Passwordless credential issuance: why user friction still matters


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Passwordless adoption is accelerating, but credential issuance and lifecycle friction still drive help-desk load, policy workarounds, and delayed access, according to Axiad and Gartner figures cited in the post. The governance problem is not password removal alone, but whether organisations can issue, enroll, and manage new credentials without creating shadow workarounds.

NHIMG editorial — based on content published by Axiad: Don’t let issuing credentials stand in your way to passwordless

By the numbers:

Questions worth separating out

Q: How should security teams reduce friction in passwordless enrollment without weakening assurance?

A: Security teams should collapse credential issuance into a small number of governed paths and remove unnecessary handoffs between portals, help desks, and device-specific tooling.

Q: Why does passwordless adoption sometimes increase help-desk demand before it reduces it?

A: Passwordless can increase help-desk demand when users must navigate multiple credential platforms, recovery steps, and device-specific workflows.

Q: How can IAM teams tell whether a passwordless programme is actually working?

A: Look for completion rates, exception volumes, support calls, and the frequency of policy bypass behaviour.

Practitioner guidance

  • Standardise credential issuance paths: Map every supported credential type to a single front-door enrollment flow, including mobile authenticators, hardware tokens, smart cards, and device-bound certificates.
  • Measure policy bypass pressure: Track help-desk volume, abandoned enrollment attempts, and policy workarounds as identity risk indicators.
  • Separate user convenience from assurance design: Keep the user journey simple, but preserve the trust checks that matter, such as PIN creation and device possession validation.

What's in the full article

Axiad's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step One Click Issuance flow for mobile authenticators, YubiKeys, smart cards, and OTP tokens
  • User-facing enrollment mechanics, including PIN creation and device possession checks
  • How the portal handles different credential types inside a single web-based workflow
  • The product-specific explanation of how Axiad positions simplified issuance for passwordless adoption

👉 Read Axiad's analysis of passwordless credential issuance friction →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwordless adoption fails when organisations treat enrollment as a convenience layer instead of a governance control. The article shows that credential issuance, not authentication theory, is where users lose time and security teams lose control. When multiple credential types each require different portals and workflows, the programme creates operational drag that undermines adoption. Practitioners should see enrollment as part of access governance, not as a back-office task.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity control starts from partial inventory rather than reliable governance data.

A question worth separating out:

Q: Who should own credential issuance for passwordless and privileged access?

A: Ownership should sit with the identity governance and access teams, with PAM involvement for elevated access. Credential issuance is part of lifecycle control, not a one-time technical setup task. Clear ownership is what keeps enrollment, recovery, and revocation aligned with policy.

👉 Read our full editorial: Passwordless credential issuance still creates identity friction



   