By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Authentication problems stopped 60% of 2,000 US office workers from doing their job, 59% had contacted IT after being locked out, and 15% said fixes took nine hours or longer, according to Axiad’s survey. The pattern shows authentication friction is now a productivity and governance problem, not just a user experience complaint.


At a glance

What this is: Axiad’s survey shows password friction and lockouts are directly disrupting work, with a majority of respondents reporting authentication-related productivity loss.

Why it matters: Authentication design shapes human IAM first, but the same governance lessons carry into NHI credential management and autonomous access control, where fallback credentials and recovery paths are just as likely to become the real control.

By the numbers:

  • 60% of the 2,000 US office workers surveyed said authentication problems had stopped them doing their job.
  • 59% had contacted IT after being locked out.
  • 15% said fixes took nine hours or longer; the average recovery window was almost five hours.
  • Nearly half said IT had never asked them to use anything other than passwords.

👉 Read Axiad's survey on passwords and workplace productivity


Context

Password friction is not just an end-user inconvenience. When authentication breaks work, it exposes a governance gap between how identity systems are designed and how employees actually operate across devices, apps, and support channels.

This survey, based on 2,000 US office workers, shows that password-based access still creates avoidable downtime, help desk demand, and communication disruption. For IAM teams, the issue is no longer whether passwords are disliked, but whether the current authentication model is fit for the work it is meant to support.


Key questions

Q: How should IAM teams reduce password-related productivity loss?

A: They should start by measuring where password failures interrupt work most often, then redesign the highest-friction journeys first. That means stronger recovery flows, clearer enrolment, and expanding phishing-resistant methods where business impact is highest. If the programme cannot show reduced lockouts and faster restoration, the control change has not yet improved identity operations.

Q: Why do passwords create more than a security problem?

A: Passwords create a productivity problem because every forgotten credential, lockout, and reset interrupts work and consumes support time. In practice, the risk is not only compromised access, but also operational drag across collaboration tools, endpoints, and business applications. A healthy identity programme should reduce both exposure and interruption.

Q: How do you know if passwordless authentication is actually working?

A: Look for fewer lockouts, fewer reset tickets, and shorter time to restore access without increasing help desk escalation. If users still rely on password recovery as the normal path back in, the programme has not removed the underlying friction. Adoption should show up as smoother access, not just a new login method.

Q: What role should MFA play when passwords remain in use?

A: MFA should be the baseline control for sensitive access, but it will not solve poor recovery design or inconsistent enforcement. Teams need to make MFA mandatory where risk justifies it, then ensure enrolment and fallback paths do not push users back to passwords. Otherwise, the weakest path stays in place.


Technical breakdown

Password-based authentication and help desk load

Password resets, lockouts, and failed sign-ins create a repeatable support burden because the authentication event is tied to memory, reuse, and recovery workflows. In practical IAM terms, every password failure becomes an operational interruption, not just an access issue. The survey data shows that repeated recovery loops consume employee time and IT time at the same moment, which makes the authentication control part of the productivity stack as much as the security stack.

Practical implication: measure lockout volume and reset frequency as operational risk, not just support metrics.

Passwordless authentication and user experience

Passwordless authentication reduces dependence on memorised secrets by shifting verification to stronger factors such as device-bound credentials or phishing-resistant methods. The point is not convenience alone. It is to remove a brittle identity step that interrupts work, increases support contacts, and encourages weak fallback behaviour. If users still need password recovery as the primary path back into work, the programme remains exposed to avoidable friction.

Practical implication: prioritise passwordless paths for high-friction user groups and critical applications first.

MFA awareness versus enforcement gaps

Awareness of multi-factor authentication does not equal operational adoption. The survey shows a gap between what employees know exists and what their IT departments actually require, which is a common IAM failure mode when policy, rollout, and exception handling are misaligned. In practice, authentication improvements stall when teams treat MFA as a user choice instead of a baseline control with managed rollout and clear recovery paths.

Practical implication: audit where MFA is optional in practice, then close those policy exceptions before expanding rollout.



NHI Mgmt Group analysis

Password friction is a governance failure, not just a user complaint. When authentication repeatedly interrupts work, the identity programme is measuring control enforcement without measuring operational cost. That disconnect matters because IAM controls are only effective if people can complete their work without bypassing them. Practitioners should treat high lockout rates as evidence that the access model is misaligned with business use.

Authentication recovery time is a hidden identity risk metric. An average recovery window of almost five hours turns a single access failure into a material productivity event. That is long enough to affect collaboration, service continuity, and support capacity. Teams that do not track recovery duration are blind to the real cost of their authentication design, especially where password fallback remains the default.

Passwords create an avoidable exception economy. When nearly half of respondents say IT never asked them to use anything other than passwords, the issue is not just user preference. It is a control design that normalises weaker paths because the stronger path was never operationalised. That pattern also matters beyond human IAM, because any identity programme that depends on fallback credentials will accumulate exception handling and support debt.

Passwordless access is a lifecycle issue as much as an authentication issue. Identity teams often frame passwordless as a front-end improvement, but the real work is in enrolment, recovery, device trust, and exception handling. Those governance steps determine whether the control reduces friction or simply moves it elsewhere. Practitioners should align authentication changes with lifecycle policy, not treat them as isolated UX fixes.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity oversight remains in many environments.
  • The 52 NHI Breaches Analysis shows how exposed credentials and weak lifecycle controls turn identity gaps into real incidents.

What this signals

Password friction is a sign that identity governance is being measured too narrowly. If teams only track authentication success, they miss the operational cost of access recovery and the support burden that follows. That same blind spot often appears in NHI programmes when credential sprawl is monitored less rigorously than user convenience. The governance lesson is to measure time lost, exception handling, and fallback usage as first-class identity outcomes.

A strong authentication programme should reduce reliance on recoverable secrets and make the intended path easier than the exception path. That principle applies across human IAM, NHI governance, and emerging agent access patterns. When recovery becomes the default, the control model has already drifted into unmanaged exception handling.

Identity teams should expect growing pressure to connect authentication design with productivity, resilience, and lifecycle governance. The practical response is not to remove all friction, but to remove avoidable friction while tightening oversight where access is high risk. That is where programmes begin to align security intent with day-to-day execution.


For practitioners

  • Measure authentication friction as an operational control metric: Track lockouts, reset volume, and mean time to restore access for critical user groups. Use those numbers to identify which applications and populations create the most downtime, then redesign recovery paths before expanding enforcement.
  • Prioritise passwordless for the highest-friction workflows: Start with the applications that generate the most help desk traffic or business interruption. Introduce phishing-resistant methods where device trust and enrolment can be governed cleanly, then reduce password fallback gradually.
  • Close MFA policy gaps where adoption remains optional: Map where MFA is only recommended, selectively enforced, or bypassed through exceptions. Standardise enforcement for those paths and make recovery workflows explicit so users are not forced back to passwords by default.
  • Treat recovery design as part of identity governance: Define who can recover access, which proofs are required, and how quickly recovery should complete for each application tier. If the process is inconsistent, users will keep falling back to the easiest credential path instead of the intended control.
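
The measurement steps above, and the MFA enforcement gap described in the technical breakdown, can be checked against actual sign-in and help-desk records rather than estimated. The Python audit below is an added example, not code from the original post or from Axiad. It runs over constructed sample records embedded in the script; the record layout, the application names, and the thresholds (no MFA-less sign-ins, recovery within one hour, no lockouts) are assumptions for illustration, not survey or standards values. It computes lockouts per application, the share of successful sign-ins that completed without MFA (MFA optional in practice), and mean time to restore access, then flags the applications that breach the thresholds.

```python
"""Audit sign-in and help-desk records for authentication friction and MFA gaps.

Added example. All records below are constructed for illustration; they are
not survey data and were not exported from any real identity provider.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sign-in events: (timestamp, user, app, result, mfa_used).
# result is "success", "failure" or "lockout"; mfa_used is True/False for
# successes and None where the sign-in never reached an MFA decision.
SIGNIN_EVENTS = [
    ("2025-09-01T08:00:00", "alice", "payroll", "success", True),
    ("2025-09-01T08:05:00", "bob",   "payroll", "success", False),
    ("2025-09-01T08:07:00", "bob",   "payroll", "success", False),
    ("2025-09-01T09:00:00", "carol", "crm",     "failure", None),
    ("2025-09-01T09:01:00", "carol", "crm",     "failure", None),
    ("2025-09-01T09:02:00", "carol", "crm",     "lockout", None),
    ("2025-09-01T13:30:00", "carol", "crm",     "success", True),
    ("2025-09-02T08:00:00", "dave",  "crm",     "success", True),
    ("2025-09-02T08:10:00", "erin",  "wiki",    "lockout", None),
    ("2025-09-02T10:00:00", "erin",  "wiki",    "success", False),
]

# Constructed help-desk tickets: (opened, resolved, user, app, category).
TICKETS = [
    ("2025-09-01T09:05:00", "2025-09-01T13:25:00", "carol", "crm",  "lockout"),
    ("2025-09-02T08:12:00", "2025-09-02T09:55:00", "erin",  "wiki", "lockout"),
    ("2025-09-02T11:00:00", "2025-09-02T11:30:00", "frank", "wiki", "password_reset"),
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def lockouts_per_app(events):
    """Number of lockout events per application."""
    counts = defaultdict(int)
    for _, _, app, result, _ in events:
        if result == "lockout":
            counts[app] += 1
    return dict(counts)


def mfa_gap_per_app(events):
    """Share of successful sign-ins per app that completed without MFA.

    Anything above 0.0 means MFA is optional in practice for that app,
    whatever the written policy says.
    """
    successes, without_mfa = defaultdict(int), defaultdict(int)
    for _, _, app, result, mfa_used in events:
        if result != "success":
            continue
        successes[app] += 1
        if not mfa_used:
            without_mfa[app] += 1
    return {app: without_mfa[app] / successes[app] for app in successes}


def mttr_hours_per_app(tickets):
    """Mean time to restore access per app, ticket opened to ticket resolved."""
    durations = defaultdict(list)
    for opened, resolved, _, app, _ in tickets:
        durations[app].append(_hours_between(opened, resolved))
    return {app: mean(values) for app, values in durations.items()}


def audit(events, tickets, max_mfa_gap=0.0, max_mttr_hours=1.0, max_lockouts=0):
    """Return {app: [finding, ...]} for apps breaching the thresholds.

    The default thresholds (no MFA-less successes, recovery within one hour,
    no lockouts) are assumptions for this example, not survey or standards values.
    """
    findings = defaultdict(list)
    for app, gap in mfa_gap_per_app(events).items():
        if gap > max_mfa_gap:
            findings[app].append(
                f"MFA optional in practice: {gap:.0%} of successful sign-ins had no MFA")
    for app, hours in mttr_hours_per_app(tickets).items():
        if hours > max_mttr_hours:
            findings[app].append(f"slow recovery: mean {hours:.1f} h to restore access")
    for app, count in lockouts_per_app(events).items():
        if count > max_lockouts:
            findings[app].append(f"{count} lockout(s) in window")
    return dict(findings)


if __name__ == "__main__":
    for app, reasons in sorted(audit(SIGNIN_EVENTS, TICKETS).items()):
        print(app)
        for reason in reasons:
            print("  -", reason)
```

To use it on real data, feed the three metric functions exports from the identity provider's sign-in log and the ticketing system in the same tuple layout, and set the recovery target per application tier rather than globally. The MFA share is computed only from successful sign-ins, so any non-zero value is direct evidence that MFA is bypassed or unenforced for that application, which is the audit step the MFA section calls for before expanding rollout.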

Key takeaways

  • Password-related friction is a measurable governance problem because it interrupts work, not just logins.
  • The survey shows that lockouts and recovery time create real operational cost, making authentication design a productivity issue.
  • IAM teams should use recovery metrics, MFA enforcement, and passwordless rollout together rather than treating them as separate projects.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 sets the authenticator assurance and lifecycle requirements, NIST CSF 2.0 supplies the identity governance categories, and NIST SP 800-207 describes the Zero Trust architecture those controls operate within.

Framework                      Control / Reference                           Relevance
NIST SP 800-63                 SP 800-63B (AALs, authenticator lifecycle)    Authentication assurance and recovery design directly shape this topic.
NIST CSF 2.0                   PR.AA                                         Identity management, authentication and access control map to identity governance controls.
NIST Zero Trust (SP 800-207)   Zero Trust tenets (Section 2.1)               Continuous verification and per-request access decisions support phishing-resistant access.

Map authentication workflows to CSF identity controls and reduce exception-driven access paths.


Key terms

  • Passwordless Authentication: A sign-in method that removes the password as the primary proof of identity and replaces it with stronger verification such as device-bound credentials or phishing-resistant factors. In practice, the value comes from reducing recovery debt, lockouts, and weak fallback paths that keep password controls alive.
  • Authentication Friction: The delay, confusion, and support burden created when users cannot complete sign-in cleanly. In IAM programmes, friction is a governance signal because it drives resets, exceptions, and workarounds. If users routinely hit the recovery path, the authentication design is not yet operationally stable.
  • Fallback Path: A secondary access route used when the primary authentication method fails. Fallback paths matter because they often become the real control in day-to-day use. If they are easier than the intended method, the organisation will drift toward them and weaken its identity posture.

Deepen your knowledge

Authentication design, passwordless rollout, and recovery governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising access across human and non-human identities, it is worth exploring.

This post draws on content published by Axiad: Do passwords impact productivity? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org