TL;DR: Authentication complexity is overwhelming 70% of security and IT professionals, while almost 85% of organisations experienced a cyberattack last year and nearly 9 in 10 plan passwordless adoption, according to Axiad and cited survey data. The real issue is not feature choice but whether MFA, phishing resistance, and user friction are governed as one identity programme.
NHIMG editorial — based on content published by Axiad: Navigating the Path to Enhanced Authentication
By the numbers:
- 70% of Security/IT Professionals say they are overwhelmed by the complexity of their authentication systems.
- Almost 85% of organizations experienced a cyberattack in the last year.
- Almost 9 in 10 told us in a recent survey that they are planning to implement a passwordless strategy in the next 12 months (or have already done so).
Questions worth separating out
Q: How should security teams choose between different MFA methods?
A: They should choose based on phishing resistance, assurance strength, and operational fit, not on the generic label MFA.
Q: Why do authentication silos create security risk?
A: Authentication silos create risk because different applications and identity systems enforce different assurance levels, recovery paths, and exception rules.
Q: When should organisations prioritise passwordless over legacy password-based login?
A: Organisations should prioritise passwordless when they can replace the weak fallback paths, exception handling, and user friction that often keep password systems alive.
Practitioner guidance
- Classify authentication methods by assurance level: separate phishing-resistant methods, push-based MFA, OTP, and passwordless flows into a formal control catalogue so business owners can see which paths still rely on weaker approval patterns.
- Remove disjointed authentication silos: map all IAM ecosystems, operating systems, and major applications to the authentication methods they accept, then eliminate duplicate control stacks where they create inconsistent policy and support overhead.
- Prioritise phishing-resistant access for high-risk roles: apply the strongest available authentication to administrator, financial, developer, and remote access paths first, since those sessions produce the greatest compromise impact if approval abuse succeeds.
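The three steps above can be carried out as one check over an inventory of access paths. The following is an added example written for this editorial, not code from Axiad or the article; the assurance ranking, the method labels and the inventory are constructed assumptions. It rates each path by the weakest method it accepts, flags high-risk roles that fall below phishing-resistant assurance, and surfaces silos as roles whose assurance differs from one application to another.

```python
"""Weakest-path check over an authentication control catalogue (constructed example)."""
from dataclasses import dataclass

# Assurance ranking, lowest to highest. Constructed for this example; the tiers
# mirror the method classes in the guidance (password fallback, OTP, push, phishing-resistant).
ASSURANCE = {
    "password": 0,
    "sms_otp": 1,
    "totp": 2,
    "push": 2,
    "number_matching_push": 3,
    "fido2": 4,        # phishing-resistant
    "certificate": 4,  # phishing-resistant (smart card / PIV)
}
PHISHING_RESISTANT = 4


@dataclass(frozen=True)
class AccessPath:
    app: str
    role: str
    methods: frozenset  # every method the app or IdP will accept for this role


def effective_assurance(path):
    """A path is only as strong as the weakest method it still accepts."""
    return min(ASSURANCE[m] for m in path.methods)


def find_gaps(paths, high_risk_roles):
    """High-risk roles whose weakest accepted path is below phishing-resistant."""
    gaps = []
    for p in paths:
        level = effective_assurance(p)
        if p.role in high_risk_roles and level < PHISHING_RESISTANT:
            weakest = sorted(m for m in p.methods if ASSURANCE[m] == level)
            gaps.append((p.app, p.role, weakest))
    return gaps


def inconsistent_roles(paths):
    """Silos show up as the same role getting different assurance on different apps."""
    by_role = {}
    for p in paths:
        by_role.setdefault(p.role, {})[p.app] = effective_assurance(p)
    return {r: apps for r, apps in by_role.items() if len(set(apps.values())) > 1}


# Constructed inventory, not taken from the article.
INVENTORY = [
    AccessPath("vpn", "admin", frozenset({"fido2", "password"})),  # password fallback left on
    AccessPath("cloud_console", "admin", frozenset({"fido2"})),
    AccessPath("erp", "finance", frozenset({"push", "totp"})),
    AccessPath("git", "developer", frozenset({"fido2"})),
    AccessPath("wiki", "staff", frozenset({"password", "totp"})),
]
HIGH_RISK = {"admin", "finance", "developer"}

if __name__ == "__main__":
    for app, role, weakest in find_gaps(INVENTORY, HIGH_RISK):
        print(f"{app}/{role}: weakest accepted method(s) {weakest}")
    print("roles with uneven assurance across apps:", inconsistent_roles(INVENTORY))
```

The `vpn`/`admin` path illustrates the point made in the Q&A: a phishing-resistant method is present, but the retained password fallback sets the path's real assurance.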
What's in the full article
Axiad's full blog covers the decision framework this post intentionally leaves for the source:
- Side-by-side discussion of MFA options and where each one tends to break down in practice
- The infographic-style decision points the article uses to compare risk tolerance and implementation paths
- The article's original reasoning for balancing friction, phishing resistance, and authentication complexity
- The source post's framing for building an internal business case for authentication changes
👉 Read Axiad's analysis of enhanced authentication choices and MFA tradeoffs →
Enhanced authentication choices: what IAM teams need to weigh
Explore further
Authentication complexity is an identity governance failure, not a user inconvenience. The article shows that many organisations now run overlapping MFA methods, siloed identity systems, and inconsistent user experiences. That is a governance problem because assurance becomes uneven across access paths, and uneven assurance is easier to bypass. Practitioners should treat authentication architecture as a policy standardisation issue, not a collection of local tooling choices.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How can teams tell whether authentication controls are actually working?
A: They should measure bypass rates, exception volumes, help desk reset demand, and the consistency of authenticator strength across applications. If users keep escaping into weaker paths or support teams keep creating local exceptions, the control is not functioning as a stable programme.
👉 Read our full editorial: Enhanced authentication choices expose the real IAM tradeoffs