Operation · security-ux · Last updated 2026-06-09

The friction-versus-security dial that never stops moving.

Who feels it

security · marketing · product

What triggers the evaluation

MFA adoption stalls after a conversion drop · a credential-stuffing or bot-driven ATO wave · a passkey rollout

Once a CIAM deployment is live, the friction-versus-security dial never stops moving. Every added step measurably drops conversion, so MFA adoption stalls as marketing watches sign-in and sign-up rates fall. Pushing in the other direction, credential stuffing and bot-driven account takeover make more friction feel necessary. The two forces do not resolve; they have to be balanced continuously.

The way out of a fixed trade-off is to stop applying friction uniformly. Adaptive, risk-based authentication applies step-up only when the signals warrant it, so the low-risk majority stay frictionless and the risky minority get challenged. That depends on real signals: device and behavioral risk, bot detection, and breached-password detection feeding a policy engine rather than a blanket MFA prompt. It also depends on the policy saying what happens when a signal is missing; a risk engine that fails open when its bot-detection feed is down is a blanket allow.

Passkeys change the shape of this but do not end it. They remove the phishable password from the primary path, but users are spread across devices and ecosystems, and the fallback flow (the path for a user whose passkey is not available on the device in hand) quietly reintroduces the phishable methods passkeys were meant to eliminate. An attacker reaches that fallback simply by signing in from a device that lacks the passkey, so the account's effective assurance is that of its weakest fallback, not of the passkey. Evaluate the fallback, and the account-recovery path behind it, as carefully as the happy path. See passkeys, adaptive risk-based authentication, and account-takeover defense.
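To make the two preceding paragraphs concrete, here is an added example of a minimal risk-based step-up decision plus the fallback audit the passkey paragraph calls for. It is illustration written for this page, not code from the page or from any vendor in the comparison below; the signal fields, weights, thresholds and authenticator names are assumptions, and a real deployment would take the signals from the vendor's device-risk, bot-detection and breached-password services.

```python
"""Added illustration: a risk-based step-up decision plus a passkey-fallback audit.
Signal fields, weights and thresholds are assumptions, not any vendor's values."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"       # low-risk majority: no extra friction
    STEP_UP = "step_up"   # challenge with an enrolled second factor
    BLOCK = "block"       # clear automation, or no acceptable challenge left


@dataclass(frozen=True)
class Signals:
    """What the policy engine receives per sign-in attempt (field names assumed)."""
    known_device: bool       # device risk: this device has completed sign-in for this user before
    geo_anomaly: bool        # behavioral risk: impossible travel or an unusual country
    ip_velocity: int         # attempts from this source IP in the last minute
    bot_score: float         # bot-detection verdict, 0.0 = human .. 1.0 = automation
    password_breached: bool  # breached-password detection: credential is in a known dump


# Assurance per authenticator: 3 = phishing-resistant (WebAuthn), 1 = interceptable OTP.
STRENGTH = {"passkey": 3, "security_key": 3, "totp": 2, "push": 2, "sms_otp": 1, "email_otp": 1}
PHISHING_RESISTANT = {m for m, s in STRENGTH.items() if s == 3}


def risk_score(s: Signals) -> int:
    """Additive score with illustrative weights."""
    score = 0
    if not s.known_device:
        score += 30
    if s.geo_anomaly:
        score += 25
    if s.ip_velocity > 20:      # credential-stuffing shape: many attempts, one source
        score += 30
    if s.password_breached:     # a public password proves nothing on its own
        score += 40
    score += int(s.bot_score * 50)
    return score


def decide(s: Signals, enrolled: List[str], passkey_available: bool,
           allow_below: int = 30, block_at: int = 90) -> Tuple[Decision, Optional[str]]:
    """Apply friction only when the signals warrant it, and challenge with the
    strongest method reachable from this device."""
    score = risk_score(s)
    if s.bot_score >= 0.9 or score >= block_at:
        return Decision.BLOCK, None
    if score < allow_below:
        return Decision.ALLOW, None
    reachable = [m for m in enrolled if m != "passkey" or passkey_available]
    if not reachable:
        # Nothing to challenge with: send to account recovery, never skip the challenge.
        return Decision.BLOCK, None
    return Decision.STEP_UP, max(reachable, key=STRENGTH.__getitem__)


def audit_fallback(enrolled: List[str], user_may_choose: bool) -> Tuple[Optional[str], bool]:
    """The passkey-fallback check: which method a sign-in lands on when the passkey
    is not on the device, and whether that path is still phishing-resistant.
    An attacker reaches this path simply by using a device without the passkey, so
    with a 'try another way' chooser the relevant method is the weakest one offered."""
    without_passkey = [m for m in enrolled if m != "passkey"]
    if not without_passkey:
        return None, True   # no in-band fallback: the recovery flow needs its own review
    pick = min if user_may_choose else max
    method = pick(without_passkey, key=STRENGTH.__getitem__)
    return method, method in PHISHING_RESISTANT


# Constructed sample sessions, not real traffic.
SAMPLES = {
    "returning_user": Signals(True, False, 1, 0.05, False),
    "new_device": Signals(False, False, 3, 0.10, False),
    "stuffing_wave": Signals(False, True, 50, 0.60, True),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        print(name, decide(sig, ["passkey", "sms_otp"], passkey_available=False))
    print("fallback:", audit_fallback(["passkey", "security_key", "sms_otp"], user_may_choose=True))
```

Run as written, the returning user is allowed through with no challenge, the new device is stepped up, and the stuffing pattern is blocked; the audit then reports that a user enrolled with passkey, security key and SMS who is offered a chooser can be steered onto SMS, which is the regression the page warns about.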

How teams recognize it

  • Each added auth step measurably reduces conversion
  • MFA adoption stalls because friction hurts sign-in and sign-up
  • Credential stuffing and bot-driven ATO push toward more friction
  • Passkey fallback flows quietly reintroduce phishable paths

How to evaluate vendors for this

The exact questions to put to vendors. Match each answer against the capabilities in the comparison below.

  1. Is authentication adaptive and risk-based, so friction is applied only when warranted?
  2. How is step-up authentication triggered, and how granular is the policy?
  3. What bot-detection and breached-password signals are built in?
  4. For passkeys, what is the fallback flow, and does it stay phishing-resistant?

Capabilities that solve this

The vendors that cover the capabilities this pain maps to, scored on just those axes. A Yes records that the capability exists, not how well its signals perform; the questions above are how to probe that. See the full matrix on each vendor profile.

Vendor (coverage on these axes)      Adaptive MFA   Step-up auth   WebAuthn / passkeys   Bot detection   Breached password detection
Akamai Identity Cloud (100%)         Yes            Yes            Yes                   Yes             Yes
Auth0 (100%)                         Yes            Yes            Yes                   Yes             Yes
CyberArk Identity (100%)             Yes            Yes            Yes                   Yes             Yes
Descope (100%)                       Yes            Yes            Yes                   Yes             Yes
ForgeRock (100%)                     Yes            Yes            Yes                   Yes             Yes
IBM Verify (100%)                    Yes            Yes            Yes                   Yes             Yes
Microsoft Entra External ID (100%)   Yes            Yes            Yes                   Yes             Yes
MojoAuth (100%)                      Yes            Yes            Yes                   Yes             Yes
