Authentication & passkeys
Authentication is where most account takeovers are won or lost — and where customer friction does the most damage to revenue. The category is moving in one direction: away from shared secrets (passwords, SMS codes that fall to SIM swap) toward phishing-resistant passkeys bound to the device and the domain.
The hard part in CIAM isn’t the cryptography; it’s applying it to customers who never asked for friction. That’s what adaptive, risk-based MFA solves: challenge only when signals (new device, impossible travel, a breached password) cross a threshold, and reserve step-up for sensitive actions rather than every login.
These guides rank the methods by real-world strength and walk through rolling MFA and passwordless out without bleeding sign-ups — including the recovery and fallback paths a vendor demo usually skips.
Guides in this topic
- Passwordless and passkeys in CIAM: What passkeys are, how they differ from older passwordless methods, and what to ask a CIAM vendor.
- Multi-factor authentication (MFA) for customer apps: MFA methods ranked by security, and how to roll it out to customers without killing conversion.