The Trust Problem Nobody Talks About in Security Briefings
Ask a CISO what keeps them up at night and they will mention ransomware, supply chain attacks, or data exfiltration. They rarely mention the sign-up form that times out halfway through, the MFA code that expires before the user types it in, or the access approval that sits in a queue for three days. These moments feel like UX problems, not security problems. According to the 2026 Thales Digital Trust Index, they are both. Digital trust — the confidence users place in the systems, organisations, and processes that handle their data and identities — is not built through privacy policies or compliance certificates. It is built, or destroyed, through the texture of everyday digital interactions. When those interactions repeatedly frustrate users, trust erodes. When trust erodes, users find workarounds. When users find workarounds, security breaks down. For UK and New Zealand businesses operating digital services, this is not an abstract concern. It has direct consequences for customer retention, regulatory exposure, and the effectiveness of the security controls you have already paid to deploy.
What Does the 2026 Thales Digital Trust Index Actually Show?
The Thales Digital Trust Index 2026 surveyed consumer experiences across digital services globally, tracking how everyday friction shapes long-term trust in organisations. The findings are worth taking seriously. Most consumers reported encountering problems when using websites or applications — problems that were not dramatic enough to trigger a complaint but persistent enough to register. Slow authentication flows, repeated login steps, and access requests that take longer than expected have become background noise in digital life. Users do not necessarily attribute these experiences to poor security design. They attribute them to the organisation being untrustworthy or incompetent. Here is the compounding risk: users who lose trust in digital services do not simply stop using them. They adopt behaviours that create genuine security exposure — reusing passwords across platforms to avoid repeated registration, sharing credentials with colleagues to bypass slow access approval processes, or disabling security features they find disruptive. The friction that was meant to protect them ends up working against the controls protecting the business. Put simply, when your security experience is bad enough, users start defeating it themselves.
Why Authentication Friction Is a Security Risk, Not Just an Annoyance
There is a persistent assumption in security design that more steps equal more security. In principle, that is true. In practice, it depends entirely on whether users complete those steps as intended. MFA adoption provides a useful illustration. When authentication flows are smooth and well-integrated, MFA meaningfully reduces account compromise risk — Microsoft's own data has shown that MFA blocks over 99% of automated credential attacks. When MFA flows are clunky, time out frequently, or generate repeated prompts for the same session, users begin to push back. Worse, they become conditioned to approve MFA requests without scrutiny — a behaviour that directly enables MFA fatigue attacks, where threat actors send repeated push notifications until an exhausted or inattentive user approves access. The Scattered Spider group, responsible for high-profile breaches at MGM Resorts and Caesars Entertainment in 2023, exploited exactly this pattern. They did not break the MFA system. They exploited the human response to a poorly designed one. For businesses that have invested in identity and access management tooling, this should be a calibration check, not a product problem. The tooling is often sound. The configuration, the user experience around it, and the communication to end users about why these steps matter — that is where trust and security diverge.
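As an added example, not code from the article or from any product it names: a small detector for the push-fatigue pattern described above, run over constructed identity-provider log lines (the log format, event names and thresholds are assumptions, not any vendor's schema).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP log (assumed format): timestamp user event client_ip.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice push_sent 203.0.113.7
2026-03-02T08:01:25Z alice push_denied 203.0.113.7
2026-03-02T08:02:40Z alice push_sent 203.0.113.7
2026-03-02T08:02:55Z alice push_denied 203.0.113.7
2026-03-02T08:03:50Z alice push_sent 203.0.113.7
2026-03-02T08:04:02Z alice push_denied 203.0.113.7
2026-03-02T08:05:10Z alice push_sent 203.0.113.7
2026-03-02T08:05:21Z alice push_approved 203.0.113.7
2026-03-02T09:15:00Z bob push_sent 198.51.100.4
2026-03-02T09:15:09Z bob push_approved 198.51.100.4
2026-03-02T14:00:00Z carol push_sent 192.0.2.9
2026-03-02T14:00:30Z carol push_denied 192.0.2.9
2026-03-02T16:30:00Z carol push_sent 192.0.2.9
2026-03-02T16:30:12Z carol push_approved 192.0.2.9
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def detect_push_fatigue(events, max_pushes=3, window=timedelta(minutes=10)):
    """Flag users who received more than max_pushes prompts inside one window.
    A burst that ends in an approval is the MFA-fatigue success case and
    should trigger session revocation, not just a ticket."""
    by_user = defaultdict(list)
    for ts, user, event, ip in sorted(events):
        by_user[user].append((ts, event))
    alerts = []
    for user, evs in by_user.items():
        pushes = [ts for ts, ev in evs if ev == "push_sent"]
        for i, start in enumerate(pushes):
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) <= max_pushes:
                continue
            approved = any(ev == "push_approved" and start <= ts <= start + window
                           for ts, ev in evs)
            alerts.append({"user": user, "pushes": len(burst),
                           "first_push": start, "approved_in_burst": approved})
            break  # one alert per user is enough for triage
    return alerts
```

Legitimate users like carol, whose prompts are hours apart, are not flagged; the threshold and window should be tuned against your own prompt volume before alerting on the approved case.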
How Poor Digital Experiences Create Measurable Business Risk
The business case for fixing authentication friction goes beyond user satisfaction scores. Consider four specific risk areas.
First, credential reuse. When users find registration or login processes burdensome, they reuse credentials across services. This turns every third-party breach into a potential credential stuffing vector against your platform. According to the 2023 Verizon Data Breach Investigations Report, stolen credentials remain the leading method of initial access in confirmed breaches.
Second, shadow IT. When internal access approval processes are slow or opaque, employees route around them. They adopt unauthorised SaaS applications, share files through personal accounts, or grant access outside approved channels. Each of these creates attack surface that your security team cannot see and therefore cannot protect.
Third, phishing susceptibility. Users who are accustomed to being asked to verify their identity repeatedly are more likely to comply with phishing emails that mimic those familiar requests. Friction normalises verification requests; attackers exploit that normalisation.
Fourth, regulatory exposure. Under the UK GDPR and New Zealand's Privacy Act 2020, organisations are expected to implement appropriate technical and organisational measures to protect personal data. If your authentication design is demonstrably poor and a breach results from credential compromise that better identity controls would have prevented, that design choice becomes part of the regulatory conversation.
These are not theoretical risks. They are documented breach patterns that map directly back to the friction points the Thales index describes.
- Credential reuse amplifies the blast radius of third-party breaches into your own platform
- Shadow IT spawned by access friction creates blind spots: applications that were never onboarded cannot be monitored by your attack surface tooling
- MFA fatigue attacks target users conditioned to approve prompts without scrutiny
- Regulatory frameworks in both the UK and New Zealand treat inadequate access controls as an organisational failure, not a user failure
The Attack Surface You Cannot See Is the One That Matters Most
One pattern the Thales findings reinforce is that organisations tend to measure their security posture by the controls they have deployed, not by how those controls appear to the outside world or behave under real user conditions. A business might have a modern identity provider, enforce MFA across all applications, and run regular penetration tests against known assets. What it may not know is that an acquired subsidiary still runs a legacy customer portal with weaker authentication. Or that a third-party SaaS integration exposes an OAuth endpoint that bypasses the main identity stack. Or that an expired certificate on a secondary domain creates a browser warning that trains users to click through security alerts. Each of these is a trust and security gap that does not show up in a quarterly vulnerability scan. They show up in the experience of the user trying to log in, and they show up in breach investigation reports. Continuous attack surface monitoring — the kind that maps externally facing assets, identifies authentication anomalies, and flags configuration drift before threat actors find it — is increasingly the difference between an organisation that knows its real posture and one that only knows what it has deployed. Hadrian, which Kyanite Blue offers as part of its attack surface management stack, runs AI-driven continuous reconnaissance against your external footprint, surfacing exactly these kinds of gaps before they become incidents. Details are available at /products/hadrian.
Supply Chain Trust: The Third-Party Login Problem
Digital trust does not operate at the level of individual organisations in isolation. Most digital services are assemblies of third-party components — identity providers, payment processors, analytics platforms, customer support tools — each of which handles user data and contributes to the authentication experience. When a third-party component in that chain has weak security controls, the breach that results carries the reputational weight of the organisation whose brand the user saw on the login screen. From the consumer's perspective, they were using your service. From a legal and regulatory standpoint, the same framing often applies. The 2024 Okta breach, in which threat actors accessed Okta's customer support system and exposed data linked to clients including 1Password and Cloudflare, is a precise example of this dynamic. Okta's customers had implemented strong identity controls. Their trust in Okta's own security posture was the gap. For businesses that depend on third-party identity infrastructure, access management tools, or any SaaS platform that sits within the authentication chain, third-party risk assessment is not a procurement checkbox. It is an ongoing operational requirement. Panorays, available through Kyanite Blue at /products/panorays, provides continuous third-party security posture monitoring — assessing vendors against real-world security criteria rather than self-reported questionnaires.
How to Protect Your Business Against Digital Trust Failures
The risks the Thales Digital Trust Index describes are not fixed by a single product or policy. They require a layered response that addresses the technical, human, and organisational dimensions of authentication and identity security. Here is where to start.
Map your authentication attack surface. Before fixing anything, understand what your authentication flows look like from the outside. Hadrian's continuous attack surface monitoring identifies exposed authentication endpoints, misconfigured identity integrations, and legacy login infrastructure that may no longer meet current security standards. This gives you an evidence-based starting point rather than an assumed one. See /products/hadrian.
Assess your third-party identity risk. If your login infrastructure depends on third-party providers, those providers' security posture is your security posture. Panorays allows you to continuously monitor the security controls of every vendor in your supply chain, including those that sit within your authentication stack, flagging deterioration before it becomes a breach. See /products/panorays.
Deploy endpoint and email protection that catches credential theft before it reaches your login screen. Most authentication attacks begin with phishing or endpoint compromise. Coro, which Kyanite Blue offers for the UK market, provides unified coverage across endpoint, email, and cloud — blocking the credential theft attempts that turn weak authentication into a breach. See /products/coro. For businesses in New Zealand and Australia, ESET provides enterprise-grade endpoint protection with proven detection rates. See /products/eset.
Stop data exfiltration if authentication fails. When attackers do gain access, the goal is almost always data theft. BlackFog's anti data exfiltration technology operates at the process level, blocking outbound data transfers that do not match authorised behaviour — meaning that even if a threat actor authenticates successfully with stolen credentials, they cannot move data out. See /products/blackfog.
Digital trust is not recovered through a press release. It is recovered through consistent, secure, low-friction interactions that demonstrate competence over time. Getting the security architecture right is the foundation. If you are unsure where your authentication and access controls stand today, Kyanite Blue's team can walk you through a structured assessment of your current posture. Start with a two-minute data exfiltration risk check at /data-exfiltration-risk, or contact us directly at /contact to discuss a full security review.
Frequently Asked Questions
What is digital trust and why does it matter for cybersecurity?
Digital trust is the confidence users place in an organisation's ability to protect their data and deliver secure, reliable digital experiences. It matters for cybersecurity because low trust drives risky user behaviour — credential reuse, shadow IT adoption, and MFA fatigue — all of which create exploitable gaps. The 2026 Thales Digital Trust Index shows these patterns are now widespread.
How does authentication friction increase security risk?
When authentication flows are slow, confusing, or generate repeated prompts, users develop workarounds that undermine security controls. They reuse passwords, share credentials, or approve MFA requests without scrutiny. This last behaviour directly enables MFA fatigue attacks, where threat actors send repeated push notifications until a user approves access, bypassing multi-factor authentication entirely.
How can UK businesses reduce the risk of credential-based attacks?
UK businesses can reduce credential attack risk by continuously monitoring their external authentication attack surface for misconfigurations, assessing the security posture of third-party identity providers, deploying endpoint and email protection to block credential theft at source, and using anti data exfiltration tools to contain damage if compromised credentials are used to gain access.