TL;DR: Multiple credentials across badges, YubiKeys, Office 365 logins, phone tokens, and admin access create friction, lockout risk, and lifecycle overhead for organizations, according to Axiad. The governance problem is not credential quantity alone but fragmented management that makes access recovery, deprovisioning, and assurance levels harder to control.
NHIMG editorial — based on content published by Axiad: Manage all of your credentials from a single platform
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams reduce credential sprawl without weakening MFA?
A: Security teams should consolidate lifecycle management, not weaken assurance.
Q: Why do multiple credentials create more risk in enterprise environments?
A: Multiple credentials increase risk because each one adds its own lifecycle, recovery process, and revocation path.
Q: What do IAM teams get wrong about centralized credential platforms?
A: They often assume centralization automatically improves control.
Practitioner guidance
- Inventory every credential path: Map badges, workstation logins, application tokens, privileged credentials, and recovery methods to one inventory so the team can see where lifecycle ownership is split across platforms.
- Remove ad hoc temporary password recovery: Replace emailed temporary passwords with approved recovery workflows that preserve MFA assurance and record who approved the restoration of access.
- Test offboarding across all credential classes: Run offboarding exercises that confirm credentials are revoked for users, devices, systems, and applications, not only the primary account used for daily login.
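One way to run the inventory and offboarding checks above against a single merged inventory. This is an added example, not code from Axiad or the editorial; the record layout, owner names, platform names, and sample rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    owner: str       # user, device, system or application identity
    cred_class: str  # e.g. badge, workstation_login, app_token, privileged
    platform: str    # system that issues and revokes this credential
    active: bool


# Constructed sample data: every name and platform here is hypothetical.
INVENTORY = [
    Credential("alice", "badge", "physical-access", True),
    Credential("alice", "workstation_login", "directory", True),
    Credential("alice", "app_token", "directory", True),
    Credential("bob", "workstation_login", "directory", False),
    Credential("bob", "app_token", "phone-token-svc", True),
    Credential("bob", "privileged", "pam", False),
    Credential("build-agent-7", "app_token", "ci", True),
    Credential("carol", "workstation_login", "directory", False),
    Credential("carol", "badge", "physical-access", False),
]
OFFBOARDED = {"bob", "carol", "dave"}  # dave never appears in the inventory


def split_ownership(inventory):
    """Owners whose active credentials are managed on more than one platform."""
    platforms = defaultdict(set)
    for cred in inventory:
        if cred.active:
            platforms[cred.owner].add(cred.platform)
    return {o: sorted(p) for o, p in platforms.items() if len(p) > 1}


def offboarding_gaps(inventory, offboarded):
    """Offboarded owners with credentials still active in any class.

    An owner with no inventory rows is reported too: revocation cannot be
    confirmed for an identity the inventory never recorded.
    """
    seen = {cred.owner for cred in inventory}
    gaps = {}
    for owner in sorted(offboarded):
        if owner not in seen:
            gaps[owner] = [("not_inventoried", "unknown")]
            continue
        live = [(c.cred_class, c.platform)
                for c in inventory if c.owner == owner and c.active]
        if live:
            gaps[owner] = live
    return gaps
```

In the sample data the primary login for `bob` is revoked while a phone token on a separate platform stays active, which is the gap the third guidance item targets.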
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- A practical explanation of how the platform consolidates user, device, system, and application credentials into one operational view
- Details on the Self Help Portal and Airlock workflows that reduce help desk involvement while preserving authentication controls
- The article's discussion of higher-assurance use cases such as FIPS, CMMC, and NIST SP800-171 environments
- The vendor's description of private cloud deployment and how it affects control ownership and visibility
Explore further
Credential sprawl is a governance failure, not just an inconvenience. When users need separate credentials for the workstation, enterprise apps, mobile access, and privileged accounts, identity control becomes distributed across too many systems. That distribution creates inconsistent assurance, slower revocation, and more exceptions for the help desk to manage. The practitioner conclusion is simple: credential count is a governance metric, not just an end-user annoyance.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance loses sight of machine access before problems surface.
A question worth separating out:
Q: When should organisations prioritise credential lifecycle management over login convenience?
A: They should prioritise lifecycle management whenever users hold more than one credential, privileged access exists, or role changes and offboarding are frequent. Convenience matters, but it cannot come at the expense of revocation quality or recovery security. If lifecycle is weak, access risk remains even when sign-in feels simpler.