TL;DR: Shopify Plus is shifting new customer accounts toward passwordless, API-driven authentication, while advanced features like passkeys, SSO, and custom auth logic now require an external OAuth or OIDC provider, according to Descope. That makes identity architecture a conversion and security decision, not just a storefront setting.
NHIMG editorial — based on content published by Descope: Add Auth to Your Shopify Plus Storefront With Descope
By the numbers:
- 42% of consumers said they’d abandoned a purchase because of a forgotten password.
- 78% of people reusing credentials on at least one account, much of the risk is out of your control.
- As of February 2026, Shopify Legacy Customer Accounts have been deprecated, further limiting built-in auth options.
Questions worth separating out
Q: How should security teams handle Shopify customer authentication after legacy account deprecation?
A: Teams should move customer authentication onto a standards-based federation model and test it as part of the wider identity architecture.
Q: When does external identity provider integration become necessary for Shopify Plus?
A: It becomes necessary when the organisation needs passkeys, enterprise SSO, custom auth logic, or unified sign-in across applications and storefronts.
Q: What do teams get wrong about passwordless customer login on ecommerce platforms?
A: They often treat passwordless login as a user-experience upgrade only.
Practitioner guidance
- Map authentication dependencies before migrating off legacy accounts. Inventory every login, template, and Multipass dependency that still supports Shopify customer access.
- Validate OIDC provider behaviour under real customer journeys. Test redirect handling, token refresh, session persistence, and logout behaviour across storefronts before production cutover.
- Design one customer identity model across sites. If the organisation runs a main website and Shopify store, define whether the same IdP, refresh-token strategy, and assurance policy apply to both.
What's in the full article
Descope's full blog covers the operational detail this post intentionally leaves for the source:
- The exact Shopify configuration fields needed to wire an external OIDC provider into Customer Accounts.
- The Descope flow setup steps for magic links, passkeys, and A/B testing of authentication journeys.
- The custom liquid implementation pattern used to host the login flow inside Shopify.
- The cross-domain refresh-token approach for unifying sign-in across a website and a Shopify store.
👉 Read Descope’s blog on Shopify Plus authentication changes and OIDC setup →
Shopify Plus auth changes: are your login controls ready for 2026?
Explore further
Shopify Plus auth is no longer a storefront feature problem. It is an identity architecture problem. Once passwordless login, passkeys, and enterprise SSO depend on an external OIDC provider, the control boundary moves out of the commerce platform and into federation, token handling, and session governance. That means IAM and IGA teams must evaluate customer auth as part of the broader identity stack, not as a point solution. Practitioners should align storefront login decisions with the same standards they use for other federated identity patterns.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: How can organisations unify customer identity across a website and Shopify store?
A: They need a single identity layer that can handle authentication once and maintain continuity across domains. That usually means one external IdP, a consistent refresh-token strategy, and aligned policy for both properties so users do not face separate identity experiences for the same organisation.
👉 Read our full editorial: Shopify Plus auth now depends on OIDC extensibility for modern login