By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Authentication friction is not just a user-experience problem; it is an identity governance failure that pushes risk into daily operations, according to Axiad’s survey of 2,000 US office workers. The survey found that 60% said authentication stopped them doing their jobs, 59% contacted IT because they were locked out, and workers spent an average of 4 hours 43 minutes fixing authentication issues.


At a glance

What this is: Axiad’s survey shows that password-based authentication is still causing measurable productivity loss and repeated lockouts for office workers.

Why it matters: IAM teams need to treat authentication friction as a governance and resilience issue because the same weak experience that slows humans also normalises risky fallback behaviour across identity programmes.

By the numbers:

  • 60% of workers said authentication stopped them doing their jobs.
  • 59% contacted IT because they were locked out.
  • Workers spent an average of 4 hours 43 minutes fixing authentication issues.
  • 67% know MFA exists, yet 46% say IT never asked them to use anything other than passwords.

👉 Read Axiad's survey on passwords and productivity


Context

Passwords are a human identity control, but they often behave like an operational bottleneck when users are forced into repeated resets, lockouts, and help desk calls. In this survey, Axiad frames the problem as productivity loss, but the underlying issue for identity teams is that weak authentication design leaks into workflow disruption, support cost, and avoidable risk.

For IAM and security architects, the more interesting signal is not simply that passwords are disliked. It is that organisations still depend on them even when workers already know about alternatives such as MFA, which suggests a governance gap between awareness, rollout, and real adoption. That gap matters across human identity programmes and also influences how teams think about NHI controls and access recovery.


Key questions

Q: How should organisations reduce password-related lockouts without weakening security?

A: They should move the highest-friction user groups to stronger authentication methods, then track whether lockouts, reset calls, and recovery time fall. The goal is not to remove assurance, but to remove dependency on memorised secrets as the default access method. If the same users keep failing login, the authentication design is not aligned with how they work.

Q: Why do passwords still create productivity problems in mature IAM programmes?

A: Passwords still create problems because they depend on human memory, frequent reuse, and manual recovery. Even where stronger options exist, organisations often leave legacy methods in place too long, so the business keeps paying for lockouts, resets, and help desk intervention. Mature IAM is not just about policy strength; it is about reducing avoidable interruption.

Q: How can teams tell whether authentication improvements are actually working?

A: Look for declining reset volume, fewer lockout incidents, shorter recovery times, and lower help desk demand for identity issues. If those signals do not improve after a rollout, the new method may exist on paper but not be embedded in daily use. Success means users spend less time recovering access and more time doing work.

Q: What should security and IAM leaders do when users know about MFA but still use passwords?

A: They should treat that as a rollout and governance failure, not a knowledge problem. The organisation must examine default policy, application compatibility, and exception handling to understand why stronger methods are optional in practice. Awareness without enforcement leaves the password as the path of least resistance.


Technical breakdown

Why password lockouts create an identity operations bottleneck

Password lockouts create a bottleneck because the identity system shifts failure handling from the authentication layer into the support function. When users cannot authenticate, they stop working, call IT, and often wait for manual recovery. That turns routine identity events into service interruptions. The survey data shows this is not occasional friction. It is a repeated operational drag caused by a control model that still relies on memorised secrets and human recall under pressure.

Practical implication: reduce dependency on password recovery flows and measure authentication failure as a service availability issue, not only an access issue.

Passwordless adoption and the gap between awareness and rollout

Awareness of MFA or passwordless methods does not equal deployment. The survey suggests that many workers know alternatives exist, yet their organisations have not moved them beyond passwords. That mismatch usually reflects policy inertia, inconsistent platform support, and uneven lifecycle planning for authentication methods. From an identity governance perspective, the key problem is not the existence of better controls but the failure to operationalise them consistently across the workforce.

Practical implication: map which user groups still depend on passwords and prioritise rollout where support burden and business interruption are highest.

Human authentication friction as a broader identity governance signal

Authentication friction is often treated as a user-experience issue, but it is also a governance signal. High friction means access methods are not aligned with how people work, which increases the chance of insecure workarounds, repeated resets, and exception handling. In mature IAM programmes, authentication should support both assurance and continuity. When it fails repeatedly, the programme is revealing that policy, technology, and workforce behaviour are out of sync.

Practical implication: track authentication failure rates alongside user support metrics and use them to drive identity programme redesign.



NHI Mgmt Group analysis

Password friction is an identity governance failure, not just a usability complaint. When 60% of workers say authentication stopped them doing their jobs, the control is no longer merely inconvenient; it is breaking business flow. The programme lesson is that authentication design must be judged by operational continuity as well as assurance.

Human identity controls still fail when adoption lags behind awareness. The survey shows that 67% know MFA exists, yet 46% say IT never asked them to use anything other than passwords. That gap exposes a rollout and governance problem, not a technology shortage. Practitioners should treat policy enforcement, exception handling, and method migration as the real control plane.

Password-based recovery creates avoidable support load that scales with the size of the workforce. A system where 59% contact IT for lockouts and workers spend almost five hours fixing authentication issues is a programme-level drag. The implication is that access design, help desk load, and identity resilience are linked metrics, not separate concerns.

Identity programmes need a named concept for this pattern: authentication productivity debt. It is the accumulated business cost created when routine login failures consume work time, support effort, and user patience. The debt grows when organisations delay passwordless or stronger authentication adoption. Practitioners should treat this as a measurable design defect in the human identity stack.

Zero trust for human users depends on reducing legacy password dependence. Authentication cannot remain a weak, interruptive step while the rest of the programme asks for continuous verification and stronger assurance. The lesson for identity leaders is that authentication modernisation is part of security architecture, not a separate UX project.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams are still operating without complete machine identity inventory.
  • For a wider view of lifecycle and offboarding controls, read Ultimate Guide to NHIs alongside 52 NHI Breaches Analysis.

What this signals

Password friction is often the first visible sign that an identity programme is carrying too much legacy state. When authentication is built around memorised secrets, the help desk becomes part of the access control surface, and that creates an operational cost that security leaders need to measure explicitly.

Authentication productivity debt: this is the growing business cost of repeated login failures, lockouts, and recovery steps. As organisations modernise workforce identity, they should expect pressure to shift from password policy debates toward measurable outcomes such as fewer resets, faster recovery, and lower exception rates.

For teams aligning with NIST Cybersecurity Framework 2.0, the signal here is that protect and govern functions have to be evaluated through user outcomes as well as policy compliance. In practice, a better authentication model should reduce friction while preserving assurance.


For practitioners

  • Measure authentication friction as an operational risk: Track lockout frequency, reset volume, and time lost to authentication recovery alongside normal IAM metrics. Use those figures to identify where password dependence is creating the most disruption.
  • Prioritise passwordless rollout for the most interrupted user groups: Focus first on teams that report frequent lockouts, heavy app dependence, or repeated IT contact. That makes the change visible in support cost and business continuity, not just in policy documents.
  • Remove informal password exceptions from policy paths: Review departments that still rely on passwords by default even where MFA or stronger methods are already available. Close the gap between what users know exists and what the organisation actually requires.
  • Tie authentication method decisions to help desk trends: Use service desk data to identify recurring authentication failures and build them into authentication roadmap decisions. That creates a direct link between identity design and day-to-day productivity impact.
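
The measurements called for in the Technical breakdown above (authentication failure as a service-availability metric, mapping which user groups still depend on passwords, and checking whether a rollout actually moved lockouts, resets and recovery time) and in this list can all be derived from one authentication event stream. The Python below is an added example written for this page, not tooling from Axiad or NHI Mgmt Group. The log format, event names, user and group names and every sample line are constructed for illustration, and the rollout-priority rule (most time lost, then most lockouts, then most password-dependent users) is an assumption of the example rather than something the survey prescribes.

```python
"""Authentication-friction metrics over a workforce authentication event stream.

Added example for this page; not Axiad's or NHI Mgmt Group's own tooling. The log
format, event names, group names and sample lines are constructed, and the
rollout-priority rule is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample events: "<ISO-8601 UTC time> <event> <user> <group> <auth_method>".
# Lines are deliberately out of time order, as a merged export from several sources might be.
EVENTS_BEFORE = """\
2025-09-01T08:02:45Z login_fail alice finance password
2025-09-01T08:03:00Z lockout alice finance password
2025-09-01T08:06:00Z reset_request alice finance password
2025-09-01T09:31:00Z access_restored alice finance password
2025-09-01T08:15:00Z login_ok bob engineering fido2
2025-09-01T10:01:00Z lockout carol finance password
2025-09-01T10:02:00Z reset_request carol finance password
2025-09-01T10:48:00Z access_restored carol finance password
2025-09-01T11:00:00Z login_ok dave sales password
2025-09-02T09:00:20Z lockout erin sales password
2025-09-02T09:30:20Z access_restored erin sales password
2025-09-02T08:10:00Z lockout alice finance password
2025-09-02T08:12:00Z reset_request alice finance password
2025-09-02T11:10:00Z access_restored alice finance password
2025-09-02T09:06:00Z login_fail frank engineering fido2
2025-09-02T09:06:30Z login_ok frank engineering fido2
"""

# Constructed events from a later period, after the finance group moved to FIDO2 passkeys.
EVENTS_AFTER = """\
2025-10-01T08:00:00Z login_ok alice finance fido2
2025-10-02T08:01:00Z login_fail carol finance fido2
2025-10-02T08:01:30Z login_ok carol finance fido2
2025-10-02T09:20:00Z lockout erin sales password
2025-10-02T09:50:00Z access_restored erin sales password
"""

# Metrics a rollout is expected to push down (the signals named in "Key questions").
WATCHED = ("lockouts", "resets", "total_lost_minutes", "mean_recovery_minutes")


def parse_events(text: str) -> List[dict]:
    """Parse event lines into dicts, skipping blank lines and '#' comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, user, group, method = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "group": group, "method": method})
    return events


def friction_metrics(events: List[dict]) -> Dict[str, dict]:
    """Per-group lockouts, reset volume, recovery time and password dependence.

    Recovery time runs from a user's lockout to their next access_restored event, so it
    includes help-desk queue time (the availability view). A lockout that is never
    restored still counts as a lockout but contributes no recovery time.
    """
    groups = defaultdict(lambda: {"users": set(), "password_users": set(), "locked_users": set(),
                                  "lockouts": 0, "resets": 0, "recovery_minutes": []})
    open_lockout = {}  # user -> timestamp of the earliest unresolved lockout
    for e in sorted(events, key=lambda ev: (ev["user"], ev["ts"])):
        g = groups[e["group"]]
        g["users"].add(e["user"])
        if e["method"] == "password":
            g["password_users"].add(e["user"])
        if e["event"] == "lockout":
            g["lockouts"] += 1
            g["locked_users"].add(e["user"])
            open_lockout.setdefault(e["user"], e["ts"])
        elif e["event"] == "reset_request":
            g["resets"] += 1
        elif e["event"] == "access_restored" and e["user"] in open_lockout:
            gap = e["ts"] - open_lockout.pop(e["user"])
            g["recovery_minutes"].append(gap.total_seconds() / 60)
    report = {}
    for name, g in groups.items():
        total, n = sum(g["recovery_minutes"]), len(g["recovery_minutes"])
        report[name] = {"users": len(g["users"]), "password_users": len(g["password_users"]),
                        "lockouts": g["lockouts"], "resets": g["resets"],
                        "locked_user_share": len(g["locked_users"]) / len(g["users"]),
                        "total_lost_minutes": total,
                        "mean_recovery_minutes": total / n if n else 0.0}
    return report


def rollout_priority(report: Dict[str, dict]) -> List[str]:
    """Groups ranked for passwordless rollout (assumed rule): time lost, lockouts, password users."""
    return sorted(report, reverse=True, key=lambda g: (
        report[g]["total_lost_minutes"], report[g]["lockouts"], report[g]["password_users"]))


def rollout_effect(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, dict]:
    """Per-group change in the watched metrics; 'improved' means nothing got worse and
    something fell. A group missing from the later period is treated as zero friction."""
    effect = {}
    for name, b in before.items():
        a = after.get(name, {})
        deltas = {m: a.get(m, 0) - b[m] for m in WATCHED}
        effect[name] = {**deltas, "improved": all(d <= 0 for d in deltas.values())
                        and any(d < 0 for d in deltas.values())}
    return effect


if __name__ == "__main__":
    before = friction_metrics(parse_events(EVENTS_BEFORE))
    after = friction_metrics(parse_events(EVENTS_AFTER))
    for name in rollout_priority(before):
        print(name, before[name])
    print(rollout_effect(before, after))
```

Running the block prints the groups in rollout order (finance first: three lockouts and 315 minutes lost across two users) and then the before/after deltas, where only finance shows `improved: True` because its lockouts, resets and recovery time all fell to zero after the passkey rollout while sales stayed flat. Measuring recovery from the lockout event rather than from the ticket keeps help-desk queue time inside the number, which is what makes it a service-availability figure; pair it with a check for lockouts that never reach `access_restored`, since those are open interruptions the mean does not capture.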

Key takeaways

  • Password friction is already affecting business performance, which makes authentication a governance issue, not just a convenience issue.
  • The survey shows a large gap between awareness of stronger authentication and actual rollout, which points to policy and adoption failures.
  • Identity leaders should reduce lockouts, shorten recovery time, and move users away from memorised secrets where support impact is highest.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Authentication issues directly affect access control and user verification.
NIST SP 800-63               | (not specified)     | The report concerns human authentication methods and assurance choices.
NIST Zero Trust (SP 800-207) | PR.AC-4             | Zero trust depends on continuous verification, not fragile password-only access.

Modernise workforce authentication so identity assurance is consistent with zero-trust expectations.


Key terms

  • Authentication friction: Authentication friction is the operational burden created when users struggle to prove who they are and access the systems they need. It shows up as lockouts, resets, support calls, and lost time. In mature identity programmes, it is a measurable sign that the access model is misaligned with daily work.
  • Passwordless authentication: Passwordless authentication is an access method that removes the need for users to memorise and enter a shared secret as the primary login step. It typically relies on stronger factors such as device-backed credentials or cryptographic authenticators, improving both resilience and user experience when deployed consistently.
  • Authentication productivity debt: Authentication productivity debt is the accumulated cost of repeated login failures, recovery steps, and support intervention caused by weak or poorly rolled out authentication controls. The debt is paid in lost work time, service desk volume, and user frustration. It is a useful lens for workforce identity governance.
  • Help desk identity load: Help desk identity load is the volume of support effort generated by access problems, especially password resets, lockouts, and account recovery. High load indicates that authentication controls are shifting routine identity events into manual operations. This is both a cost issue and a maturity indicator for IAM.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Do passwords impact productivity? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org