TL;DR: Passwordless authentication is gaining traction because 60% of workers say authentication has stopped them from doing their jobs and almost half have been locked out of productivity tools, according to Axiad's interview. The real issue is not just user friction but whether identity governance can keep pace when multiple credentials, devices, and assurance methods must be managed across the enterprise.
At a glance
What this is: Axiad's interview argues that passwordless authentication is becoming necessary because current employee authentication approaches are too brittle, too fragmented, and too disruptive.
Why it matters: It matters because IAM teams now have to balance user experience, phishing resistance, and governance across human, machine, and digital interactions without letting weak fallback paths reintroduce risk.
By the numbers:
- 60% admitted that authentication processes have stopped them from doing their job.
- 60% also said they had to contact the IT department at their workplace because they were locked out of their computer.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Passwordless authentication is not just a user convenience discussion. It is an identity governance problem that sits at the intersection of assurance, device management, and operational resilience. When employees keep falling back to older credentials or alternate methods, the programme is already signalling that the control design is not aligned with how people actually work.
The article is really about how organisations manage transition friction while strengthening trust in users and machines. That makes it relevant to human IAM first, but it also has clear implications for how enterprises govern machine identities and other non-human access paths that often inherit the same weak fallback habits.
This post centres on passwordless authentication, but the deeper issue is authentication governance. A programme that cannot simplify login without creating shadow workarounds will struggle to sustain zero trust, recertification, and access policy enforcement at scale.
Key questions
Q: How should organisations implement passwordless authentication without creating fallback risk?
A: Start by inventorying every route that still allows users to authenticate with passwords, recovery codes, or helpdesk overrides. Then phase passwordless enforcement so users cannot keep both the old and new path indefinitely. The goal is not just stronger login, but the removal of insecure alternatives that keep legacy risk alive.
Q: Why do passwordless programmes fail in practice?
A: They fail when organisations treat them as a technical rollout instead of an identity governance change. Users often revert to whatever is fastest if the new process creates friction, and IT teams may keep exceptions open too long. Without lifecycle controls, the weakest authentication path survives.
Q: What signals indicate authentication governance is working?
A: Look for reduced helpdesk lockouts, lower fallback usage, and consistent adoption of the intended method across user groups. If users are still switching between multiple MFA methods or calling support to bypass the process, the programme has not stabilised. Good governance shows up as fewer exceptions and less recovery traffic.
Q: How can security teams balance user experience with stronger identity controls?
A: Design the process around the tasks employees need to complete, then remove unnecessary branching in login and recovery. Stronger identity controls succeed when users can complete work without detours, but convenience cannot be allowed to preserve weak methods. Better experience should come from fewer options, not more exceptions.
Technical breakdown
Passwordless authentication and fallback credential risk
Passwordless authentication replaces reusable secrets with stronger factors such as device-bound keys, biometrics, or phishing-resistant methods. The technical problem is not the new factor itself, but the fallback path. If users can continue using old passwords, unmanaged apps, or ad hoc support resets, the enterprise still carries the weakest assurance path forward. That creates a mixed trust model where the official control and the operational reality diverge. In practice, passwordless adoption fails when the transition is treated as a feature rollout instead of an access-policy migration.
Practical implication: remove weak fallback routes and require policy enforcement before users regain normal access.
Phishing-resistant MFA and identity assurance
Phishing-resistant MFA strengthens authentication by binding access to a legitimate device or cryptographic credential that is harder to intercept or replay. This is most effective when the identity proofing and credential lifecycle are governed together, not as separate projects. A modern identity stack can include FIDO, smart cards, Windows Hello for Business, and PKI, but the assurance value depends on consistent issuance, revocation, and reporting. Without those controls, the organisation improves the login method but not the identity governance model behind it.
Practical implication: align credential issuance, revocation, and audit reporting with the authentication method you deploy.
Centralised management of people and machines
The article points to a single platform approach for managing people, machines, and digital interactions. That matters because identity sprawl often creates different control planes for each population, which increases operational gaps and user confusion. When organisations unify administration, they can enforce consistent policy, but only if they preserve separation of duties and actor-specific assurance requirements. The important technical point is that a shared management layer does not mean shared risk tolerance. Human identities, machine identities, and service access still need distinct governance rules.
Practical implication: unify administration where possible, but keep actor-specific policy and lifecycle rules intact.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication is an identity governance migration, not a UX upgrade. The article shows that employees do not simply adopt new authentication methods because they exist. They revert to older credentials, alternate devices, and support workarounds when the transition is poorly managed. That means the governance problem is persistence of legacy access paths, not just password fatigue. Practitioners should treat passwordless programmes as policy and lifecycle changes, not interface changes.
Authentication friction creates shadow identity behaviour. When 60% of workers say authentication has stopped them from doing their jobs, the programme is producing operational resistance rather than control adoption. That resistance often leads to insecure bypasses, duplicated methods, and fragmented support workflows. The field should stop assuming that stronger authentication automatically produces stronger governance. Practitioners need to measure whether users are following the intended path or escaping it.
Phishing-resistant MFA only delivers value when the credential lifecycle is controlled end to end. The article's emphasis on multiple credential types, unified management, and standard-based integration reflects a broader governance truth. Authentication assurance breaks down when enrolment, recovery, replacement, and revocation are managed inconsistently across devices and user groups. The implication for IAM teams is to govern the whole lifecycle of the factor, not only the login experience.
Unified identity tooling must still respect actor differences. A single interface can simplify operations, but human authentication, machine access, and regulated exchange workflows are not interchangeable. If governance collapses all three into one undifferentiated policy model, assurance gaps will appear where the risk profiles differ most. The practical conclusion is that centralisation should reduce operational complexity without flattening the identity model.
Credential sprawl: the real risk is not passwordless adoption itself, but the uncontrolled spread of fallback credentials, devices, and recovery methods. That sprawl is what keeps legacy authentication alive even after a modern programme is announced. When organisations manage the migration as a lifecycle problem, they can see which access paths still undermine the intended control state. Practitioners should measure and retire every fallback path before declaring the programme complete.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why credential governance fails when fallback paths are left untracked.
- The 52 NHI Breaches Analysis shows how visibility and lifecycle gaps turn identity shortcuts into repeatable attack paths across machine and service identities.
What this signals
Passwordless programmes now function as governance tests. If the organisation still needs password resets, repeated MFA exceptions, or opaque recovery paths, then the new method has not displaced the old control model. Security leaders should treat fallback reduction as a measurable programme outcome, not an implementation detail. That is where the real risk reduction lives, and it is also where adoption usually stalls.
Identity teams should expect authentication and lifecycle work to converge. A passwordless rollout forces decisions about enrolment, revocation, replacement, recovery, and reporting that often sit across IAM, PAM, and helpdesk operations. The sharper the authentication policy, the more visible the governance seams become. Teams that link passwordless controls to lifecycle oversight will be better placed to support zero trust without creating user-driven bypasses.
Authentication modernisation is exposing credential debt. The longer an enterprise supports multiple login methods, the more recovery paths, exception rules, and device dependencies accumulate. That is why passwordless adoption should be paired with visibility into where legacy methods still remain active. For teams building a broader identity programme, the first job is to understand which authentication routes are still carrying risk rather than value.
For practitioners
- Map every fallback authentication path: inventory passwords, device resets, alternate MFA apps, helpdesk recovery flows, and any legacy login route that still grants access. Remove or restrict the paths that let users bypass the intended passwordless method.
- Enforce policy before normal access resumes: require users to activate new devices or update credentials before they can continue work, rather than after the fact. Tie this to access restoration workflows so insecure methods cannot remain in use for convenience.
- Standardise credential management across populations: use one governance model for issuance, revocation, and reporting, but keep separate assurance rules for people, machines, and regulated exchange use cases. Centralisation should simplify control, not erase actor-specific requirements.
- Track adoption against productivity exceptions: measure lockouts, helpdesk escalations, and repeated fallback use as governance signals. If authentication is stopping work, the issue is not just user training; it is a control design that needs adjustment.
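As an added example (not code from Axiad's interview or from NHIMG), the adoption signals in the list above, and the fallback-path risk described in the technical breakdown, can be measured directly from sign-in events. It assumes a constructed JSON-lines log with the field names shown, and treats every method outside the phishing-resistant set as a fallback path to be tracked and retired.

```python
"""Fallback-path and lockout metrics over constructed sign-in events."""
import json
from collections import defaultdict

# Assumed taxonomy: the methods the programme intends users to be on.
# Anything else (password, recovery code, SMS OTP, helpdesk reset, ...) is a fallback path.
PHISHING_RESISTANT = {"fido2", "smart_card", "windows_hello_for_business"}
HELPDESK_RESET = "helpdesk_reset"

# Constructed sample log, one JSON object per line; field names are assumptions.
SAMPLE_LOG = """\
{"user":"alice","group":"finance","method":"fido2","result":"success","enrolled_passwordless":true}
{"user":"alice","group":"finance","method":"password","result":"success","enrolled_passwordless":true}
{"user":"bob","group":"finance","method":"fido2","result":"success","enrolled_passwordless":true}
{"user":"carol","group":"eng","method":"helpdesk_reset","result":"success","enrolled_passwordless":true}
{"user":"carol","group":"eng","method":"recovery_code","result":"success","enrolled_passwordless":true}
{"user":"dave","group":"eng","method":"password","result":"failure","enrolled_passwordless":false}
{"user":"dave","group":"eng","method":"password","result":"lockout","enrolled_passwordless":false}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fallback_report(events):
    """Per-group fallback ratio, lockouts and helpdesk resets, plus enrolled users still bypassing."""
    groups = defaultdict(lambda: {"total": 0, "fallback": 0, "lockouts": 0, "helpdesk_resets": 0})
    bypassers = set()  # users enrolled in passwordless who still sign in via a fallback path
    for e in events:
        g = groups[e["group"]]
        g["total"] += 1
        if e["method"] not in PHISHING_RESISTANT:
            g["fallback"] += 1
            if e["enrolled_passwordless"]:
                bypassers.add(e["user"])
        if e["method"] == HELPDESK_RESET:
            g["helpdesk_resets"] += 1
        if e["result"] == "lockout":
            g["lockouts"] += 1
    for g in groups.values():
        g["fallback_ratio"] = round(g["fallback"] / g["total"], 2)
    return dict(groups), sorted(bypassers)


def programme_stabilised(groups, max_fallback_ratio=0.1, max_lockouts=0):
    """The article's 'stabilised' signal: low fallback usage and no lockouts in every group."""
    return all(g["fallback_ratio"] <= max_fallback_ratio and g["lockouts"] <= max_lockouts
               for g in groups.values())


if __name__ == "__main__":
    report, still_on_fallback = fallback_report(parse_events(SAMPLE_LOG))
    for name, g in report.items():
        print(f"{name}: fallback {g['fallback_ratio']:.0%}, lockouts {g['lockouts']}, "
              f"helpdesk resets {g['helpdesk_resets']}")
    print("enrolled users still on fallback paths:", still_on_fallback)
    print("stabilised:", programme_stabilised(report))
```

The thresholds in `programme_stabilised` are placeholders; a real programme would set them per user group and trend them over time rather than judge a single window.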
Key takeaways
- Passwordless authentication solves only part of the problem if legacy login and recovery paths remain available.
- The article's core signal is that authentication friction drives bypass behaviour, which turns user experience into a governance issue.
- IAM teams should measure fallback reduction, not just rollout progress, if they want stronger identity assurance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Passwordless authentication changes how identities are authenticated and recovered. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust depends on stronger, context-aware identity verification. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle controls matter when machine and human authentication paths coexist. |
Align login, recovery, and exception handling to a consistent authentication assurance policy.
Key terms
- Passwordless Authentication: An authentication approach that removes reusable passwords and replaces them with stronger methods such as device-bound credentials, cryptographic keys, or biometrics. In practice, it only improves security when fallback paths, recovery workflows, and legacy login options are also governed tightly.
- Phishing-Resistant MFA: Multi-factor authentication designed to resist interception, replay, and credential theft during the login process. The strongest implementations bind authentication to a trusted device or cryptographic credential, but the control loses value if recovery and exception handling still allow weaker sign-in methods.
- Authentication Fallback Path: Any alternate route that lets a user get into a system when the primary authentication method fails. Fallback paths are often the hidden weakness in modern identity programmes because they preserve older secrets, support workarounds, or emergency access flows that attackers can target.
- Credential Lifecycle: The full set of steps covering issuance, use, replacement, recovery, revocation, and retirement of an identity credential. For passwordless programmes, lifecycle control is as important as the login method itself because unmanaged transitions leave older access paths in circulation.
Deepen your knowledge
Passwordless authentication, phishing-resistant MFA, and identity lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are managing a transition from legacy authentication to stronger identity controls, it is worth exploring.
This post draws on content published by Axiad: Jerome Becquart on why current approaches to authentication are failing employees. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org