TL;DR: Passwordless adoption is accelerating, with Gartner cited in the source saying 60% of global companies and 90% of mid-size businesses were expected to use it by 2022, but the real barrier is credential issuance and lifecycle friction that drives help-desk load and workarounds. Security value falls apart if users cannot issue or update credentials quickly and safely.
NHIMG editorial — based on content published by Axiad: Don’t let issuing credentials stand in your way to passwordless
By the numbers:
- Gartner predicted that, by 2022, 60% of global companies and 90% of mid-size businesses would use passwordless solutions to authenticate their users and devices.
- 42% of employees admit to frequently ignoring company policy just to do their job.
Questions worth separating out
Q: How should security teams reduce passwordless friction without weakening control?
A: Security teams should simplify enrolment, recovery, and device replacement so the approved path is the easiest path.
Q: Why do passwordless programmes still need strong lifecycle governance?
A: Passwordless shifts risk from passwords to issuance, recovery, and revocation.
Q: What breaks when users cannot quickly issue or replace a credential?
A: The control breaks at the point of use.
Practitioner guidance
- Map enrolment friction end to end: Document every step a user takes to issue or replace each credential type, then remove duplicate approvals, platform hopping, and redundant device checks.
- Unify credential recovery workflows: Define a single recovery path for lost, replaced, or re-enrolled credentials so users do not fall back to unsafe exceptions.
- Measure bypass pressure as a security signal: Track help-desk volume, failed enrolments, exception requests, and policy overrides together.
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step one-click issuance flow across mobile authenticators, YubiKeys, smart cards, and OTP tokens
- User portal behaviour for device enrolment, PIN creation, and physical token verification
- Implementation context for reducing help-desk escalations when multiple credential types are in use
- How the portal keeps users inside a single governed workflow rather than separate management platforms
Passwordless credential issuance: what IAM teams keep missing?
Explore further
Passwordless programmes fail first at issuance, not at authentication. The article shows that users do not reject stronger authentication in principle; they reject workflows that are too slow, too fragmented, or too hard to recover from. That is a governance problem, because control adoption depends on whether the identity journey is operationally tolerable. The practitioner lesson is to measure friction as a security risk, not just a user-experience metric.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle and access governance fail so often in practice.
A question worth separating out:
Q: How do organisations know passwordless is actually working?
A: Look for lower help-desk demand, fewer failed enrolments, fewer exception requests, and fewer policy overrides. If those signals are not improving, the programme may be technically sound but operationally unusable. A working passwordless programme is one that users can complete without friction and without bypassing controls.