argues that passwordless authentication is becoming necessary because current employee authentication methods create both security exposure and operational friction.

Why it matters: It matters because IAM teams must balance phishing resistance, user productivity, and policy enforcement across human identity, machine identity, and broader access governance.

By the numbers:

👉 Read Axiad's interview on passwordless authentication and employee identity


Context

Password-based authentication creates two problems at once: it is easy for users to mishandle and expensive for IT teams to support. In this interview, the primary issue is employee authentication, but the governance lesson extends into IAM programme design because the control model still assumes users will tolerate repeated prompts, device changes, and friction without compensating workarounds.

The article frames passwordless authentication as a response to that mismatch. For identity teams, the real question is not whether passwords are inconvenient, but how to replace them with standards-based authentication that improves assurance without pushing employees toward bypass behaviour or support escalation.


Key questions

Q: How should security teams implement passwordless authentication without creating user workarounds?

A: Start by simplifying the authenticator set, defining one clear recovery path, and removing duplicate login journeys. Then tie enrolment, replacement, and revocation to the same lifecycle process so users are not forced to bypass policy when a device changes or a credential fails. Success depends on usability and governance together, not cryptography alone.

Q: Why do employee authentication problems become security problems so quickly?

A: When authentication is frustrating, people reuse older credentials, delay updates, or ask for exceptions. Those behaviours create weaker assurance, more support tickets, and more opportunities for attackers to exploit fallback paths. Identity teams should treat repeated lockouts and MFA confusion as evidence that the control design is misaligned with how people actually work.

Q: What do organisations get wrong about passwordless MFA adoption?

A: They often focus on the factor technology and ignore the operating model around it. If recovery, device change, and policy enforcement are inconsistent, users will not adopt the new path cleanly. The result is shadow recovery processes and lingering password dependence, which undermines the intended security gains.

Q: Who should own passwordless authentication across IAM, IGA, and PAM teams?

A: Ownership should sit with the identity governance function, but implementation must be shared across IAM, IGA, and PAM because authentication, enrolment, revocation, and exception handling touch all three. Treat passwordless as a programme, not a point solution. That keeps policy consistent across user access, privileged access, and credential lifecycle management.


Technical breakdown

Why passwordless authentication changes the employee access model

Passwordless authentication replaces shared human memory of secrets with device-bound or cryptographic credentials, such as FIDO keys, Windows Hello for Business, smart cards, biometrics, and TPM-backed trust. The technical advantage is not just fewer password resets. It is that the authentication event becomes harder to phish, harder to reuse, and easier to bind to a managed device or approved credential lifecycle. That only works if the organisation can issue, manage, and revoke the underlying credential consistently across the estate. Without that lifecycle control, passwordless simply shifts the burden from passwords to device and credential administration.

Practical implication: standardise credential types and lifecycle processes before scaling passwordless across the enterprise.

Phishing-resistant MFA and zero trust for human identity

Phishing-resistant MFA is a stronger form of multi-factor authentication because the credential cannot be easily relayed or replayed in a phishing flow. In zero trust terms, this supports stronger identity assurance at the front door, but it does not remove the need for continuous policy enforcement after login. The article’s point about multiple MFA systems is operationally important: if users cannot quickly tell which authenticator applies, they drift to older credentials or call the service desk. That weakens the overall identity control plane even when the cryptography is sound.

Practical implication: reduce authenticator sprawl so users do not fall back to weaker login paths.
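To make the two technical points above concrete (credentials that must be issued and revoked through one lifecycle, and an authentication event that cannot be relayed or replayed), here is an added Python simulation of a FIDO-style relying-party check. It is example code written for this page, not Axiad's or any vendor's implementation. It models the device-bound private key as a per-device secret and the signature as an HMAC purely to stay standard-library only; a real authenticator uses a public-key signature, but the relying-party logic it demonstrates (challenge consumed once, browser-supplied origin must match, RP ID hash must match, sign counter must advance, revoked credentials rejected) is the same. The names `Authenticator`, `RelyingParty`, `demo`, the RP ID `corp.example` and the origins are all constructed for the example.

```python
"""Simulated FIDO-style assertion verification showing origin, challenge and
lifecycle binding. Example code for this article; HMAC stands in for the
authenticator's public-key signature (a labelled simplification)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _canonical(data: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash the same bytes.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Authenticator:
    """Hypothetical device-bound authenticator (one key per device)."""
    credential_id: str
    device_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sign_count: int = 0

    def sign(self, rp_id: str, challenge: str, browser_origin: str) -> dict:
        # The browser, not the user, stamps the origin the page was served from.
        self.sign_count += 1
        client_data = {"type": "webauthn.get", "challenge": challenge,
                       "origin": browser_origin}
        auth_data = {"rpIdHash": hashlib.sha256(rp_id.encode()).hexdigest(),
                     "signCount": self.sign_count,
                     "clientDataHash": hashlib.sha256(_canonical(client_data)).hexdigest()}
        sig = hmac.new(self.device_key, _canonical(auth_data), hashlib.sha256).hexdigest()
        return {"credentialId": self.credential_id, "clientData": client_data,
                "authData": auth_data, "signature": sig}


class RelyingParty:
    """Hypothetical relying party: owns the credential registry and challenges."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id = rp_id
        self.origin = origin
        self._creds: dict[str, tuple[bytes, int]] = {}  # id -> (key, last count)
        self._pending: set[str] = set()

    def register(self, auth: Authenticator) -> None:
        self._creds[auth.credential_id] = (auth.device_key, auth.sign_count)

    def revoke(self, credential_id: str) -> None:
        # Lifecycle control: a revoked credential must fail even with a valid signature.
        self._creds.pop(credential_id, None)

    def new_challenge(self) -> str:
        ch = secrets.token_urlsafe(32)
        self._pending.add(ch)
        return ch

    def verify(self, assertion: dict) -> tuple[bool, str]:
        cred = self._creds.get(assertion["credentialId"])
        if cred is None:
            return False, "unknown or revoked credential"
        key, last_count = cred
        cd, ad = assertion["clientData"], assertion["authData"]
        if cd.get("challenge") not in self._pending:
            return False, "challenge not issued or already consumed"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        if ad.get("rpIdHash") != hashlib.sha256(self.rp_id.encode()).hexdigest():
            return False, "rp id mismatch"
        if hashlib.sha256(_canonical(cd)).hexdigest() != ad.get("clientDataHash"):
            return False, "client data tampered"
        expected = hmac.new(key, _canonical(ad), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        if ad["signCount"] <= last_count:
            return False, "sign counter did not advance"
        self._pending.discard(cd["challenge"])  # one challenge, one use
        self._creds[assertion["credentialId"]] = (key, ad["signCount"])
        return True, "ok"


def demo() -> dict:
    """Run the normal, replayed, relayed and revoked cases and return the verdicts."""
    rp = RelyingParty(rp_id="corp.example", origin="https://login.corp.example")
    key = Authenticator(credential_id="cred-alice-1")
    rp.register(key)

    ch = rp.new_challenge()
    good = key.sign(rp.rp_id, ch, "https://login.corp.example")
    login = rp.verify(good)          # genuine login on the real origin
    replay = rp.verify(good)         # same assertion submitted again

    # Assertion produced while the browser sat on a look-alike origin: the
    # signed client data carries that origin, so the real RP rejects it.
    relayed = key.sign(rp.rp_id, rp.new_challenge(), "https://login.corp-example.test")
    relay = rp.verify(relayed)

    rp.revoke("cred-alice-1")        # device lost: lifecycle revocation
    after_revoke = rp.verify(key.sign(rp.rp_id, rp.new_challenge(), rp.origin))
    return {"login": login, "replay": replay, "relay": relay, "revoked": after_revoke}
```

The order of checks matters: the challenge is consumed only after every other check passes, so a rejected assertion does not burn a challenge that a legitimate retry could still use, while a successful one can never be presented twice.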

Unified credential management across people and machines

A unified interface for managing credentials matters because enterprises rarely run a single identity type in isolation. The same organisation may govern employees, devices, and machine identities through different assurance and administrative paths. When those paths fragment, policy enforcement becomes inconsistent and audit evidence becomes harder to trust. The article points to a distributed and flexible IAM approach, which is essentially a management layer that can adapt to different credential types without forcing users or operators into separate tool silos. That is especially relevant in regulated environments where assurance and traceability both matter.

Practical implication: align human authentication, machine identity, and access governance under one operational model where possible.


NHI Mgmt Group analysis

Password friction is not a usability side issue. It is an identity control failure. When employees cannot complete authentication cleanly, they route around policy by reusing older credentials, delaying enrolment, or escalating to IT for exceptions. That turns the access layer into a productivity bottleneck and a security bypass channel. The implication is that identity programmes should treat user friction as a measurable security exposure, not a helpdesk nuisance.

Phishing-resistant MFA only works when the surrounding experience is coherent. Cryptographic strength does not help if users face multiple authenticators, unclear recovery paths, or inconsistent device prompts. This article shows that authentication success depends on the whole operating model, not just the factor itself. Practitioners should view fragmented MFA estates as a governance problem that weakens assurance even when each tool is technically sound.

Standards-based credential management is the only scalable way to support passwordless at enterprise scale. The article’s emphasis on interoperable credentials reflects a broader IAM reality: isolated tools do not solve identity assurance when employees, devices, and regulated workflows all need different forms of trust. Passwordless adoption becomes durable only when lifecycle, policy, and reporting sit in a common operational model. Teams should optimise for integration, not point-product novelty.

Identity assurance for people and machines is converging, but the governance burden is increasing. The same enterprise that modernises employee authentication also has to manage machine trust, reporting, and revocation across a wider identity surface. That convergence means IAM, IGA, and PAM teams can no longer treat human authentication as a standalone problem. Practitioners should plan for shared governance across credential classes, not separate programmes that drift apart.

From our research:

  • 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes that expand beyond human login flows need governance discipline, not just better authentication.
  • For the broader lifecycle view, Ultimate Guide to NHIs, Key Challenges and Risks connects visibility, rotation, and offboarding into one operational model.

What this signals

Passwordless programmes will increasingly be judged on whether they reduce failure demand, not just whether they strengthen assurance. If employees still need to contact IT for recovery, the organisation has modernised the factor but not the control plane.

Authentication sprawl debt: the longer an enterprise runs multiple MFA methods, fallback paths, and device recovery patterns, the harder it becomes to retire weak login behaviour. Teams should expect passwordless to succeed only when they also simplify identity governance and service operations.

For identity leaders, the signal is clear: employee authentication, device trust, and machine identity governance are converging into one operational problem. The organisations that win here will measure user friction, lifecycle consistency, and policy adherence as a single programme outcome.


For practitioners

  • Measure authentication friction as a security metric: Track lockouts, password reset volume, MFA failures, and helpdesk escalations together so you can see where users are being pushed toward workarounds.
  • Rationalise MFA methods before expanding passwordless: Reduce duplicate authenticator options and define a clear recovery path so employees know which credential to use and where to fix issues.
  • Tie passwordless rollout to credential lifecycle controls: Make enrolment, device change, revocation, and exception handling part of the same operational process so stronger authentication does not create unmanaged exceptions.
  • Align employee authentication with machine identity governance: Use the passwordless transition to review how people, devices, and service credentials are governed, reported, and audited across the IAM stack.
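The first two recommendations above (measure friction as a security metric, and find out which authenticator methods are driving failures before rationalising them) are easy to state and rarely instrumented. Here is an added Python example, written for this page and not taken from Axiad or any product, that turns a handful of constructed authentication events into the three numbers an identity team would actually review: failure rate per MFA method, friction events per department, and the users whose friction volume in a rolling window suggests they are being pushed toward workarounds. The log format, user names, departments, thresholds and function names are all assumptions for the example.

```python
"""Authentication friction metrics over sample log lines (constructed data).
Example code for this article; the log format is an assumed one."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, department, auth method, event.
# "-" is used where no authenticator was involved (helpdesk tickets).
SAMPLE_LOG = """\
2025-09-01T08:01:10Z alice finance fido2    AUTH_SUCCESS
2025-09-01T08:03:44Z bob   finance sms      MFA_FAIL
2025-09-01T08:04:02Z bob   finance sms      MFA_FAIL
2025-09-01T08:05:30Z bob   finance sms      LOCKOUT
2025-09-01T08:20:00Z bob   finance -        HELPDESK_TICKET
2025-09-01T09:00:00Z bob   finance password PASSWORD_RESET
2025-09-02T08:00:00Z carol eng     fido2    AUTH_SUCCESS
2025-09-02T08:00:30Z dave  eng     push     MFA_FAIL
2025-09-02T08:01:00Z dave  eng     push     AUTH_SUCCESS
2025-09-03T10:00:00Z erin  eng     sms      MFA_FAIL
2025-09-03T10:00:40Z erin  eng     sms      AUTH_SUCCESS
2025-09-05T11:00:00Z bob   finance sms      LOCKOUT
2025-09-05T11:30:00Z bob   finance -        HELPDESK_TICKET
"""

# Events that indicate the user could not complete authentication cleanly.
FRICTION_EVENTS = {"MFA_FAIL", "LOCKOUT", "PASSWORD_RESET", "HELPDESK_TICKET"}


def parse_log(text: str) -> list[dict]:
    """Parse whitespace-separated lines into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, method, event = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "dept": dept, "method": method, "event": event})
    return events


def method_failure_rates(events: list[dict]) -> dict[str, float]:
    """Share of MFA attempts per method that failed; shows authenticator sprawl cost."""
    attempts, fails = Counter(), Counter()
    for e in events:
        if e["event"] in {"AUTH_SUCCESS", "MFA_FAIL"}:
            attempts[e["method"]] += 1
            if e["event"] == "MFA_FAIL":
                fails[e["method"]] += 1
    return {m: round(fails[m] / attempts[m], 2) for m in attempts}


def department_friction(events: list[dict]) -> dict[str, dict[str, int]]:
    """Friction events per department, broken down by type."""
    out: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e["event"] in FRICTION_EVENTS:
            out[e["dept"]][e["event"]] += 1
    return {d: dict(c) for d, c in out.items()}


def workaround_risk(events: list[dict], window_days: int = 7,
                    threshold: int = 3) -> dict[str, int]:
    """Users with at least `threshold` friction events in any rolling window.

    Repeated lockouts and resets in a short span are the behavioural signal
    that someone is likely to reuse an old credential or ask for an exception.
    """
    per_user: dict[str, list[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] in FRICTION_EVENTS:
            per_user[e["user"]].append(e["ts"])
    flagged: dict[str, int] = {}
    win = timedelta(days=window_days)
    for user, stamps in per_user.items():
        start = 0
        for end in range(len(stamps)):       # sliding window over sorted stamps
            while stamps[end] - stamps[start] > win:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failure rate by method:", method_failure_rates(ev))
    print("friction by department:", department_friction(ev))
    print("workaround risk:", workaround_risk(ev))
```

Feeding real identity-provider and service-desk exports into the same three functions gives a single view that the article argues for: a method with a high failure rate is a rationalisation candidate, a department with concentrated lockouts points at a device or enrolment problem, and the flagged users are where fallback paths are most likely being exercised.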

Key takeaways

  • Current authentication failures are not just inconvenient. They create predictable workarounds that weaken identity assurance.
  • Passwordless succeeds only when credential lifecycle, recovery, and policy enforcement are designed as one operating model.
  • IAM teams should treat user friction, MFA sprawl, and identity governance as linked controls, not separate problems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST SP 800-63                                       The article is about human authentication assurance and passwordless access.
NIST CSF 2.0                   PR.AC-1               Identity proofing and access control underpin the passwordless shift described here.
NIST Zero Trust (SP 800-207)   5.1                   Passwordless is presented as part of the foundation for zero trust.

Use NIST 800-63 to align passwordless enrolment and authenticator assurance with user risk.


Key terms

  • Passwordless Authentication: An authentication approach that replaces memorised passwords with stronger methods such as cryptographic keys, device-bound credentials, or biometrics. The goal is to reduce phishing risk and user friction while improving assurance, but only if recovery, enrolment, and revocation are managed consistently.
  • Phishing-resistant MFA: Multi-factor authentication designed so the credential cannot be easily relayed, copied, or reused by an attacker during a phishing attempt. In practice, this usually relies on cryptographic binding to a device or trusted authenticator, making the factor harder to intercept than SMS or reusable codes.
  • Identity Assurance: The degree of confidence an organisation has that an authenticated identity is really the intended user or system. It depends on the strength of the authenticator, the quality of lifecycle controls, and the consistency of policy enforcement across login, recovery, and exception handling.
  • Credential Lifecycle: The end-to-end management of a credential from issuance through use, replacement, revocation, and retirement. Strong lifecycle control is what keeps passwordless or MFA programmes from drifting into unmanaged exceptions, stale access, or inconsistent user recovery paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Jerome Becquart on why current approaches to authentication are failing employees. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org