From NHI to AI to Shared Signals, even in CIAM it comes back to standards versus reality.
Identity standards paint a perfect future: passwordless logins, verifiable credentials, and seamless trust. I love that picture; I want to frame it. Alas, legacy IAM, tight budgets, and a business case that still boils down to ‘but will customers complain?’ prevent us from getting there from here.
Nowhere is this tension more visible than in Consumer Identity and Access Management (CIAM). The security vs. usability tradeoff has always been a knife fight, and now we’re throwing in regulatory compliance, the rising costs of fraud, and the ever-present specter of “but our customers will complain.” So, let’s talk about what standards assume, where reality kicks in, and how organizations can actually make progress.
The Issue: Standards Define a Destination, But Legacy Systems Control the Journey
Standards bodies like NIST, ISO, and ETSI (under eIDAS2) have done their job: They’ve painted a picture of where we should be. The problem is that standards assume a level of infrastructure readiness that simply doesn’t exist in many organizations.
From a security perspective: Passwords are an outdated, high-risk authentication method. We should be moving toward passwordless logins, strong authentication, and identity federation. But if you’re running a legacy IAM system that predates modern best practices, you’re not just flipping a switch to make that happen.
From a business perspective: The cost of migration is non-trivial. Budgets are tight, and while security teams may want to modernize, getting executive buy-in requires proving a return on investment. “It’s more secure” is not a compelling business case, especially when ripping out legacy authentication systems means overhauling customer login experiences.
From a user perspective: Legacy authentication methods, for all their flaws, are familiar. Customers know how to enter a password (even if it’s “password123”). Introducing new login methods, such as passkeys, decentralized identity wallets, and multi-factor authentication, can introduce friction, and friction equals drop-off.
Standards define where we want to go—but legacy systems decide how fast we can get there.
The Challenge in CIAM: Modernization Without Losing Customers
CIAM isn’t just a backend challenge, it’s a user experience challenge. Security teams might dream of a world where everyone uses phishing-resistant authentication, but if that world means adding too much friction, users will revolt.
Consider some of the “solutions” proposed:
- Passwordless authentication: Great in theory, but if customers aren’t ready for passkeys, you’re not solving a problem—you’re creating one.
- Decentralized identity: It might be the future, but consumers don’t want to manage DID documents or cryptographic keys.
- Verifiable credentials: Wonderful for privacy and security, but adoption is painfully slow outside of niche use cases.
Users hate complexity, and CIAM modernization efforts must balance security with the absolute necessity of seamless customer experience.
Standards vs. Reality: What Do They Assume?
| Standards Body | Focus Area | Regulatory Backing | What It Assumes | Reality Check |
|---|---|---|---|---|
| NIST (SP 800-63, etc.) | Digital identity guidelines, authentication assurance | U.S. federal agencies must follow; widely referenced globally | Organizations can implement strong authentication (MFA, passkeys, federation) | Many consumer apps still struggle with basic 2FA adoption |
| ISO/IEC (24760, 29115, etc.) | Identity management, authentication assurance frameworks | Treaty-based; adopted by national governments and industry | Standardized identity assurance will improve security across sectors | Adoption varies; private sector uptake is slow outside compliance-driven industries |
| ETSI (EN 319 411, etc.) | Trust services, digital identity regulations (especially in the EU) | Required for EU digital identity initiatives like eIDAS | Interoperability between EU countries will streamline identity verification | Each country implements differently, causing fragmentation and complexity |
| W3C (Verifiable Credentials, DID Core, etc.) | Decentralized identity, privacy-enhancing authentication | No regulatory backing; industry-driven | A privacy-first, user-controlled identity future is achievable | Adoption is niche and fragmented; industry buy-in is inconsistent |
| IETF (SD-JWT, OAuth, etc.) | Selective disclosure, token-based authentication | No regulatory requirement but widely adopted in industry | Privacy-preserving JWTs will improve data minimization without breaking compatibility | Adoption is early-stage; requires infrastructure most orgs don’t yet have |
How Do We Bridge the Gap? Migration Strategies for Legacy Systems
It’s easy to say “just modernize,” but for organizations dealing with decades of technical debt, it’s not so simple. Here’s what is more likely to work:
Instead of a risky rip-and-replace, introduce new authentication methods alongside legacy systems:
- Enable passkeys as an optional login method first, rather than forcing a switch overnight.
- Allow progressive adoption of MFA, requiring it only for high-risk activities before making it universal.
- Deploy verifiable credentials in controlled, low-risk scenarios, such as employee logins, before scaling to customers.
Hybrid IAM: Layer Modern Authentication on Top of Legacy Systems
Most organizations can’t replace their IAM stack overnight, so extend it instead:
- Use federation (OIDC, SAML) to bridge old and new identity providers, enabling secure single sign-on (SSO).
- Introduce adaptive authentication that steps up security dynamically, rather than disrupting all users at once.
- Leverage external identity providers (e.g., social login or third-party IdPs) where appropriate to offload identity management.
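As an added illustration (not the author's code) of the "progressive MFA" and "adaptive step-up" items in the two lists above, here is a small Python policy in which a legacy password keeps working for low-risk actions while higher-risk actions step up, offering the user only the additional authenticators that would actually satisfy the policy. The authenticator and action tables are constructed assumptions for this example, not a NIST AAL mapping.

```python
"""Constructed example: step-up policy for a hybrid CIAM deployment.

Password login stays available for low-risk actions; higher-risk actions
require more assurance. Tables below are assumptions, not a NIST mapping.
"""
from dataclasses import dataclass

# Factor categories each authenticator proves. A passkey proves possession of
# the device plus a local PIN/biometric and is origin-bound (phishing-resistant).
AUTHENTICATORS = {
    "password": {"factors": {"knowledge"}, "phishing_resistant": False},
    "totp": {"factors": {"possession"}, "phishing_resistant": False},
    "passkey": {"factors": {"possession", "local_verification"},
                "phishing_resistant": True},
}

# Per-action requirements (constructed, bank-style consumer app).
ACTION_POLICY = {
    "view_balance": {"min_factors": 1, "phishing_resistant": False},
    "transfer_funds": {"min_factors": 2, "phishing_resistant": False},
    "change_recovery_email": {"min_factors": 2, "phishing_resistant": True},
}


@dataclass
class Session:
    methods: list[str]  # authenticators completed so far in this session


def assurance(methods: list[str]) -> tuple[int, bool]:
    """Distinct factor categories proven, and whether any was phishing-resistant."""
    factors: set[str] = set()
    resistant = False
    for name in methods:
        spec = AUTHENTICATORS[name]
        factors |= spec["factors"]
        resistant = resistant or spec["phishing_resistant"]
    return len(factors), resistant


def satisfies(methods: list[str], action: str) -> bool:
    policy = ACTION_POLICY[action]
    n, resistant = assurance(methods)
    return n >= policy["min_factors"] and (resistant or not policy["phishing_resistant"])


def decide(session: Session, action: str) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("step_up", [authenticators that would satisfy the policy])."""
    if satisfies(session.methods, action):
        return "allow", []
    options = [name for name in AUTHENTICATORS
               if name not in session.methods
               and satisfies(session.methods + [name], action)]
    return "step_up", options
```

Because the step-up list is computed from the policy, adding a new authenticator or tightening an action's requirement is a table change, not a rewrite of the login flow.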
Use Regulatory Compliance as a Modernization Lever
Regulations often force organizations to upgrade security; use them to drive investment:
- Prioritize upgrades that align with eIDAS2, NIST, or ISO mandates to future-proof your IAM.
- If budgets are tight, look for grants or incentives that support compliance-driven security improvements.
- Advocate for clearer timelines on deprecating outdated authentication methods so you can plan ahead.
Design for Customers, Not Just Security
Users resist change—modernization efforts need to be seamless, not disruptive:
- Reduce friction by keeping familiar login options (passwords) available while transitioning to stronger authentication.
- Offer clear, user-friendly messaging explaining why new login options improve security without making things harder.
- Give users control over delegation (e.g., letting caregivers access accounts securely rather than sharing passwords).
Final Thoughts: Standards Are Great for Tomorrow, But Reality Wins Today
Standards define the future. But businesses don’t live in the future—they live in budget cycles, tech debt, and customer expectations. Modernizing CIAM isn’t about ‘just implementing passwordless’—it’s about navigating the messy in-between. The real challenge? Making progress without breaking what still (sort of) works.
So, next time someone says, “just implement passwordless authentication,” remind them: standards define where we want to go, but legacy systems dictate how fast we can get there.