TL;DR: Passkeys are moving from standard-setting to mainstream adoption, while CIAM market consolidation is forcing brands to reassess platform roadmaps, migration risk, and customer login experience, according to Strivacity. The governance lesson is that customer identity programmes now need to balance phishing-resistant authentication with vendor concentration risk and future-proof journey design.
At a glance
What this is: This is Strivacity’s year-end CIAM analysis, and its key finding is that passkeys and market consolidation are changing customer identity expectations at the same time.
Why it matters: It matters because IAM teams must now align customer authentication, journey design, and vendor strategy across human identity controls and broader identity governance decisions.
Context
Customer identity and access management is shifting in two directions at once: passwordless authentication is becoming normal, while the CIAM vendor landscape is becoming more concentrated. That combination changes how teams think about login experience, migration planning, and authentication risk.
For IAM practitioners, the question is no longer whether customers will expect easier sign-in. The harder issue is how to keep authentication resilient, portable, and governable when platform choices, merger activity, and user expectations all move together.
Key questions
Q: How should organisations roll out passkeys in customer identity journeys?
A: Start with the journeys that see the most password fatigue, phishing exposure, or reset volume, then add passkeys where device-bound authentication improves both experience and risk. Keep fallback and recovery paths tightly governed, because those paths become the real control boundary once passwords are reduced or removed.
Q: When does CIAM consolidation become a security governance problem?
A: It becomes a governance problem when customer login, recovery, federation, and admin workflows are tightly coupled to one vendor's roadmap or product direction. At that point, a merger or acquisition can change support models, transition timing, and technical dependencies fast enough to become an operational risk.
Q: Why do passkeys change the way teams think about customer identity risk?
A: Passkeys remove the reusable secret that attackers usually target, so the main risks shift toward device trust, recovery abuse, and fallback methods. That means customer identity teams need to govern the whole journey, not just the authentication step, if they want the security gains to hold.
Q: What should IAM teams do before their CIAM platform roadmap changes?
A: Inventory the journeys, integrations, and recovery flows that would be hardest to move, then document the operational dependencies that would block a rapid transition. If the platform changes direction, those dependencies are what determine whether the organisation can adapt cleanly or ends up with a costly migration.
Technical breakdown
Passkeys and phishing-resistant customer authentication
Passkeys are a passwordless authentication method built on FIDO2, using device-bound cryptographic keys and local biometrics or device unlock instead of reusable shared secrets. That shifts the attack surface away from password guessing, phishing, and credential stuffing because there is no password to steal and reuse. In CIAM, the important design change is that authentication becomes resistant to the most common consumer login abuse patterns without adding password complexity for the user. The practical trade-off is that journey design, device recovery, and cross-device access now matter more than password policy tuning.
Practical implication: treat passkey rollout as an authentication architecture change, not just a UX feature.
CIAM consolidation and vendor migration risk
CIAM consolidation changes the operational assumptions behind customer identity programmes because platform roadmaps, support models, and product direction can shift after merger activity. When a market narrows, buyers face more than feature comparison. They face migration planning, integration uncertainty, and possible redesign of customer journeys if a chosen platform changes direction. For identity teams, this is a governance problem as much as a technology problem because authentication, account recovery, federation, and branding decisions all become coupled to vendor strategy.
Practical implication: maintain exit readiness, data portability plans, and documented journey dependencies before consolidation forces a rushed transition.
Frictionless login still needs identity governance
Login convenience does not remove governance requirements. Features such as remembered devices, optional MFA, enterprise SSO, and hosted verification components reduce user friction, but they also expand decision points around assurance, recovery, and fraud resistance. The technical challenge is balancing lower-friction customer journeys with controls that still prove account continuity and limit takeover risk. In practice, CIAM teams need to understand which user populations can use lower-friction paths, which require stronger verification, and where recovery paths become the weakest link.
Practical implication: map assurance levels to customer segments and recovery flows instead of applying one authentication path everywhere.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passkeys are forcing customer identity programmes to move from password control to device-bound trust. That changes the centre of gravity in CIAM because reusable secrets are no longer the main defensive object. The governance question becomes how organisations validate device continuity, recovery, and exception handling without rebuilding password-era assumptions. Practitioners should treat passkey adoption as a shift in trust architecture, not just a login upgrade.
CIAM consolidation is a governance event, not just a market event. When fewer vendors control more customer identity estates, migration risk, roadmap dependence, and lock-in all rise together. That narrows the range of practical choices for brands that need stable customer journeys over long time horizons. Practitioners should re-evaluate how much of their login and recovery flow depends on a single supplier trajectory.
Low-friction authentication only works when recovery is equally well governed. Passkeys reduce reliance on passwords, but account recovery, device replacement, and fallback MFA often become the real security boundary. If those paths are weak, attackers simply move to the easiest re-entry point. Practitioners should audit recovery flows with the same seriousness as sign-in flows.
Customer identity teams should stop treating experience and security as separate goals. The article shows they are now coupled: users expect seamless sign-in, while brands need stronger resistance to phishing and credential abuse. The result is that CIAM design choices increasingly shape both fraud exposure and customer retention. Practitioners should align authentication policy, recovery policy, and journey design under one governance model.
From our research:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- If you are building stronger identity hygiene alongside authentication modernisation, the Top 10 NHI Issues resource is a useful next step for mapping governance gaps across machine and customer-facing systems.
What this signals
Passkey adoption will not simplify governance unless recovery logic is equally mature. Customer identity programmes should expect the weakest part of the stack to move from password policy to fallback authentication, device recovery, and trust restoration. That shift is already visible across broader identity programmes, where governance often lags the user experience redesign.
As vendor consolidation continues, teams should assume that platform dependencies will become harder to unwind after the fact. The practical response is to keep journey maps, federation dependencies, and recovery ownership explicit so identity changes do not turn into hidden operational debt.
For practitioners
- Prioritise passkey enablement for high-volume customer journeys: identify the sign-in flows that create the most password-reset demand or credential abuse exposure, then pilot passkeys where device-bound authentication will remove the most friction and risk.
- Document your CIAM exit assumptions now: map which customer journeys depend on a single platform's federation, branding, recovery, and administration features so you can estimate migration effort before market consolidation forces change.
- Review fallback authentication and recovery paths: test how users regain access when a passkey device is lost, replaced, or unavailable, and make sure fallback methods do not become a weaker takeover path than the password they replace.
- Separate assurance levels by customer risk tier: apply stronger verification to higher-risk accounts, then reserve lower-friction login and remembered-device options for scenarios where the account impact of takeover is lower.
Key takeaways
- CIAM is moving into a phase where passwordless authentication and market consolidation are changing the same operating model.
- Passkeys reduce credential abuse risk, but they shift the hardest governance questions toward device trust, fallback methods, and recovery.
- Identity teams that document dependencies and recovery paths now will be better positioned if platform roadmaps or vendor ownership change later.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Passkeys and recovery design map directly to digital identity assurance. |
| NIST CSF 2.0 | PR.AA-01 | Customer authentication and access assurance are core to identity protection. |
| NIST Zero Trust (SP 800-207) | | CIAM hardening and continuous verification support zero trust access design. |
Review customer authentication controls against PR.AA-01 and reduce reliance on reusable secrets.
Key terms
- Passkey: A passkey is a passwordless sign-in method that uses public-key cryptography tied to a device, plus local biometrics or device unlock for user verification. It removes the reusable secret from the login flow, which reduces phishing and credential stuffing exposure while shifting governance toward recovery and device trust.
- Customer Identity And Access Management: Customer Identity and Access Management, or CIAM, is the set of controls used to authenticate, authorise, and manage external users at scale. It covers sign-up, sign-in, federation, recovery, consent, and journey design, and it must balance customer experience with fraud resistance and operational governance.
- Fallback Authentication: Fallback authentication is the alternative path a user takes when the primary sign-in method is unavailable, such as a lost device or failed verification. It is often the weakest part of a customer identity design because attackers target it after stronger controls like passkeys are introduced.
Deepen your knowledge
Passkey adoption, recovery governance, and CIAM lifecycle decisions are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising customer identity from a similar starting point, it is worth exploring.
This post draws on content published by Strivacity: a year-end CIAM analysis covering passkeys, consolidation, and product enhancements. Read the original.
Published by the NHIMG editorial team on 2025-08-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org