
Retail customer identity friction: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Recent retail analysis shows account creation, sign-in, password reset, identity verification, rewards access, and shopping-agent consent now determine whether customers convert and stay loyal, according to Strivacity. The governance lesson is that customer identity is no longer a back-office control plane, but a growth-critical system that must balance friction, fraud, and delegated access.

NHIMG editorial — based on content published by Strivacity: retail customer identity, conversion, and AI-assisted shopping journeys

Questions worth separating out

Q: How should retailers reduce login friction without increasing account takeover risk?

A: Use risk-based access controls that keep the default journey fast for known customers, then step up verification only when signals change.

Q: Why do password resets and account recovery need special governance in retail?

A: Because recovery is often the easiest place for an attacker to hijack a customer journey after the first login has already failed.

Q: What do security teams get wrong about customer identity in digital commerce?

A: They often treat customer identity as a pure authentication problem and miss the fact that conversion, trust, and fraud are all shaped by the same journey.

Practitioner guidance

  • Reduce registration friction first: strip account creation down to the minimum required to start, then move enrichment into later trust-building steps such as profile completion or loyalty activation.
  • Replace static MFA with risk-based step-up: use contextual signals such as device, location, velocity, and unusual behaviour to trigger stronger checks only when risk rises.
  • Harden recovery and rewards flows: treat password reset, loyalty redemption, and stored-payment access as high-value journeys with separate monitoring and policy controls.

What's in the full article

Strivacity's full post covers the operational detail this post intentionally leaves for the source:

  • Progressive onboarding and account-opening patterns for reducing sign-up abandonment
  • Adaptive MFA, passwordless authentication, and trusted-device handling for retail journeys
  • Recovery and loyalty protection controls for high-value customer accounts
  • Consent and orchestration details for AI agents acting on behalf of shoppers

👉 Read Strivacity's analysis of retail customer identity, conversion, and AI shopping →
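
The risk-based step-up and high-value-journey rules from the practitioner guidance above, worked through as an added Python example (this is not Strivacity's or NHIMG's code; the signal set, weights, thresholds and sample events are assumptions chosen to illustrate the pattern):

```python
from dataclasses import dataclass

# Journeys the guidance treats as high-value: never served from the fast path.
HIGH_VALUE_JOURNEYS = {"password_reset", "loyalty_redemption", "stored_payment_access"}

@dataclass
class SignInContext:
    """Contextual signals for one customer request (all fields are assumed inputs)."""
    customer_id: str
    journey: str              # "login", "password_reset", "loyalty_redemption", ...
    device_known: bool        # device previously bound to this account
    country: str              # geolocation of the current request
    usual_country: str        # where this customer normally signs in from
    attempts_last_10m: int    # velocity: recent attempts against this account
    impossible_travel: bool   # behavioural anomaly flag from an upstream detector

def risk_score(ctx: SignInContext) -> int:
    """Additive score; a signal contributes only when it deviates from the customer's norm."""
    score = 0
    if not ctx.device_known:
        score += 40
    if ctx.country != ctx.usual_country:
        score += 25
    if ctx.attempts_last_10m > 5:
        score += 30
    if ctx.impossible_travel:
        score += 50
    return score

def required_assurance(ctx: SignInContext) -> str:
    """Return 'password' (fast path), 'step_up' (second factor) or 'block'."""
    score = risk_score(ctx)
    if score >= 80:
        return "block"                      # several anomalies at once: do not proceed
    if ctx.journey in HIGH_VALUE_JOURNEYS or score >= 40:
        return "step_up"                    # one strong signal, or a high-value journey
    return "password"                       # known customer, nothing changed: stay fast

# Constructed sample traffic, not real customer data.
SAMPLE_EVENTS = [
    SignInContext("c1", "login", True, "GB", "GB", 1, False),               # returning customer
    SignInContext("c2", "login", False, "GB", "GB", 1, False),              # new device
    SignInContext("c3", "loyalty_redemption", True, "GB", "GB", 1, False),  # high-value journey
    SignInContext("c4", "login", False, "US", "GB", 12, True),              # stacked anomalies
]

def decisions(events=SAMPLE_EVENTS) -> dict:
    """Map each event to its decision, e.g. {'c1/login': 'password', ...}."""
    return {f"{e.customer_id}/{e.journey}": required_assurance(e) for e in events}
```

Only the returning customer on a known device stays on the password-only path; a loyalty redemption steps up even with a clean score, and stacked anomalies are blocked rather than merely challenged.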



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Retail identity is now a revenue control, not a support function. The article shows that sign-up, sign-in, password reset, and rewards access are the points where growth is gained or lost. That means customer identity has become a commercial control surface, not just an authentication workflow. Teams that treat these journeys as low-value plumbing will keep paying for abandonment, fraud, and support load. The practitioner conclusion is to govern customer identity as part of conversion engineering, not as an isolated IAM task.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why lifecycle control remains a live governance problem.

A question worth separating out:

Q: How can organisations govern AI agents acting on behalf of customers?

A: They should treat those interactions as delegated identity events with explicit consent, bounded action scope, and auditable approval. The system needs to know which customer authorised the agent, what it may do, and when that authority ends. Without that structure, the retailer cannot distinguish legitimate delegation from unauthorised automation.

👉 Read our full editorial: Retail customer identity is where conversion and trust now collide
