Identity research & data
A working reference for researchers, analysts, and practitioners. Sourced statistics, country-by-country directories, and a live standards tracker. Every figure is attributed to a primary source and dated, so you can cite it in decks, threat models, and budget cases.
23 data points · last reviewed 2026-06-30. Always check the linked source for methodology and the latest revision.
Data-protection and identity laws mapped to how each impacts authentication, consent, governance, and data residency.
How each country proves identity, the standards used, and the vendors that verify it.
Standards, NIST and OWASP guidance, academic research, and the industry reports behind the numbers below.
Our annual synthesis, built entirely from the sourced data points on this page.
OAuth, OIDC, SAML, WebAuthn, SCIM, and more, explained for implementers.
Identity security, by the numbers
Breaches & root cause
Errors, social engineering, phishing, and misuse remained the dominant factor in confirmed breaches across 139 countries.
Verizon DBIR 2025 ↗Credential abuse was the single most common initial access vector in the 2025 DBIR, ahead of phishing and vulnerability exploitation.
Verizon DBIR 2025 ↗Within basic web application breaches, the overwhelming majority were carried out with stolen credentials rather than exploits.
Verizon DBIR 2025 ↗Third-party involvement in confirmed breaches doubled year over year from 15% to 30%, underscoring supply-chain risk.
Verizon DBIR 2025 ↗Authentication & phishing
Phishing remained a leading initial-access technique, and researchers found click rates were largely unaffected by awareness training.
Verizon DBIR 2025 ↗More than 97% of identity attacks observed by Microsoft target passwords; identity-based attacks surged 32% in the first half of 2025.
Microsoft Digital Defense Report 2025 ↗MFA effectiveness
Microsoft reports phishing-resistant MFA stops over 99% of identity attacks, even when the adversary already holds valid credentials.
Microsoft Digital Defense Report 2025 ↗Passkeys & FIDO
Over 15 billion user accounts are equipped to sign in with a passkey, roughly doubling availability year over year.
FIDO Alliance 2025 ↗FIDO consumer research shows three-quarters of consumers recognize passkeys, with roughly 69% having enabled at least one.
FIDO Alliance Passkey Index 2025 ↗FIDO's Passkey Index found passkeys deliver a roughly 30% conversion lift and a 93% sign-in success rate.
FIDO Alliance Passkey Index 2025 ↗Announced on World Passkey Day 2026, a marker that passkeys have crossed into the mainstream.
FIDO Alliance 2026 ↗Up sharply from roughly 75% a year earlier, per FIDO's State of Passkeys 2026 research across ten countries.
FIDO Alliance State of Passkeys 2026 ↗Workforce passwordless is moving from pilot to rollout, though account recovery and legacy systems remain the hard part.
FIDO Alliance State of Passkeys 2026 ↗A single-retailer datapoint on consumer-scale adoption, with passkey sign-in reported about six times faster than passwords.
FIDO Alliance / Amazon 2026 ↗Threat landscape
Ransomware was present in 44% of breaches, up sharply from 32% the prior year, often entering via stolen credentials.
Verizon DBIR 2025 ↗Industry analysis attributes roughly 1.8 billion stolen credentials in early 2025 to infostealer malware, a steep surge.
Recorded Future 2025 Identity Threat Landscape ↗Roughly a third of malware-sourced credentials included active session cookies, letting attackers hijack sessions and bypass MFA.
Recorded Future 2025 Identity Threat Landscape ↗Secrets sprawl
GitGuardian detected 23.8 million new hardcoded secrets in public GitHub commits in 2024, a 25% year-over-year increase.
GitGuardian State of Secrets Sprawl 2025 ↗GitGuardian found 70% of secrets leaked in 2022 remained active, dramatically extending the exposure window for attackers.
GitGuardian State of Secrets Sprawl 2025 ↗Machine & non-human identity
CyberArk reports machine (non-human) identities now outnumber humans by more than 80 to 1, driven by cloud and AI adoption.
CyberArk 2025 Identity Security Landscape ↗AI & agentic identity
CyberArk found 68% of organizations have no identity security controls for AI, even as AI creates the most new privileged identities.
CyberArk 2025 Identity Security Landscape ↗Cost & response time
IBM's global average breach cost fell about 9% to $4.44M, driven mainly by faster identification and containment.
IBM Cost of a Data Breach 2025 ↗Organizations averaged 158 days to identify and 83 days to contain a breach, the lowest combined figure in nine years.
IBM Cost of a Data Breach 2025 ↗Standards tracker
The protocols that hold identity together, and where each one stands. Status reflects spec maturity at our last review. Named standards link to a full deep dive.
| Standard | Status | Body | What it is for |
|---|---|---|---|
| OAuth 2.0 IETF RFC 6749 (+ RFC 6750) RFC 6749 (2012); hardened by the OAuth 2.0 Security BCP (RFC 9700, 2025) | stable | IETF | Delegated authorization: granting apps scoped access to resources. |
| OAuth 2.1 draft-ietf-oauth-v2-1 draft-15 (2026); consolidates OAuth 2.0 plus security best practices | draft | IETF | Security-hardened revision of OAuth 2.0 (PKCE by default, no implicit/password grants). |
| OpenID Connect OpenID Connect Core 1.0 Final, errata set 2; published as ITU-T Rec. X.1285 (2025) | stable | OpenID Foundation | Authentication layer on top of OAuth 2.0 for federated single sign-on. |
| WebAuthn / FIDO2 W3C Web Authentication Level 3 Level 2 Recommendation (2021); Level 3 Candidate Recommendation in progress | draft | W3C | Browser/platform API for public-key, phishing-resistant authentication. |
| Passkeys ↗ FIDO multi-device credentials (WebAuthn + CTAP) Mainstream deployment 2024-2025; 15B+ accounts enabled | stable | FIDO Alliance | Synced or device-bound passwordless credentials for phishing-resistant sign-in. |
| SCIM 2.0 IETF RFC 7643 & RFC 7644 RFCs finalized 2015; widely implemented | stable | IETF | Automated provisioning and deprovisioning of users and groups across domains. |
| SAML 2.0 OASIS SAML v2.0 OASIS Standard (2005); still widely deployed | stable | OASIS | XML-based exchange of authentication and authorization assertions for web SSO. |
| SD-JWT VC draft-ietf-oauth-sd-jwt-vc draft-16 (2026) | draft | IETF | Selective-disclosure JWT format for verifiable digital credentials (eIDAS 2.0). |
| Verifiable Credentials Data Model W3C VC Data Model 2.0 W3C Recommendation, May 2025 | recommendation | W3C | Data model for cryptographically verifiable, tamper-evident digital credentials. |
| OpenID for Verifiable Credentials OID4VCI / OID4VP + HAIP 1.0 High Assurance Interoperability Profile 1.0 Final (Dec 2025) | stable | OpenID Foundation | Protocols for issuing and presenting verifiable credentials over OpenID/OAuth. |
| Decentralized Identifiers (DID) W3C DID Core 1.0 W3C Recommendation (July 2022); did:web widely deployed | recommendation | W3C | Identifiers a subject controls without a central registry, resolving to keys and endpoints. |
| Mobile Driver's License (mDL) ISO/IEC 18013-5:2021 (+ 18013-7) 18013-5 published 2021; 18013-7 online presentation published 2024 | stable | ISO/IEC | Government driver's license or ID issued to a phone wallet with selective disclosure. |
| eIDAS 2.0 / EUDI Wallet Regulation (EU) 2024/1183 + ARF In force May 2024; wallets offered to all EU citizens from 2026 | stable | European Commission | EU framework mandating a digital identity wallet built on OpenID4VC and verifiable credentials. |
Primary sources we track
The recurring industry and research reports behind the data above. We read each new edition and update the figures. Find them, with direct links, in the resource library.
Independent analysis. No vendor sponsorship. Every figure links to its primary source and carries a year; standards links go to the official specification.
How to cite: Start with Identity, “Identity research & data,” startwithidentity.com/research, accessed 2026-06-30. Please also cite the underlying primary source. Browse the full resource library.