Key findings from our 2023 State of Secure Identity Report

Sign-up fraud, credential stuffing, and MFA bypass are everyday threats targeting Customer Identity. 
Identity has become a primary security entry point for all consumer applications. 

From buying flowers online to conducting financial transactions, millions of authentications occur daily to verify the digital identities of customers. But legitimate users aren’t the only ones interested in what’s behind the login box. Over the past few years, the volume and complexity of attacks on Customer Identity and Access Management (CIAM) systems have increased, so mitigating, detecting, and protecting against them is more important than ever.

The challenge is that customer-facing applications must deliver a user-friendly and secure experience. 

In our third annual State of Secure Identity Report, we aim to increase the awareness of threats to Customer Identity systems and the defensive measures that should be taken to build and maintain trust with consumers. We share anonymised platform data from the Okta Customer Identity Cloud to present trends, examples, and observations to help drive informed conversations around securing your login box. 

Sign-up flows are plagued by fraud 

Bad actors will abuse the sign-up flows of B2C companies to take advantage of account creation incentives or deter the user experience of legitimate customers. For the business being targeted, fake sign-ups create problems that lead to unnecessary expenses when performed at scale. 

In the first half of 2023, 13.9% of sign-up volume was flagged as fraudulent on our platform,  down 23% from last year. This positive trend is a function of improvements to the Customer Identity Cloud’s product suite, both before and at the login box, designed to keep bad actors at bay. 

Across industries, financial services had the highest proportion of fraudulent sign-up attempts (28.8%), closely followed by media (28.4%) and manufacturing (25.1%). 

Credential stuffing is still a favourite 

As long as passwords exist, bad actors will leverage credential stuffing for account takeover. In our analysis, it remains the most common Identity attack observed on the platform. In aggregate, 24.3% of sign-in attempts on the Customer Identity Cloud met the criteria of credential stuffing. Once again, this number is down from last year due to improvements in our Bot Detection capabilities. 

Interestingly, retail/e-commerce companies account for more than half (51.3%) of all credential-stuffing events, likely due to the value associated with accounts in that industry. For example, cybercriminals can liquidate the balance of a victim's loyalty program for personal gain or resale. Geographically, the Americas region has the highest rate of credential-stuffing attacks at 28%, which aligns with previous findings as some of the largest retail and media companies are based in the United States. 

Attackers target MFA 

While the merits of MFA have been well established in preventing account takeovers, it faces unique challenges in the context of Customer Identity. Unfortunately, the friction associated with traditional MFA techniques has resulted in low consumer adoption; plus, many older MFA techniques are now under threat, with attackers finding scalable and economical ways to bypass this critical barrier.

We found that 12.7% of MFA attempts on the Customer Identity Cloud were attributed to MFA bypass attacks. This is particularly evident in weaker factors such as one-time SMS codes, which are susceptible to social engineering and SIM swap attacks. Since knowledge-based factors are the target of MFA bypass attacks, organisations should consider adopting possession-based or biometric factors to reduce the likelihood of account takeover. As an added bonus, these types of factors, such as passkeys, also reduce login friction. 

A layered approach to security with CIAM 

Workforce Identity management can accommodate comparatively higher friction with the added benefit of relying on a user base that regularly undergoes security awareness training. This is not a luxury afforded by CIAM. Instead, Customer Identity must rely on subtle security techniques to achieve and maintain a strong security posture while driving conversions. 

Solutions like Okta Customer Identity Cloud arm businesses with a layered defence approach to security. A variety of risk signals are used to automatically increase or decrease friction before, at, and after the login box.

Capabilities like Bot Detection, Credential Guard, and passkeys aim to let legitimate customers in while keeping attackers out. 

For more insights into the threats on Customer Identity systems and the defensive measures you should take to protect your login box, check out our full report here

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials.  Information regarding Okta's contractual assurances to its customers can be found at