Frictionless MFA: what IAM teams miss about adoption and scale


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Frictionless authentication only works when security design accounts for the full mix of users, administrators, and executives, because friction at any point drives workarounds and weakens MFA adoption, according to Axiad. The deeper issue is programme design: controls that ignore population differences and staffing constraints fail in practice, not theory.

NHIMG editorial — based on content published by Axiad: What’s All the Hype about Frictionless?

By the numbers:

Questions worth separating out

Q: How should IAM teams reduce friction without weakening MFA controls?

A: Start by removing unnecessary steps, clarifying enrollment and recovery, and making the secure path the easiest path for each user population.

Q: Why do identity controls fail when they create too much friction?

A: They fail because users optimise for speed and continuity of work.

Q: How do security teams know if frictionless MFA is actually working?

A: Look for lower help desk load, fewer recovery events, fewer bypass requests, and steady completion rates across user populations.

Practitioner guidance

  • Map authentication friction by population: Track enrollment failures, help desk escalations, bypass requests, and recovery events separately for end users, IT teams, and executives so you can see where friction is driving workarounds.
  • Test the support burden before rollout: Validate whether the security team can maintain the control with current staffing, training, and tooling, especially if the environment already has a disconnected patchwork of products.
  • Build audit evidence into the design: Require reporting, certification, and assurance outputs as part of the control baseline so that compliance can be demonstrated without manual reconstruction after the fact.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The vendor's population-by-population breakdown of how friction affects end users, IT teams, and executive stakeholders.
  • The supporting commentary on compliance audits, assurance expectations, and what enterprise buyers ask for in higher-assurance environments.
  • The original framing of the Frictionless DNA program and how Axiad positions its internal delivery model.
  • The article's broader marketing context around authentication and customer engagement.

👉 Read Axiad's blog post on frictionless MFA and enterprise adoption →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Friction is a governance failure, not a user complaint. Identity programmes often describe adoption problems as change-management issues, but the deeper issue is control design. If the secure path is slower than the insecure path, users will optimise for work completion, not policy compliance. The implication is that authentication design has to be judged by behaviour under pressure, not by policy intent alone.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when MFA design fails across the enterprise?

A: Accountability sits with the identity and security owners who choose the control design, but it also extends to operations leaders who must sustain it. If auditability, support capacity, and user experience were not built into the programme, the failure is architectural, not just procedural. Governance must cover deployment, operation, and evidence generation together.

👉 Read our full editorial: Frictionless MFA fails when security design ignores user populations



   