Organizations Struggle with Customer Identity Solutions Amid Risks

Customer identity management has emerged as a critical vulnerability within enterprise security frameworks. Recent research conducted by Descope reveals a significant disconnect between the security measures organizations claim to prioritize and the actual tools they implement. Despite an overwhelming consensus on the importance of effective authentication, a staggering 87% of organizations still rely on traditional passwords and other methods that not only frustrate users but also expose them to increased risks.

The findings indicate that while many companies acknowledge the importance of robust authentication methods, they continue to use outdated systems. A large portion of respondents believes that stronger authentication enhances customer experience, yet only a small fraction feels that current methods are effective for both user experience and security. Many organizations face ongoing issues, including fraud, repeated account recovery cycles, and the escalating costs related to maintaining obsolete systems.

Limited resources and competing priorities often push identity management initiatives to the back burner, even though organizations are aware that reliance on passwords undermines both security and the customer experience. Transitioning away from these high-friction methods is perceived as costly and disruptive, resulting in a paradox where over two-thirds of respondents still use passwords as a primary method, despite recognizing their drawbacks.

A significant number of organizations report utilizing Multi-Factor Authentication (MFA) to some extent; however, few apply it consistently across all customer-facing applications. This inconsistency leaves gaps that attackers can exploit. As teams struggle to find the time and budget to advance MFA implementation, only over 70% of organizations plan to adopt passkeys or have initiated steps toward this goal. Yet, many express concerns about the capacity of their existing systems to support these innovations without substantial restructuring.

Internal alignment issues complicate matters further, as product, engineering, marketing, and security teams often disagree on the prioritization of customer identity upgrades. This results in a hybrid approach where passkeys may be supported in select instances, while passwords remain the default method. The reliance on developers who lack specialization in authentication exacerbates the situation, as these teams juggle identity work alongside core product responsibilities.

Decision-makers often underestimate the time developers spend on authentication tasks, allowing identity management efforts to slip down the priority list until a breach or outage necessitates immediate attention. The frequent context switching between authentication, compliance, and product enhancements can lead to mistakes and delays in delivery.

According to Rishi Bhargava, co-founder of Descope, “Engineering and identity teams are trying to fit square pegs into round holes when it comes to customer identity.” He emphasizes that maintaining homegrown solutions with overstretched development teams can hinder progress as user needs evolve and new products are introduced.

Authentication challenges not only compromise security but also negatively impact revenue. Organizations report that outdated authentication flows lead to user drop-off during login, delays in engineering delivery, and abandoned transactions. These issues accumulate over time, manifesting as higher operating costs and lost revenue, yet they rarely appear as distinct budget line items. Companies with more than 20,000 employees, in particular, face heightened rates of breaches and increased strain on customer support due to authentication-related issues.

The complexity of managing customer identity increases as organizations scale. Fragmented systems and inconsistent policies burden security and engineering teams, making it difficult to strike a balance between security and user experience. While security teams prioritize risk reduction, product teams focus on conversion and retention, leading to a patchwork of approaches that often fail to satisfy all stakeholders. Some organizations implement controls that slow down legitimate users, while others reduce friction in ways that expose them to potential threats.

The emergence of agentic AI is set to complicate customer identity management further. Automated activities will proliferate, from legitimate user actions to large-scale attacks targeting login and account creation processes. Security teams will face increased traffic to evaluate and will have less certainty regarding what constitutes genuine user intent. Attackers will leverage AI to launch high volumes of account takeover attempts and create synthetic identities that mimic normal behavior.

To navigate this evolving landscape, organizations must develop identity systems capable of adapting to changing patterns, promptly flagging suspicious behavior while still providing a seamless experience for trustworthy users. Addressing these challenges will be essential for maintaining both security and customer satisfaction in an increasingly complex digital environment.