Identity security must work for everyone, or it risks working for no one, says Steven Connelly, Head of Identity at the cyber firm and Microsoft partner Kocho.
Identity security is now embedded into almost every interaction at work, and for good reason. Authentication and policy checks determine whether people can reach systems, data, and applications across cloud and on-premises environments. To meet rising threats and regulatory demands, organisations have rightly strengthened identity security through measures such as multi-factor authentication and Zero Trust architectures, as well as the growing use of biometrics.
However, there is growing evidence that poorly designed controls increase stress and disrupt focus. When that happens, people begin to take shortcuts to keep work moving. Over time, these behaviours can undermine even well-designed security. Coverage and compliance may look strong on paper, but identity security only holds when it can be used reliably under real working conditions.
When identity controls ignore human experience
Access controls that appear robust in theory often rest on a narrow assumption: a technically confident user, working in a stable environment, with the time and attention to evaluate each authentication prompt carefully. That describes only a small portion of any real workforce.
In practice, people process information and interruptions differently, and as a result, respond differently under pressure. For some, authentication flows are routine. For others, unclear error messages, repeated prompts, or unexpected access denials introduce stress that affects concentration and decision-making in the moments that follow. Security systems tend to present the same experience to everyone and measure success by whether access was granted or blocked, not by what the interaction demanded of the person on the other side.
This is further compounded by role and environment. A desk-based employee on a managed device has a very different authentication experience from someone using shared hardware, working under time pressure, or operating in low-connectivity conditions. Privileged users face a related challenge. Frequent authentication is intentional, but repetition shapes behaviour over time. What begins as careful verification becomes reflexive response.
Why account for human behaviour
Organisations that face this problem often respond by increasing training or tightening supervision. That reaction is understandable, but it risks missing the root cause. The problem is one of design. Systems built on the expectation that every employee behaves perfectly, even when under pressure or interrupted, do not reflect reality. Poorly calibrated friction, unclear prompts, difficult recovery, or a high volume of requests all have the same effect: attention narrows and people begin to adapt their behaviour.
Attackers understand this dynamic, and come to expect it. MFA fatigue attacks exploit repetition and exhaustion rather than technical weakness, sending repeated approval requests until one is accepted. At enterprise scale, even a low rate of mistaken approval becomes exploitable. The vulnerability is created by the system, but responsibility is often placed on the user.
The impact of this misalignment does not stop at individual interactions; it ripples through the organisation. Support desks absorb rising volumes of access issues and lockouts, while onboarding slows as new joiners struggle through complex access paths. Security teams spend time resolving avoidable friction instead of focusing on genuinely risky activity. Over time, trust erodes, and security can increasingly feel punitive instead of enabling.
Building empathy into your security strategy
Empathy in identity security is often misunderstood as lowering standards. In practice, it is about reliability. Effective security depends on designing verification that people can complete consistently under real conditions. This means designing authentication that adjusts to context and risk, rather than applying the same level of challenge uniformly, which reduces unnecessary friction without weakening protection. It also means making interactions clearer and easier to recover from, so users are not left confused at the point of failure or forced to improvise unsafe alternatives when authentication breaks down.
Inclusive design matters here in a practical sense. Authentication methods do not work equally well for everyone, in every context. Biometric authentication can reduce friction for many users, but for others it proves unreliable due to physical positioning, environmental conditions, or inconsistent recognition. When a single method is treated as default, the users it does not work for do not disappear. They adapt, often by finding alternative paths that weaken control integrity.
Providing multiple viable authentication options, such as device-bound credentials, passkeys, or step-up verification methods calibrated to risk and context, keeps users inside governed systems and strengthens security overall.
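The two design points above (a challenge calibrated to context and risk rather than applied uniformly, and treating a flood of push approvals as a system-created signal rather than a user failure) can be made concrete in policy logic. The following is an added example, not code from the article or from Kocho: the risk weights, the thresholds, the challenge-tier names and the constructed prompt events are all assumptions chosen for illustration, not a vendor's configuration.

```python
"""Risk-calibrated challenge selection plus MFA-fatigue detection (added example).

Two small policy components modelled on the article's argument:
  1. choose_challenge(): pick the lightest challenge the sign-in risk allows,
     so trusted, recently verified sessions are not re-prompted needlessly.
  2. PushTracker: count push prompts per user in a sliding window; when they
     pile up unapproved, stop sending pushes, fall back to number matching and
     alert, and flag an approval that follows denials for review.
All weights, thresholds and names below are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Context:
    """Sign-in context used to calibrate the challenge (fields are assumptions)."""
    managed_device: bool
    known_location: bool
    privileged: bool
    seconds_since_strong_auth: int


def risk_score(ctx: Context) -> int:
    """Sum constructed risk weights; higher means more challenge is warranted."""
    score = 0
    if not ctx.managed_device:
        score += 3          # unmanaged hardware: weakest device assurance
    if not ctx.known_location:
        score += 2          # unfamiliar network or location
    if ctx.privileged:
        score += 2          # privileged roles warrant phishing-resistant factors
    if ctx.seconds_since_strong_auth > 8 * 3600:
        score += 1          # a working day since the last strong verification
    return score


def choose_challenge(ctx: Context) -> str:
    """Map the risk score to a challenge tier instead of one uniform prompt."""
    score = risk_score(ctx)
    if score == 0:
        return "none"                   # trusted device, location, recent strong auth
    if score <= 2:
        return "passkey"                # phishing-resistant and low friction
    if score <= 4:
        return "number_match"           # push that requires typing a displayed code
    return "passkey_plus_step_up"       # passkey plus an additional verification


@dataclass
class PushTracker:
    """Sliding-window counter of push prompts per user (thresholds are assumptions)."""
    window_seconds: int = 600
    max_unapproved: int = 3
    _prompts: dict = field(default_factory=dict)

    def record(self, user: str, ts: int, outcome: str) -> dict:
        """Record one prompt outcome ("approved", "denied" or "timeout") and decide."""
        q = self._prompts.setdefault(user, deque())
        q.append((ts, outcome))
        while ts - q[0][0] > self.window_seconds:   # drop prompts outside the window
            q.popleft()
        unapproved_before = sum(1 for _, o in list(q)[:-1] if o != "approved")
        unapproved = unapproved_before + (outcome != "approved")
        result = {"user": user, "prompts_in_window": len(q)}
        if outcome == "approved" and unapproved_before > 0:
            # An approval right after denials or timeouts is the fatigue pattern
            # the article describes: keep the session for review rather than trust it.
            result.update(action="flag_approval_after_denials", alert=True)
        elif unapproved >= self.max_unapproved:
            # Repeated unapproved prompts: stop the push flood, require number
            # matching, and raise an alert on the source that keeps requesting them.
            result.update(action="suspend_push_require_number_match", alert=True)
        else:
            result.update(action="allow_push", alert=False)
        return result


# Constructed prompt events (user, seconds offset, outcome), not real telemetry.
SAMPLE_EVENTS = [
    ("alice", 0, "denied"), ("alice", 40, "denied"), ("alice", 95, "timeout"),
    ("bob", 0, "denied"), ("bob", 30, "approved"),
    ("carol", 0, "approved"),
]


def replay(events) -> list:
    """Run the constructed events through one tracker and return the decisions."""
    tracker = PushTracker()
    return [tracker.record(u, ts, o) for u, ts, o in events]


if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
    print(choose_challenge(Context(False, False, True, 90000)))
```

The two pieces work together: a session that lands on `suspend_push_require_number_match` or `flag_approval_after_denials` is routed to the security team with the prompt count attached, while `choose_challenge` keeps low-risk sessions from generating the prompt volume that makes fatigue possible in the first place.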
Inclusive design is a security improvement, not a trade-off
Reducing friction is different from reducing protection. It is about improving reliability. Organisations need strong and effective security that is no longer defined by hard edges or user friction. Increasingly, identity security is judged by how well it performs when people are under pressure, working to deadlines, or operating with limited attention. Systems that make intense, unpredictable demands risk eroding confidence and trust over time.
The most resilient organisations design identity security around human behaviour as well as advanced technology. Making security easy to use isn't a nice-to-have; it is what allows people to act securely and consistently in the real world.
When security is designed for every user, protection is greater for everyone. It's how resilient identity systems are built.