TL;DR: Growing demand for API-driven CIAM and passwordless authentication that fits existing identity stacks is reflected in KuppingerCole’s Rising Star recognition for Authsignal, with FIDO2, biometrics, and policy-based orchestration called out in the report. The real issue is not the rating itself, but the move toward modular identity fabrics that reduce friction without weakening access control.
At a glance
What this is: This is an analysis of KuppingerCole’s Rising Star recognition for Authsignal and the report’s view that API-first, passwordless CIAM aligns with Identity Fabric design.
Why it matters: It matters because IAM teams need to decide how far to modernise customer authentication without disrupting existing IDPs, policy enforcement, or risk-based access decisions.
By the numbers:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
Context
Passwordless authentication is becoming a practical response to the limits of password-based customer identity, especially where phishing, account takeover, and recovery friction create avoidable risk. The article frames CIAM as a layer that should adapt to context and user interaction, not sit as a static gate in front of applications.
The governance question for IAM teams is how to modernise customer authentication without replacing the entire identity stack. That makes Identity Fabric thinking relevant because it connects policy, orchestration, and multiple identity services across cloud, on-premises, and hybrid environments.
Key questions
Q: How should security teams modernise customer authentication without rebuilding their identity stack?
A: They should use an API-first integration approach that lets new authentication methods sit alongside existing identity providers, policy engines, and application flows. That reduces migration risk and preserves continuity, but it only works if governance covers session assurance, fallback logic, and how decisions are propagated across systems.
Q: Why does passwordless authentication reduce risk in CIAM?
A: Passwordless reduces dependence on shared secrets, which are a common source of phishing and account takeover. Strong authenticators such as passkeys and biometrics can improve assurance and reduce user friction, but the benefit depends on secure recovery, controlled fallback, and policy enforcement across the full customer journey.
Q: What breaks when risk-based authentication rules are poorly governed?
A: The user experience can remain smooth while the control model becomes inconsistent. If step-up, fallback, and rejection rules are not auditable, teams lose visibility into why users were challenged or allowed through, which makes troubleshooting, assurance, and compliance reviews much harder.
Q: What is the difference between passwordless authentication and identity fabric?
A: Passwordless is an authentication approach, while identity fabric is an architectural model that connects multiple identity services through consistent policy and orchestration. Passwordless can be one service inside an identity fabric, but the fabric is what lets teams govern many identity capabilities together across environments.
Technical breakdown
API-first CIAM and identity fabric architecture
An API-first CIAM service is designed to integrate into existing identity providers and application flows rather than replace them. In identity fabric terms, that means authentication, orchestration, and policy enforcement can be composed across systems instead of hardwired into one monolithic platform. The practical effect is architectural flexibility, but also a need to govern how policy, session state, and assurance levels travel between layers. If the integration layer is weak, the experience may be seamless while the security model becomes inconsistent.
Practical implication: map where authentication decisions are made, and make sure policy enforcement stays consistent across every integrated identity path.
Passwordless authentication with FIDO2 and orchestrated MFA
Passwordless authentication removes the shared secret as the primary factor and replaces it with stronger authenticators such as FIDO2 passkeys, biometrics, and orchestrated multifactor flows. Orchestration matters because customer journeys often need step-up decisions based on device trust, transaction risk, or channel confidence. The architecture is not just about removing passwords. It is about choosing the right verifier at the right point in the journey while keeping recovery, fallback, and exception handling controlled.
Practical implication: design passwordless as a journey with controlled fallback paths, not as a single login method.
Risk-based decisioning in customer identity
Risk-based decisioning evaluates context such as device signals, channel quality, and user behaviour before selecting an authentication path. In CIAM, that is the bridge between security and usability because not every interaction needs the same assurance level. The article points to a rules engine that can enforce those decisions without major architectural change. The governance challenge is to keep those rules explainable and auditable, especially when they affect recovery, step-up, and account takeover controls.
Practical implication: document which risk signals trigger step-up, fallback, or rejection, and review those rules as part of access governance.
NHI Mgmt Group analysis
Passwordless CIAM is becoming an architecture problem, not just an authentication choice. The article’s emphasis on API-driven orchestration and Identity Fabric design shows that customer identity now depends on how authentication services interoperate with existing IDPs, policy engines, and application journeys. That means the control question is no longer whether passwordless exists, but whether it can be governed consistently across a fragmented stack. Practitioners should treat the integration layer as part of the access control surface.
Customer authentication is moving toward context-aware decisioning that IAM teams must be able to explain. Once risk-based rules decide whether a user sees passkeys, biometrics, or an MFA fallback, the governance issue becomes traceability. If those decisions are opaque, troubleshooting and audit both suffer. Practitioners should insist that orchestration rules remain reviewable and tied to clear assurance outcomes.
Identity Fabric is a useful concept because it reflects the reality of mixed identity estates. Most organisations are not replacing every identity system at once, so modular authentication and orchestration are often more realistic than wholesale rebuilds. That does not remove governance burden. It shifts it to policy consistency, exception handling, and session assurance across integrated services. Practitioners should judge modernization by control continuity, not by interface polish.
CIAM and workforce IAM are increasingly converging around the same governance themes. The article is about customer identity, but the underlying pattern is familiar to IAM teams: reusable identity services, policy-driven access, and stronger authenticators replacing brittle secret-based flows. That cross-domain convergence matters because programme boundaries often lag the architecture. Practitioners should use the same governance discipline for customer, workforce, and machine-facing identity layers where they intersect.
From our research:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- Another finding from the same report shows that 88.5% of organisations acknowledge their non-human IAM practices lag behind or are merely on par with human IAM.
- That governance gap makes a broader identity-fabric approach more relevant, as discussed in Ultimate Guide to NHIs , The NHI Market.
What this signals
Identity fabric is becoming the practical bridge between customer identity modernisation and broader identity governance. As organisations add passkeys, orchestrated MFA, and policy-based routing, they also need a way to preserve control continuity across human, customer, and machine-facing identity services. The decision is less about adding another auth layer and more about whether the programme can explain every trust transition cleanly.
The same governance discipline that now applies to non-human identities also applies to customer identity journeys that depend on context and fallback. With only 19.6% of security professionals expressing strong confidence in securely managing non-human workload identities, the signal is clear that distributed identity estates are already straining existing control models. Practitioners should expect the same pressure where CIAM, orchestration, and lifecycle governance intersect.
For practitioners
- Map the authentication decision points Identify where passwordless, MFA, step-up, and fallback decisions are made across the customer journey. Confirm that each path enforces the same assurance policy and that exceptions are visible to operations and audit.
- Define controlled fallback paths Treat recovery, reset, and alternate-factor routing as governed control points. Limit insecure fallback methods and document when users can move from passkeys to other verification channels.
- Review policy rules for explainability Keep risk-based rules readable enough for security, privacy, and support teams to understand why a user was challenged or allowed. Where possible, log the signal set that triggered the decision.
- Align CIAM with identity fabric planning Use the article’s architecture pattern to test whether authentication services can be added incrementally without breaking existing identity providers or application dependencies.
Key takeaways
- Passwordless CIAM only improves security if orchestration, fallback, and recovery are governed as tightly as primary authentication.
- Identity Fabric thinking is useful because most organisations need to modernise by integration, not by replacement.
- The real test for practitioners is control continuity across every authentication path, not whether the user experience is cleaner.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Passwordless authentication and authenticators map directly to digital identity assurance. |
| NIST CSF 2.0 | PR.AC-1 | Customer authentication and access control are central to this CIAM discussion. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance applies to customer identity and orchestration paths. |
Align CIAM controls with PR.AC-1 so identity proofing and authentication decisions stay risk-based and auditable.
Key terms
- Identity Fabric: An identity fabric is an integration model that connects multiple identity services through shared policy and orchestration. It does not replace every existing system. Instead, it lets organisations apply consistent control across customer, workforce, device, and machine identity flows while keeping deployment incremental.
- Passwordless Authentication: Passwordless authentication verifies a user without relying on a memorised password as the primary factor. In practice, it uses stronger authenticators such as passkeys, biometrics, or device-bound methods, while still requiring governed recovery and fallback paths to preserve assurance when the primary method is unavailable.
- Risk-Based Authentication: Risk-based authentication changes the authentication path based on contextual signals such as device trust, location, behaviour, or transaction sensitivity. It improves usability and can reduce fraud exposure, but only when the rules are explainable, auditable, and tied to consistent assurance outcomes across the journey.
- CIAM: Consumer Identity and Access Management is the discipline of governing how customers register, authenticate, recover accounts, and access digital services. It must balance scale, privacy, and usability while keeping the organisation in control of assurance, recovery, and access decisions across many user journeys.
What's in the full article
Authsignal's full post covers the operational detail this post intentionally leaves for the source:
- The vendor’s breakdown of its passwordless and MFA orchestration capabilities across passkeys, biometrics, SMS, email, push, and wallet-based credentials.
- The article’s explanation of how its no-code rules engine fits risk-based decisioning and customer journey control.
- The source commentary on Identity Fabric design principles and how they map to modular deployment choices.
- The recognition context from KuppingerCole and the report language that underpins the Rising Star designation.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org