
CIAM migration paths: what teams should plan for now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Organisations moving off legacy or homegrown systems can follow three CIAM migration paths, including bulk import with password hashes, just-in-time migration, and bulk reset-based migration, according to Strivacity. The real issue is not migration convenience but how teams preserve trust, reduce support load, and avoid carrying old identity debt into the new platform.

NHIMG editorial — based on content published by Strivacity: customer identity migration approaches for legacy CIAM platforms

Questions worth separating out

Q: How should teams choose between bulk import and just-in-time CIAM migration?

A: Choose bulk import when password hashes can be exported and verified in the target system, because it preserves login continuity and limits user disruption.

Q: What breaks when CIAM migration forces a password reset?

A: A reset-only migration turns identity continuity into a customer support and adoption problem.

Q: How can security teams tell whether a CIAM migration is actually working?

A: A migration is working when active users are moving without repeated login failures, support tickets are falling, and the legacy system is shrinking on schedule.

Practitioner guidance

  • Map credential portability before selecting a migration path: Confirm whether the legacy system can export password hashes, which hash algorithms are supported, and whether the target CIAM can verify them without a reset.
  • Run a parallel-state plan for just-in-time migration: Keep the legacy CIAM active long enough to capture live logins, monitor migration completion by active-user cohort, and define the decommission trigger in advance.
  • Design the reset journey as a trust-preservation flow: If hashes are unavailable, build a reset and re-enrolment path that minimises drop-off, supports stronger authentication like passkeys or MFA, and reduces support spike risk.

What's in the full article

Strivacity's full article covers the operational detail this post intentionally leaves for the source:

  • Hash-algorithm compatibility guidance for bulk import scenarios, including supported legacy formats and portability checks.
  • Step-by-step orchestration details for just-in-time migration when users must be moved during live login events.
  • Password-reset planning considerations for bulk migration without hashes, including customer communication and support load.
  • Journey Builder and Lifecycle Event Orchestration configuration specifics for teams ready to implement rather than evaluate.

👉 Read Strivacity's guide to CIAM migration paths and credential portability →

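The just-in-time path from the practitioner guidance in the post above, as an added sketch that is not part of the original post and not Strivacity's code. It assumes a legacy store of PBKDF2-HMAC-SHA1 hashes and a PBKDF2-HMAC-SHA256 target; the in-memory dicts, iteration counts, threshold and the `JitMigrator` name are all hypothetical.

```python
import hashlib, hmac, os

LEGACY_ITERS = 1_000     # assumed legacy PBKDF2-HMAC-SHA1 cost
TARGET_ITERS = 600_000   # assumed target PBKDF2-HMAC-SHA256 cost

def kdf(alg, password, salt, iters):
    return hashlib.pbkdf2_hmac(alg, password.encode(), salt, iters)

def legacy_record(password):
    """Build a constructed legacy record: (salt, PBKDF2-HMAC-SHA1 hash)."""
    salt = os.urandom(16)
    return salt, kdf("sha1", password, salt, LEGACY_ITERS)

class JitMigrator:
    def __init__(self, legacy, active_cohort, threshold=0.95):
        self.legacy = legacy                # user -> (salt, legacy hash)
        self.target = {}                    # user -> (salt, target hash)
        self.cohort = set(active_cohort)    # users expected to log in
        self.threshold = threshold          # decommission trigger, fixed up front

    def login(self, user, password):
        if user in self.target:             # already migrated: target store only
            salt, stored = self.target[user]
            return hmac.compare_digest(stored, kdf("sha256", password, salt, TARGET_ITERS))
        if user not in self.legacy:
            return False
        salt, stored = self.legacy[user]
        if not hmac.compare_digest(stored, kdf("sha1", password, salt, LEGACY_ITERS)):
            return False                    # failed logins never migrate anything
        # Plaintext is only available now: re-hash with a fresh salt, then
        # delete the legacy record so the weaker hash does not linger.
        new_salt = os.urandom(16)
        self.target[user] = (new_salt, kdf("sha256", password, new_salt, TARGET_ITERS))
        del self.legacy[user]
        return True

    def cohort_completion(self):
        """Fraction of the active cohort now held in the target store."""
        if not self.cohort:
            return 1.0
        return len(self.cohort & self.target.keys()) / len(self.cohort)

    def ready_to_decommission(self):
        return self.cohort_completion() >= self.threshold

    def needs_reset(self):
        """Users still only in legacy at cut-over: the reset/re-enrolment list."""
        return sorted(self.legacy)
```

Users returned by `needs_reset()` at cut-over never logged in during the parallel-run window, so they follow the reset and re-enrolment path instead.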
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

CIAM migration is a continuity problem, not a replatforming problem: The real challenge is preserving identity state while changing the control plane underneath it. Password hashes, login state, and customer trust all move at different speeds, so the migration method has to match the source system's technical constraints. Practitioners should treat migration design as an identity lifecycle decision, not a procurement afterthought.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how quickly identity operations drift into unsafe workarounds.

A question worth separating out:

Q: What should teams do if their legacy CIAM cannot export password hashes?

A: Treat the project as a controlled credential reset and re-enrolment exercise. Communicate the change clearly, prepare support for a spike in reset requests, and use the opportunity to move users toward stronger methods such as passkeys or MFA. The goal is to make the reset path safer and less disruptive, not merely mandatory.

👉 Read our full editorial: Customer identity migration methods that reduce CIAM lock-in



   