It was in the grocery checkout line that I knew the identity industry had lost the plot.

It wasn’t a zero-day exploit or a breach disclosure. It was me, holding up a line of grumpy shoppers, trying to save 75 cents on hummus. The store’s coupon app locked me out for suspicious activity. Apparently logging in from aisle six with a new IP address was a red flag. I had to reset my password, verify my identity, confirm via email, then re-verify via text, all while holding a tub of Sabra and praying my frozen peas didn’t melt.
It was at that moment I asked myself: If this is what modern identity management feels like for coupons, how are we surviving anything bigger?
[Never Miss SC Media's A New Identity column: Subscribe to the SC Identity Newsletter Now]

Despite what every identity executive on the Gartner keynote circuit tells us about the IAM renaissance we are in the midst of, we still do not live in a federated identity world that has united our digital selves into a single sign-on utopia.
Instead, we got reset links, SMS codes, token mismatches, session expirations, and help desk purgatory.
Let me tell you something that CISOs won’t say on a keynote stage: Most people hate logging in. Hate it. It’s the daily CAPTCHA for your digital life. And yet, the IAM industry keeps acting like we’re one press release away from identity Shangri-La.

IAM was supposed to deliver a future of frictionless flows: biometric logins, unified identities, risk-aware access, and zero trust wrapped in zero stress.
Reality bytes
In 2015, password resets cost an estimated $40–$50 a pop, often eating up nearly an hour of IT and user time. Today, that same reset averages $70 to $87 — but thanks to self-service portals, tickets are down 70% to 85%, saving $136 per user annually. Yet users still waste about 11 hours a year locked out.
According to a 2024 NordPass survey, the typical user juggles 168 personal passwords and 87 business passwords, a total of 255 credentials to keep track of. But most reuse the same 30 or so passwords across those accounts. So, while you may think your credentials are safe, hackers are basically doing credential bingo: one leaked password is tried against every other account you own.
While progress has been made, the identity burden hasn’t gone away.
Good intentions gone awry
Behind the velvet ropes of the IAM elite, they’ll tell you, “Users are the weakest link.” They’re not trying to help a parent reset a Medicare password or juggle five work logins across two browsers and a VPN. They live in a FIDO-enabled paradise, where credentials are synced, devices are pristine, and no one ever loses a phone in an Uber.
Here’s where the contradictions become comedy:
Attackers from the “Scattered Spider” group impersonated employees and persuaded help desk staff to reset passwords (often alongside SIM‑swap tactics), compromising IT accounts at Marks & Spencer and the Co‑op. The help desk did exactly what it was designed to do: get a locked-out user back in.

Researchers at Obsidian Security revealed attackers leveraged Azure AD’s self‑service reset and SIM‑swap techniques to hijack accounts, showing how a well‑intentioned convenience feature can be weaponized when the recovery factor (a phone number) is itself stealable.

A former employee’s AWS credentials, still active five months after departure, were used to delete 456 VMs supporting WebEx Teams. The incident affected 16,000 users and caused $2.4M in damages. Cisco acknowledged that failure to immediately deprovision accounts was the root cause.

These examples show that identity frustration isn’t just a user annoyance. They illustrate how IAM firms also need to step up and do better on four fronts: social‑engineering weaknesses at the help desk, support‑tool vulnerabilities (IAM provider breaches), features turned into attack vectors (self-service password reset), and lifecycle mismanagement (orphaned credentials).
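The orphaned-credential case is the one a scheduled reconciliation job catches, and the check is simple enough to show. Below is an added example (my code, not the column's and not from Cisco, AWS or any vendor named here): it reads an IAM credential report in the column layout that AWS's `aws iam get-credential-report` produces, joins it against an HR departures feed, and flags every still-enabled password or access key that belongs to someone who has left, plus anything that has gone unused for 90 days. The report rows, the `DEPARTURES` feed, the `AS_OF` run date and the 90-day threshold are all constructed for the example.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample in the column layout of an AWS IAM credential report.
# Only the columns used below are included; the real report has more.
# Every value here is made up for this example.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,2021-03-02T10:00:00+00:00,true,2025-06-01T08:12:00+00:00,true,2025-06-02T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2019-07-15T10:00:00+00:00,true,2025-01-20T13:40:00+00:00,true,2025-05-30T22:10:00+00:00,false,N/A
carol,arn:aws:iam::111111111111:user/carol,2020-11-11T10:00:00+00:00,false,N/A,true,2024-09-01T00:00:00+00:00,true,N/A
dave,arn:aws:iam::111111111111:user/dave,2022-01-05T10:00:00+00:00,true,2025-05-28T07:00:00+00:00,false,N/A,false,N/A
"""

# Constructed (hypothetical) HR feed: user name -> last day of employment.
DEPARTURES = {
    "bob": date(2025, 1, 31),    # left months ago; password and key still enabled
    "carol": date(2025, 5, 15),  # left recently; two keys enabled, one never used
}

AS_OF = date(2025, 6, 30)        # constructed run date so results are deterministic
STALE_AFTER = timedelta(days=90)


def _parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A' / 'no_information' mean never used."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv, departures, today, stale_after=STALE_AFTER):
    """Return (user, credential, reason) findings from a credential report.

    Flags (1) every enabled credential owned by a user HR says has left, with
    how many days past departure it remained enabled, and (2) every enabled
    credential not used within `stale_after`, whoever owns it. A credential
    can produce both findings (an orphaned key that is also stale).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        creds = [
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        ]
        for name, enabled, last_used in creds:
            if enabled != "true":
                continue  # disabled credentials cannot be used; nothing to flag
            left = departures.get(user)
            if left is not None:
                days_orphaned = (today - left).days
                findings.append((user, name, f"orphaned: user left {days_orphaned} days ago"))
            used = _parse_ts(last_used)
            if used is None:
                findings.append((user, name, "never used"))
            elif today - used.date() > stale_after:
                findings.append((user, name, f"stale: last used {(today - used.date()).days} days ago"))
    return findings


if __name__ == "__main__":
    for user, cred, reason in audit_credentials(CREDENTIAL_REPORT, DEPARTURES, AS_OF):
        print(f"{user:<8}{cred:<14}{reason}")
```

Run against the constructed data, the job reports nothing for alice and dave, flags bob's password and access key as orphaned 150 days after his last day (the same five-month window as the Cisco case), and flags both of carol's keys, one of which has never been used at all. The "never used" and "stale" rules are there because a key nobody uses is pure attack surface with no business cost to revoking it; the join against HR is the part most shops skip, and it is the one that would have fired in the Cisco case.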
So, let’s not pretend this is just a workplace or end-user challenge.
An IAM platform by any other name…
To be fair: The IAM world isn’t failing for lack of innovation. In 2015, “passwordless” was a punchline. In 2025, it’s at least plausible. Self-service tools are finally working. Risk scoring is catching bad actors faster. And lifecycle management (upcoming SC Media webinar plug) is no longer just an identity wonk’s hobby.
But the IAM elite still design platforms for engineers, compliance officers, boardrooms and VCs. Not for the exhausted, overloaded, over-authenticated human beings on the other side of the screen.
Users forget passwords. Devices die. Cookies expire. Help desks get phished. IAM is hard not because the math is hard, but because people are messy and systems don’t adapt fast enough. When vendors design for threat models instead of use cases, they end up locking out the people they’re meant to protect.
Credential stuffing still works because password reuse is still common. Shadow IT persists because the sanctioned tools are too locked down. And self-service account recovery only works if you still have access to the email address you signed up with in 2017.
A journey of a thousand miles
IAM has come a long way. But it still has miles to go.
So here’s my ask: Stop building IAM tools that work best for people who already know what OIDC and SAML mean. Start building for gig workers with 10 email addresses trying to log in on a cracked iPad. Consider the economy-class employee trapped on a 10-hour transatlantic flight trying to authenticate on a phone with no service to access Google Workspace.
The real risk isn’t just cybercriminals, end users or even well-meaning IAM providers. It's a mix of authentication fog, the tangle of competing solutions and the identity potholes not yet fixed. The bottom line: We’re not there yet.

You want a win? Solve for enterprise users, but also for the frustrated electrician calling their bank on a weekend only to be told the third-party support rep “can’t unlock your debit card account.”
Security isn’t just about keeping bad actors out. It’s about not locking good people out while you’re at it. And when that happens, that’s when we win. Not because identity became invisible. But because it finally became intelligible and less performative.
When I can save 75 cents on hummus without feeling like I’m cracking into NORAD, that’s when I’ll know we finally figured out identity.