CIAM certifications, passkeys, and accessibility: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Customer identity fraud remains costly, with Javelin Strategy & Research cited by Strivacity showing new account fraud rose 109% and account takeover losses rose 90% in 2021, while the average victim loss exceeded $1,000. The practical lesson is that CIAM trust now depends on verifiable controls across authentication, security, and accessibility, not brand claims.

NHIMG editorial — based on content published by Strivacity: CIAM certifications, passkeys, and accessibility

Questions worth separating out

Q: How should security teams evaluate CIAM providers beyond marketing claims?

A: Security teams should ask for independent evidence of control design, audit scope, and operating effectiveness, then test whether those controls actually cover login, recovery, and maintenance journeys.

Q: When does passwordless authentication create new governance risk?

A: Passwordless becomes risky when organisations focus only on the happy path and ignore enrolment, device binding, fallback recovery, and support-mediated reset flows.

Q: Why does accessibility matter in identity and access management?

A: Accessibility matters because identity control is only effective if legitimate users can complete authentication and account maintenance without bypassing security or relying on unsafe manual help.

Practitioner guidance

  • Validate external assurance claims: require evidence for certifications, audit scope, and control coverage before accepting a CIAM provider into a customer-facing trust path.
  • Test passwordless recovery end to end: review enrolment, device binding, fallback authentication, and support-assisted recovery together so passkeys do not create a new weak link.
  • Bake accessibility into security testing: include WCAG checks for labels, error states, focus order, and timeout behaviour in every login and account-maintenance release.

What's in the full article

Strivacity's full post covers the operational detail this post intentionally leaves for the source:

  • The vendor's own explanation of how PCI DSS, FIDO2, SOC 2, and WCAG map to customer identity assurance.
  • Context on why the company chose to emphasise external validation across security, privacy, and accessibility.
  • The article's specific commentary on passkeys, passwordless login, and multi-device customer experience.
  • The source's direct framing of how these standards support customer trust in sign-in and account maintenance journeys.

👉 Read Strivacity's post on CIAM certifications, passkeys, and accessibility →
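The third guidance bullet above (WCAG checks for labels, error states, focus order and timeout behaviour in login releases) is the kind of thing that can be automated as a release gate. The following is an added example, not code from the original post or from Strivacity: a small stdlib-only linter that parses a login form's HTML and reports four classes of finding, run against two constructed forms (a weak one and a corrected one). The HTML, field names and ids are invented for the demonstration; the WCAG success-criterion numbers in the comments are the published ones.

```python
"""Static WCAG sanity checks for a login form (added example; constructed input)."""
from html.parser import HTMLParser
from typing import Dict, List


class _FormScan(HTMLParser):
    """Collect the elements the checks need: ids, form fields, labels, meta refresh."""

    def __init__(self) -> None:
        super().__init__()
        self.ids: set = set()
        self.inputs: List[Dict[str, str]] = []
        self.label_for: set = set()
        self.label_depth = 0                 # >0 while inside a <label>
        self.meta_refresh: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if "id" in a:
            self.ids.add(a["id"])
        if tag == "label":
            self.label_depth += 1
            if "for" in a:
                self.label_for.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            a["_wrapped"] = "1" if self.label_depth > 0 else ""
            self.inputs.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "label" and self.label_depth:
            self.label_depth -= 1


def check_login_form(html: str) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means all checks passed."""
    scan = _FormScan()
    scan.feed(html)
    scan.close()
    findings: List[str] = []

    for el in scan.inputs:
        if el.get("type", "text").lower() in ("hidden", "submit", "button", "reset", "image"):
            continue                                   # not user-operated fields
        name = el.get("name") or el.get("id") or "<unnamed field>"

        # 1. Accessible name (WCAG 1.3.1 / 4.1.2): <label for>, wrapping <label>,
        #    aria-label, or an aria-labelledby whose every reference resolves.
        labelled_by = el.get("aria-labelledby", "").split()
        has_name = (
            el.get("id", "") in scan.label_for
            or el.get("_wrapped") == "1"
            or bool(el.get("aria-label", "").strip())
            or (bool(labelled_by) and all(ref in scan.ids for ref in labelled_by))
        )
        if not has_name:
            findings.append(f"LABEL: field '{name}' has no accessible name")

        # 2. Error state (WCAG 3.3.1): an invalid field must point at error text that exists.
        described_by = el.get("aria-describedby", "").split()
        missing = [ref for ref in described_by if ref not in scan.ids]
        if missing:
            findings.append(f"ERROR: field '{name}' aria-describedby references missing id(s) {missing}")
        if el.get("aria-invalid", "").lower() == "true" and not described_by:
            findings.append(f"ERROR: field '{name}' is marked invalid but exposes no error text")

        # 3. Focus order (WCAG 2.4.3): a positive tabindex overrides DOM order.
        try:
            if int(el.get("tabindex", "0")) > 0:
                findings.append(f"FOCUS: field '{name}' uses positive tabindex={el['tabindex']}")
        except ValueError:
            findings.append(f"FOCUS: field '{name}' has a non-numeric tabindex")

    # 4. Timeout (WCAG 2.2.1): a meta refresh imposes a time limit the user cannot adjust.
    for content in scan.meta_refresh:
        findings.append(f"TIMEOUT: meta refresh '{content}' imposes a fixed time limit")
    return findings


# Constructed sample: a login page with an unlabelled password field, a dangling
# error reference, a positive tabindex, and a forced refresh after 60 seconds.
WEAK_LOGIN_HTML = """
<html><head><meta http-equiv="refresh" content="60;url=/login?expired=1"></head>
<body><form action="/login" method="post">
  <label for="user">Email</label>
  <input id="user" name="username" type="email" tabindex="2">
  <input id="pw" name="password" type="password" aria-invalid="true" aria-describedby="pw-err">
  <div id="login-error">Incorrect password</div>
  <input type="hidden" name="csrf" value="constructed-token">
  <button type="submit">Sign in</button>
</form></body></html>
"""

# Constructed sample: the same form with each finding corrected.
FIXED_LOGIN_HTML = """
<html><head></head><body><form action="/login" method="post">
  <label for="user">Email</label>
  <input id="user" name="username" type="email" autocomplete="username">
  <label for="pw">Password</label>
  <input id="pw" name="password" type="password" autocomplete="current-password"
         aria-invalid="true" aria-describedby="pw-err">
  <div id="pw-err" role="alert">Incorrect password. Check caps lock and try again.</div>
  <input type="hidden" name="csrf" value="constructed-token">
  <button type="submit">Sign in</button>
</form></body></html>
"""

if __name__ == "__main__":
    for finding in check_login_form(WEAK_LOGIN_HTML):
        print(finding)
    print("fixed form findings:", check_login_form(FIXED_LOGIN_HTML))
```

The checks are deliberately static so they can run in CI against rendered templates before a release; they do not replace a screen-reader walkthrough, but they catch the regressions (a dropped label, an error container renamed without updating aria-describedby, a tabindex added to "fix" focus) that quietly push users toward support-mediated workarounds.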


(@mr-nhi), Member Moderator


CIAM trust is now an evidence problem, not a branding problem. External certifications matter because customer identity systems sit at the boundary between fraud, privacy, and usability. When a provider points to SOC 2, PCI DSS, FIDO2, and WCAG together, the useful signal is that trust must be demonstrated across distinct control domains, not asserted as a platform virtue. Practitioners should treat assurance as a validation exercise across evidence, not a marketing checklist.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
  • Another 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, which shows that lifecycle complexity is still outrunning governance.

A question worth separating out:

Q: Should customer identity teams use fraud trends to prioritise controls?

A: Yes. Rising new account fraud and account takeover losses are direct signals that identity journeys need stronger assurance, especially around registration, authentication, and recovery. Teams should use fraud data to decide where to invest in phishing-resistant authentication, stronger recovery controls, and usability testing that reduces unsafe workarounds.

👉 Read our full editorial: CIAM certifications change the trust calculus for customer identity
