In business, trust begins with access. If a partner cannot get in, they cannot help you move forward.
The Digital Trust Index Third-Party Edition reveals a hard truth: poor identity management is eroding the foundations of many B2B partnerships. Systems stall, delays mount, frustration grows, and access lingers long after it should be revoked. What begins as a login issue becomes a deeper problem: one of confidence, control, and credibility. reveals a hard truth: poor identity management is eroding the foundations of many B2B partnerships. Systems stall, delays mount, frustration grows, and access lingers long after it should be revoked. What begins as a login issue becomes a deeper problem: one of confidence, control, and credibility.
The High Cost of a Slow Start
Every partnership begins with onboarding. Yet for nearly one in three organizations, that process starts with a delay. 31% of third-party users wait more than one business day to gain access to a partner’s systems. In an environment driven by efficiency, that kind of delay does more than frustrate; it weakens trust before the work has even begun.
When access is slow, relationships stall. Many organizations lack centralized or standardized onboarding processes, forcing third-party users to request access separately for each application. This fragmented approach creates confusion, wastes time, and slows early-stage collaboration.
Only 38% of third-party users are fully satisfied with the clarity of onboarding steps. Fewer than half say they’re satisfied with the overall process. In other words, most external users begin their engagement under a cloud of uncertainty.
Login Issues That Don’t Go Away
Onboarding is only the beginning. Once access is granted, a new layer of friction sets in: the login experience.
According to the same report, 96% of third-party users encounter issues accessing partner systems. These issues are not rare. Nearly half (47%) of respondents say they happen at least once a week. On average, external users lose 48 minutes a month just trying to log in.
What’s the source of the problem? Often, it’s inconsistent authentication methods. SMS-based one-time passwords remain the most common method, used by 58% of firms, according to the Digital Trust Index Third-Party Edition. But SMS is outdated, and it is phishable. Other methods (biometrics, smart cards, passkeys) are gaining traction but lack uniform adoption. The result is a fractured experience with no standard baseline for ease or security.
For third-party users, what begins as a small inconvenience often turns into operational drag. Persistent access issues drive them to reuse passwords, share accounts, and bypass security — actions that steadily undermine trust.
Movers Delayed, Access for Leavers Lingers
Identity management is not just about how users get in. It is also about how their access changes when they move into new roles or leave entirely.
When a third-party user moves within their organization, their access should reflect their new role. That rarely happens in practice. 35% of organizations take up to a week to adjust access permissions after a role change. In the meantime, workers are locked out of what they need, or worse, left with access they no longer require. Poor access management hampers both productivity and security.
Not even half (48%) of users receive the correct permissions following a role change. Misalignment between responsibilities and access is not just inefficient, it is dangerous. Old permissions accumulate. Systems become porous. Sensitive data remains exposed to individuals who should no longer see it.
These gaps in managing role changes often set the stage for an even bigger problem: removing access when someone leaves. Unfortunately, when it comes to revoking access entirely, the risks grow even sharper.
Over half of respondents say they’ve retained access to partner systems days, weeks, or even a month after they no longer needed it. On average, users maintain access to 2.3 systems beyond necessity. It takes more than five business days, on average, to revoke that access.
Delayed offboarding is a real risk. Forty-seven percent of users said they could still access information they should no longer be able to see. In regulated industries like insurance and pharmaceuticals, that number rises to 55%.
This is not only a security concern, but also a compliance issue and contractual liability. It could also become a reputational hazard, and in certain instances, a legal one.
Delegation and Automation: A Better Way Forward
What’s needed is a shift in mindset. Not every identity decision should sit with central IT. Not every access request should require a ticket. Delegated user management offers an alternative.
With delegated models, host organizations retain control over the identity infrastructure. However, they empower trusted contacts within partner organizations to manage access for their own users. A partner manager or regional lead can grant, update, or revoke access within defined boundaries. This keeps systems secure while aligning identity processes to real-world relationships.
Automation also plays a role. Automated access provisioning and revocation reduce the risk of manual errors. They ensure access changes happen in real time, not days later. Regular audits catch permissions that linger too long. Real-time monitoring flags unusual behavior early.
Rebuilding Trust, One Control at a Time
There’s a clear takeaway for businesses to consider: identity management is not a back-office function. It is a business enabler or a business risk.
A staggering 86% of respondents said partner access management needs improvement. When asked about priorities for improving partner systems, security came first (87%), followed by privacy (82%) and user experience (66%).
None of these can be achieved without strong identity foundations.
For B2B partnerships to thrive, organizations must rethink how they handle third-party users. From onboarding to offboarding, every step should be structured, consistent, and fit for purpose. That means moving away from patchwork systems and legacy processes. It means recognizing that trust is not given; it is designed.
And it begins, quite simply, with access.
