TL;DR: Passwordless authentication is gaining traction because 60% of workers say authentication has stopped them from doing their jobs and almost half have been locked out of productivity tools, according to Axiad's interview. The real issue is not just user friction but whether identity governance can keep pace when multiple credentials, devices, and assurance methods must be managed across the enterprise.
NHIMG editorial — based on content published by Axiad: Jerome Becquart on why current approaches to authentication are failing employees
By the numbers:
- 60% admitted that authentication processes have stopped them from doing their job.
- 60% also said they had to contact the IT department at their workplace because they were locked out of their computer.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations implement passwordless authentication without creating fallback risk?
A: Start by inventorying every route that still allows users to authenticate with passwords, recovery codes, or helpdesk overrides.
Q: Why do passwordless programmes fail in practice?
A: They fail when organisations treat them as a technical rollout instead of an identity governance change.
Q: What signals indicate authentication governance is working?
A: Look for reduced helpdesk lockouts, lower fallback usage, and consistent adoption of the intended method across user groups.
Practitioner guidance
- Map every fallback authentication path. Inventory passwords, device resets, alternate MFA apps, helpdesk recovery flows, and any legacy login route that still grants access.
- Enforce policy before normal access resumes. Require users to activate new devices or update credentials before they can continue work, rather than after the fact.
- Standardise credential management across populations. Use one governance model for issuance, revocation, and reporting, but keep separate assurance rules for people, machines, and regulated exchange use cases.
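One way to measure the "lower fallback usage" and "consistent adoption across user groups" signals against a fallback inventory, as an added example that is not from Axiad or NHIMG. The CSV log layout, the method labels, and the user and group names are constructed assumptions; map them to whatever your identity provider actually records.

```python
from collections import defaultdict

# Assumed method labels (hypothetical); map them to what your IdP actually logs.
INTENDED = {"fido2", "whfb", "smartcard"}
FALLBACK = {"password", "recovery_code", "helpdesk_override"}

# Constructed sample sign-in events: timestamp,user,group,method,result
SAMPLE_LOG = """\
2024-05-01T08:01:12Z,alice,finance,fido2,success
2024-05-01T08:03:40Z,bob,finance,fido2,failure
2024-05-01T08:04:05Z,bob,finance,password,success
2024-05-01T09:15:00Z,alice,finance,fido2,success
2024-05-01T09:20:31Z,bob,finance,helpdesk_override,success
2024-05-01T08:10:00Z,carol,engineering,whfb,success
2024-05-01T08:12:44Z,dave,engineering,smartcard,success
2024-05-01T10:02:19Z,dave,engineering,recovery_code,success
2024-05-01T10:30:00Z,carol,engineering,whfb,success
2024-05-01T11:45:09Z,erin,engineering,legacy_imap,success
"""

def fallback_report(log):
    """Per group: share of successful sign-ins that used a fallback path."""
    stats = defaultdict(lambda: {"total": 0, "fallback": 0,
                                 "users": set(), "unmapped": set()})
    for line in log.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            continue  # skip malformed rows rather than guess at them
        _ts, user, group, method, result = fields
        if result != "success":
            continue  # only sign-ins that actually granted access count
        g = stats[group]
        g["total"] += 1
        if method in FALLBACK:
            g["fallback"] += 1
            g["users"].add(user)
        elif method not in INTENDED:
            # A route missing from the inventory is itself a finding.
            g["unmapped"].add(method)
    return {
        group: {
            "fallback_rate": round(g["fallback"] / g["total"], 2),
            "fallback_users": sorted(g["users"]),
            "unmapped_methods": sorted(g["unmapped"]),
        }
        for group, g in stats.items()
    }

if __name__ == "__main__":
    for group, row in sorted(fallback_report(SAMPLE_LOG).items()):
        print(group, row)
```

Tracking `unmapped_methods` alongside the rate keeps the inventory honest: a method that grants access but appears in neither set is a login route nobody listed.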
What's in the full article
Axiad's full article covers the operational detail this post intentionally leaves for the source:
- Survey results on worker lockouts and authentication friction across 2,000 US office workers
- Credential and device examples, including FIDO mobile MFA, Windows Hello for Business, YubiKeys, smart cards, TPM, and biometrics
- The Airlock access workflow and how directives are enforced before employees regain full system access
- The vendor's discussion of regulated environments such as FBCA, SAFE-BioPharma, and WebTrust
Passwordless authentication: what it means for IAM teams
Explore further
Passwordless authentication is an identity governance migration, not a UX upgrade. The article shows that employees do not simply adopt new authentication methods because they exist. They revert to older credentials, alternate devices, and support workarounds when the transition is poorly managed. That means the governance problem is persistence of legacy access paths, not just password fatigue. Practitioners should treat passwordless programmes as policy and lifecycle changes, not interface changes.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why credential governance fails when fallback paths are left untracked.
A question worth separating out:
Q: How can security teams balance user experience with stronger identity controls?
A: Design the process around the tasks employees need to complete, then remove unnecessary branching in login and recovery. Stronger identity controls succeed when users can complete work without detours, but convenience cannot be allowed to preserve weak methods. Better experience should come from fewer options, not more exceptions.