CIAM certifications, passkeys, and accessibility: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Customer identity fraud remains costly, with Javelin Strategy & Research cited by Strivacity showing new account fraud rose 109% and account takeover losses rose 90% in 2021, while the average victim loss exceeded $1,000. The practical lesson is that CIAM trust now depends on verifiable controls across authentication, security, and accessibility, not brand claims.

NHIMG editorial — based on content published by Strivacity: CIAM certifications, passkeys, and accessibility

By the numbers:

Questions worth separating out

Q: How should security teams evaluate CIAM providers beyond marketing claims?

A: Security teams should ask for independent evidence of control design, audit scope, and operating effectiveness, then test whether those controls actually cover login, recovery, and maintenance journeys.

Q: When does passwordless authentication create new governance risk?

A: Passwordless becomes risky when organisations focus only on the happy path and ignore enrolment, device binding, fallback recovery, and support-mediated reset flows.

Q: Why does accessibility matter in identity and access management?

A: Accessibility matters because identity control is only effective if legitimate users can complete authentication and account maintenance without bypassing security or relying on unsafe manual help.

Practitioner guidance

  • Validate external assurance claims: require evidence for certifications, audit scope, and control coverage before accepting a CIAM provider into a customer-facing trust path.
  • Test passwordless recovery end to end: review enrolment, device binding, fallback authentication, and support-assisted recovery together so passkeys do not create a new weak link.
  • Bake accessibility into security testing: include WCAG checks for labels, error states, focus order, and timeout behaviour in every login and account-maintenance release.

What's in the full article

Strivacity's full post covers the operational detail this post intentionally leaves for the source:

  • The vendor's own explanation of how PCI DSS, FIDO2, SOC 2, and WCAG map to customer identity assurance.
  • Context on why the company chose to emphasise external validation across security, privacy, and accessibility.
  • The article's specific commentary on passkeys, passwordless login, and multi-device customer experience.
  • The source's direct framing of how these standards support customer trust in sign-in and account maintenance journeys.

👉 Read Strivacity's post on CIAM certifications, passkeys, and accessibility →
