In this post, I will talk about third-party access and show you where friction becomes risk.
Security should not come at the cost of usability. Unfortunately, in many business-to-business (B2B) environments, it still does.
According to the Thales 2025 Digital Trust Index – Third-Party Edition, 87% of respondents place security as their top priority when accessing partner systems. Yet almost all external users still encounter friction: 96% report login issues, one in three wait days to get access, and 40% reset passwords once or twice a month. These access struggles slow work, drain resources, and, most importantly, erode trust in host organizations.
The message is clear: both matter. But too often, organizations get the balance wrong.
Table of Contents
The Pitfalls in Managing Third-Party AccessÂ
B2B identity management looks similar to workforce IAM in many ways, but there are two crucial differences. External users do not flow in from a single source of truth like an HR system, and their onboarding is often handled remotely.
That makes it harder to verify identities, harder to provide direct support, and much more important to strike the right balance between strong controls and ease of use.
In this context, most identity and access management (IAM) tools are either too rigid or too shallow. They slow users down with a poor experience, or they expose the business by relaxing too many controls.
From the report:
- A staggering 96% of external users face login challenges.
- Under half (47%) of users lose time at least once a week due to access problems.
- Some 40% reset passwords once or twice a month.
These are not minor process hiccups. There are moments when partners lose confidence because the host organization’s systems do not reflect the realities of third-party collaboration.
The Consequences of Poor Usability
Access issues hurt productivity. But more importantly, they hurt partnerships.
Third-party users cannot rely on IT desks or training portals. If access is difficult, they stall projects, miss deadlines, or disengage. According to the Digital Trust Index, only 38% are completely satisfied with the clarity of onboarding steps.
Nearly one in three wait more than a business day to receive initial access, and almost all encounter login problems.
These recurring problems show that host organizations are not managing access reliably. As these issues accumulate, trust begins to erode.Â
The Risk of Over-Simplification
Usability problems are only one side of the challenge. The research also highlights how weak controls and slow processes increase exposure. External access that lingers too long or goes untracked does not just create inefficiency. It creates risk. The data shows:
- Just over half (51%) of users retain access long after they should.
- The average time to revoke access is 5.2 business days.
- Less than two-thirds (61%) of businesses struggle to track access across external partners.
- Nearly half (47%) have encountered information they should not have access to.
These are clear signs of processes that cannot keep up with the pace of business. Poorly controlled systems create risk, both operational and regulatory. Credentials are one of the most popular attack vectors and identity-based attacks among the most expensive. Security must remain tight. But it must also be intelligent.
The challenge is not choosing between security and usability; it’s building identity systems that support both at once.
How to Achieve the Balance
1. Build Identity Around Lifecycle, Not Events
Access should not be set once and forgotten. Joiners, movers, and leavers all need different access profiles. These must be updated in real time.
- Automate provisioning and deprovisioning.
- Link access to business roles, not just users.
- Update permissions dynamically as responsibilities change.
Only 48% of users say their access changes give them everything they need. This shows that static identity systems are no longer enough.
2. Standardize Partner Onboarding
The first experience shapes all that follows. If onboarding is slow or unclear, it erodes confidence before work even begins.
- Nearly a third (31%) of users wait more than a day to gain access.
- Documentation and verification steps vary widely.
- Responsibility for access is often shared across departments with no clear owner.
Fix this. Make onboarding clear, fast, and consistent.
Delegated user management is one approach. It gives partners limited administrative rights to manage their own users, within the boundaries you define. This decentralizes control without sacrificing security.
3. Rationalize Authentication Methods
Authentication must be secure, but not obstructive.
- Over half (58%) of firms still use SMS one-time passwords.
- Others rely on physical tokens or email verification.
These methods are outdated and inconsistent. Worse, they frustrate users.
Adopt methods that match risk and context. Use multi-factor authentication where needed. The goal is to move toward passwordless access wherever possible and always prioritize approaches that cut friction without compromising safety.
4. Monitor Access Continuously
Security cannot be a one-time review: it’s ongoing. Regular audits will highlight dormant accounts, outdated permissions, or access granted too broadly.
If a user changes roles or completes a project, their access must reflect that immediately. Anything else creates exposure.
The vast majority (86%) of organizations identified areas where partner access needs improvement. That number won’t improve without better oversight.
A Culture Shift, Not a Toolset
At its heart, balancing security and usability is about how the firm sees its partners.
If you see partners as outsiders, you’ll lock them out. If you see them as extensions of your team, you’ll give them the access they need with the controls to keep your business secure.
IAM systems need to reflect that philosophy.
Security and usability are not opposites; they are dependencies. One cannot work without the other.
The cost imbalance is clear. Where access is hard, trust drops. Where security is weak, risk rises. The answer lies in dynamic, lifecycle-aware identity systems that evolve with your business and the people who power it.
Build systems designed to match the pace of work. Protect the company while enabling your partners. That’s how trust is earned, and value is delivered.
INTERESTING POSTS
About the Author:
Jose Caso, B2B IAM at Thales, is a seasoned product professional with over 15 years of experience in software development, product management, and product marketing. He specializes in aligning technical and business goals to deliver solutions that meet evolving client needs. With a background spanning physical security, cybersecurity, and enterprise solutions, Jose focuses on driving innovation that keeps businesses competitive in a dynamic market.
