When ‘standard’ authentication doesn’t fit the real world

Explore why standard authentication often fails and how to adapt it for real-world conditions.

By Nicole Joubert, Product Manager @Steer73

In theory, authentication should be simple. Add a login screen, apply a strong password policy, bolt on multi-factor authentication, and you’re done. In practice? Things are rarely that neat.

In digital transformation projects, we often encounter environments where users don’t have the basics in place to meet those “standard” security measures. No corporate email addresses. Shared or outdated devices. Weak, reused passwords. Sometimes even a total absence of identity verification processes.

That’s where things get interesting. Our job isn’t just to enforce best practice security in a vacuum. It’s to design authentication that works for real people in less-than-perfect conditions, without leaving the system exposed.

The real challenge

Most security models assume ideal users:

  • A unique corporate identity.
  • A secure device.
  • Reliable communication channels (email, SMS, authenticator apps).
  • The patience to follow a flow designed for maximum security.

But real-world users don’t always look like that. And if you design only for the ideal, you risk building a process people can’t actually use – which is just as dangerous as no security at all.

How we approach it

When the basics aren’t in place, we step back and think differently about where trust should sit. Sometimes that means shifting the focus from the user to the device. Sometimes it means layering security options so no single weak link breaks the whole chain.

A few areas we always consider:

  • Password reality check – Are passwords actually providing security, or just creating friction? If everyone shares a weak default password, you don’t have authentication at all.
  • Device-level security – Can we lean on device features (secure storage, biometrics, PINs) to compensate where user identity is shaky?
  • Recovery options – Do users have reliable ways to reset or recover access? If not, what’s the fallback that won’t leave night-shift workers stranded when the head-office team isn’t around?
  • Auditability – Even if the system isn’t perfectly locked down, can we still track who did what and when?
  • Human impact – What happens to real users if they get locked out? Is there a safe balance between control and continuity?

A checklist for designing authentication in messy environments

When you’re dealing with a workforce that doesn’t fit the “standard model,” here are some key questions we ask:

  • Who are the users, really? Do they all have unique identities?
  • What devices do they actually use day to day?
  • How consistent and reliable is the user data (emails, phone numbers)?
  • What happens if someone is locked out during a critical shift?
  • Are existing security measures doing anything meaningful, or just adding noise?
  • Where is the right place to anchor trust – user, device, or both?
  • How will admins monitor, audit and intervene when things go wrong?

The bottom line

Authentication isn’t about ticking a box. It’s about protecting systems while keeping real people moving. In digital transformation, that often means adapting best practice to messy reality – finding the middle ground where users can get on with their work, and organisations can still sleep at night knowing the system is secure.
