Start with Identity
Independent · Sourced · Free

Identity research & data

A working reference for researchers, analysts, and practitioners. Sourced statistics, country-by-country directories, and a live standards tracker. Every figure is attributed to a primary source and dated, so you can cite it in decks, threat models, and budget cases.

23 data points · last reviewed 2026-06-30. Always check the linked source for methodology and the latest revision.

Sourced data points

Identity security, by the numbers

Breaches & root cause

60%
2025
of breaches involve the human element

Errors, social engineering, phishing, and misuse remained the dominant factor in confirmed breaches across 139 countries.

Verizon DBIR 2025
22%
2025
of breaches start with stolen credentials

Credential abuse was the single most common initial access vector in the 2025 DBIR, ahead of phishing and vulnerability exploitation.

Verizon DBIR 2025
88%
2025
of web app attacks use stolen credentials

Within basic web application breaches, the overwhelming majority were carried out with stolen credentials rather than exploits.

Verizon DBIR 2025
30%
2025
of breaches involve a third party

Third-party involvement in confirmed breaches doubled year over year from 15% to 30%, underscoring supply-chain risk.

Verizon DBIR 2025

Authentication & phishing

16%
2025
of breaches begin with phishing

Phishing remained a leading initial-access technique, and researchers found click rates were largely unaffected by awareness training.

Verizon DBIR 2025
97%
2025
of identity attacks are password attacks

More than 97% of identity attacks observed by Microsoft target passwords; identity-based attacks surged 32% in the first half of 2025.

Microsoft Digital Defense Report 2025

MFA effectiveness

>99%
2025
of identity attacks blocked by phishing-resistant MFA

Microsoft reports phishing-resistant MFA stops over 99% of identity attacks, even when the adversary already holds valid credentials.

Microsoft Digital Defense Report 2025

Passkeys & FIDO

15B+
2025
online accounts can now use passkeys

Over 15 billion user accounts are equipped to sign in with a passkey, roughly doubling availability year over year.

FIDO Alliance 2025
75%
2025
of consumers are now aware of passkeys

FIDO consumer research shows three-quarters of consumers recognize passkeys, with roughly 69% having enabled at least one.

FIDO Alliance Passkey Index 2025
93%
2025
passkey sign-in success rate vs ~63% for passwords

FIDO's Passkey Index found passkeys deliver a roughly 30% conversion lift and a 93% sign-in success rate.

FIDO Alliance Passkey Index 2025
5B+
2026
passkeys are now in active use worldwide

Announced on World Passkey Day 2026, a marker that passkeys have crossed into the mainstream.

FIDO Alliance 2026
90%
2026
of people are now aware of passkeys

Up sharply from roughly 75% a year earlier, per FIDO's State of Passkeys 2026 research across ten countries.

FIDO Alliance State of Passkeys 2026
68%
2026
of organizations have deployed or are deploying passkeys for employees

Workforce passwordless is moving from pilot to rollout, though account recovery and legacy systems remain the hard part.

FIDO Alliance State of Passkeys 2026
465M
2026
Amazon customers now use passkeys

A single-retailer datapoint on consumer-scale adoption, with passkey sign-in reported about six times faster than passwords.

FIDO Alliance / Amazon 2026

Threat landscape

44%
2025
of breaches involve ransomware

Ransomware was present in 44% of breaches, up sharply from 32% the prior year, often entering via stolen credentials.

Verizon DBIR 2025
1.8B
2025
credentials stolen by infostealers in H1 2025

Industry analysis attributes roughly 1.8 billion stolen credentials in early 2025 to infostealer malware, a steep surge.

Recorded Future 2025 Identity Threat Landscape
~31%
2025
of stolen credentials carry live session cookies

Roughly a third of malware-sourced credentials included active session cookies, letting attackers hijack sessions and bypass MFA.

Recorded Future 2025 Identity Threat Landscape

Secrets sprawl

23.8M
2025
secrets leaked on public GitHub in 2024

GitGuardian detected 23.8 million new hardcoded secrets in public GitHub commits in 2024, a 25% year-over-year increase.

GitGuardian State of Secrets Sprawl 2025
70%
2025
of leaked secrets are still valid two years later

GitGuardian found 70% of secrets leaked in 2022 remained active, dramatically extending the exposure window for attackers.

GitGuardian State of Secrets Sprawl 2025

Machine & non-human identity

80 to 1
2025
machine identities outnumber humans

CyberArk reports machine (non-human) identities now outnumber humans by more than 80 to 1, driven by cloud and AI adoption.

CyberArk 2025 Identity Security Landscape

AI & agentic identity

68%
2025
of organizations lack identity security controls for AI

CyberArk found 68% of organizations have no identity security controls for AI, even as AI creates the most new privileged identities.

CyberArk 2025 Identity Security Landscape

Cost & response time

$4.44M
2025
global average cost of a data breach

IBM's global average breach cost fell about 9% to $4.44M, driven mainly by faster identification and containment.

IBM Cost of a Data Breach 2025
241 days
2025
mean time to identify and contain a breach

Organizations averaged 158 days to identify and 83 days to contain a breach, the lowest combined figure in nine years.

IBM Cost of a Data Breach 2025
Identity protocols at a glance

Standards tracker

The protocols that hold identity together, and where each one stands. Status reflects spec maturity at our last review. Named standards link to a full deep dive.

StandardStatusBodyWhat it is for
OAuth 2.0
IETF RFC 6749 (+ RFC 6750)
RFC 6749 (2012); hardened by the OAuth 2.0 Security BCP (RFC 9700, 2025)
stableIETFDelegated authorization: granting apps scoped access to resources.
OAuth 2.1
draft-ietf-oauth-v2-1
draft-15 (2026); consolidates OAuth 2.0 plus security best practices
draftIETFSecurity-hardened revision of OAuth 2.0 (PKCE by default, no implicit/password grants).
OpenID Connect
OpenID Connect Core 1.0
Final, errata set 2; published as ITU-T Rec. X.1285 (2025)
stableOpenID FoundationAuthentication layer on top of OAuth 2.0 for federated single sign-on.
WebAuthn / FIDO2
W3C Web Authentication Level 3
Level 2 Recommendation (2021); Level 3 Candidate Recommendation in progress
draftW3CBrowser/platform API for public-key, phishing-resistant authentication.
Passkeys
FIDO multi-device credentials (WebAuthn + CTAP)
Mainstream deployment 2024-2025; 15B+ accounts enabled
stableFIDO AllianceSynced or device-bound passwordless credentials for phishing-resistant sign-in.
SCIM 2.0
IETF RFC 7643 & RFC 7644
RFCs finalized 2015; widely implemented
stableIETFAutomated provisioning and deprovisioning of users and groups across domains.
SAML 2.0
OASIS SAML v2.0
OASIS Standard (2005); still widely deployed
stableOASISXML-based exchange of authentication and authorization assertions for web SSO.
SD-JWT VC
draft-ietf-oauth-sd-jwt-vc
draft-16 (2026)
draftIETFSelective-disclosure JWT format for verifiable digital credentials (eIDAS 2.0).
Verifiable Credentials Data Model
W3C VC Data Model 2.0
W3C Recommendation, May 2025
recommendationW3CData model for cryptographically verifiable, tamper-evident digital credentials.
OpenID for Verifiable Credentials
OID4VCI / OID4VP + HAIP 1.0
High Assurance Interoperability Profile 1.0 Final (Dec 2025)
stableOpenID FoundationProtocols for issuing and presenting verifiable credentials over OpenID/OAuth.
Decentralized Identifiers (DID)
W3C DID Core 1.0
W3C Recommendation (July 2022); did:web widely deployed
recommendationW3CIdentifiers a subject controls without a central registry, resolving to keys and endpoints.
Mobile Driver's License (mDL)
ISO/IEC 18013-5:2021 (+ 18013-7)
18013-5 published 2021; 18013-7 online presentation published 2024
stableISO/IECGovernment driver's license or ID issued to a phone wallet with selective disclosure.
eIDAS 2.0 / EUDI Wallet
Regulation (EU) 2024/1183 + ARF
In force May 2024; wallets offered to all EU citizens from 2026
stableEuropean CommissionEU framework mandating a digital identity wallet built on OpenID4VC and verifiable credentials.
Where the numbers come from

Primary sources we track

The recurring industry and research reports behind the data above. We read each new edition and update the figures. Find them, with direct links, in the resource library.

Verizon Data Breach Investigations Report (DBIR)Microsoft Digital Defense ReportIBM Cost of a Data BreachFIDO Alliance State of PasskeysGitGuardian State of Secrets SprawlCyberArk Identity Security LandscapeRecorded Future Identity Threat LandscapeMandiant M-Trends

Independent analysis. No vendor sponsorship. Every figure links to its primary source and carries a year; standards links go to the official specification.

How to cite: Start with Identity, “Identity research & data,” startwithidentity.com/research, accessed 2026-06-30. Please also cite the underlying primary source. Browse the full resource library.