Post-Quantum Cryptography and Its Impact on IAM: What Identity Teams Need to Know
Quantum computing threatens the cryptographic foundations of IAM. This analysis covers the migration timeline, algorithm readiness, PKI implications, and practical steps IAM teams should take now.
The cryptographic algorithms that underpin modern identity and access management are living on borrowed time. RSA, elliptic curve cryptography (ECC), and Diffie-Hellman key exchange—the mathematical foundations of digital certificates, authentication protocols, and secure communications—are all vulnerable to attacks by sufficiently powerful quantum computers. While the timeline for cryptographically relevant quantum computers (CRQCs) remains debated, the consensus among cryptographers is clear: the question is when, not if.
For IAM teams, the implications are profound. Every digital certificate, every TLS handshake, every SAML assertion, every JWT token, and every key exchange in your identity infrastructure relies on algorithms that quantum computers will eventually break. The transition to post-quantum cryptography (PQC) represents the largest cryptographic migration in the history of computing—and IAM sits at the center of the blast radius.
NIST finalized its first set of post-quantum cryptographic standards in August 2024, marking the beginning of a migration that will take a decade or more to complete. IAM teams that begin planning now will have the advantage of time. Those that wait risk finding themselves in a scramble that makes Y2K look simple. This analysis examines the quantum threat to identity infrastructure, the current state of post-quantum algorithm readiness, and the concrete steps IAM teams should be taking today.
Key Findings
The Quantum Threat to IAM Infrastructure
Quantum computers leverage quantum mechanical phenomena—superposition and entanglement—to perform certain calculations exponentially faster than classical computers. For cryptography, the critical algorithm is Shor's algorithm, which can efficiently factor large integers and compute discrete logarithms—the mathematical problems on which RSA and ECC security depends.
What breaks and what doesn't. It's essential to understand the specific threat:
- RSA (all key sizes). Broken by Shor's algorithm. RSA-2048, RSA-3072, and RSA-4096 all fall to a sufficiently powerful quantum computer. Simply increasing key size does not help against quantum attacks.
- Elliptic Curve Cryptography. Broken by Shor's algorithm. ECDSA and Ed25519 signatures and ECDH key agreement, used throughout IAM, are all vulnerable.
- Diffie-Hellman key exchange. Broken by Shor's algorithm. Both classical DH and ECDH are vulnerable.
- AES symmetric encryption. Weakened but not broken. Grover's algorithm provides a quadratic speedup for brute-force search, effectively halving key strength. AES-256 provides roughly 128 bits of security against quantum attack—still considered safe.
- SHA hash functions. Slightly weakened by Grover's algorithm but generally considered quantum-resistant at current output lengths. SHA-256 provides roughly 128 bits of security against quantum search.
IAM components at risk. The following IAM infrastructure elements rely on quantum-vulnerable cryptography:
- X.509 certificates. The entire PKI trust chain—root CA certificates, intermediate certificates, and end-entity certificates—uses RSA or ECC signatures.
- TLS/HTTPS. All web-based authentication (SSO portals, OIDC endpoints, SAML IdPs) relies on TLS, which uses RSA or ECC for key exchange and authentication.
- SAML assertions. XML signatures in SAML assertions typically use RSA-SHA256, making assertion integrity quantum-vulnerable.
- JWT/JWS tokens. JSON Web Tokens signed with RS256 (RSA) or ES256 (ECC) can be forged by quantum attackers.
- OAuth token endpoints. Token exchange and client authentication mechanisms rely on quantum-vulnerable algorithms.
- FIDO2/WebAuthn. Passkey implementations typically use ECC (P-256 curve), making current passkey cryptography quantum-vulnerable.
- Code signing. Software supply chain identity (code signing certificates) uses RSA or ECC.
- SSH keys. Machine-to-machine authentication via SSH uses RSA or ECC keys.
The "Harvest Now, Decrypt Later" Threat
The most immediate threat is not a future quantum computer breaking real-time authentication, but the "harvest now, decrypt later" (HNDL) attack. Adversaries—particularly nation-state actors—are already collecting encrypted data and communications with the intention of decrypting them once quantum computers become available.
For IAM, this means:
- Authentication traffic captured today could be analyzed later to extract long-lived credentials, session tokens, or protocol secrets.
- Signed assertions and tokens captured today could be studied to understand signing key patterns and organizational identity topology.
- Certificate private keys protected by current encryption could be compromised once quantum decryption is available.
Data with long confidentiality requirements (government, healthcare, financial, intellectual property) is most at risk. Organizations handling classified or highly sensitive data should treat HNDL as a current, not future, threat.
NIST Post-Quantum Standards: Where We Stand
NIST's Post-Quantum Cryptography Standardization Project, initiated in 2016, reached a major milestone in August 2024 with the publication of three final standards:
FIPS 203: ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism). Based on the CRYSTALS-Kyber algorithm. Designed for key encapsulation—the process of securely exchanging cryptographic keys. ML-KEM will replace RSA and ECDH key exchange in protocols like TLS. Three parameter sets offer security levels roughly equivalent to AES-128, AES-192, and AES-256.
FIPS 204: ML-DSA (Module-Lattice-Based Digital Signature Algorithm). Based on the CRYSTALS-Dilithium algorithm. Designed for digital signatures. ML-DSA will replace RSA and ECDSA signatures in certificates, tokens, and assertions. Three parameter sets at different security levels.
FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm). Based on the SPHINCS+ algorithm. A hash-based signature scheme serving as a conservative backup to lattice-based schemes. Larger signatures but based on minimal cryptographic assumptions (hash function security only).
A fourth standard, FIPS 206: FN-DSA (based on FALCON), was finalized in early 2026. FN-DSA offers more compact signatures than ML-DSA, making it attractive for bandwidth-constrained applications.
Algorithm maturity assessment. The lattice-based algorithms (ML-KEM, ML-DSA) are considered the primary migration targets for most IAM infrastructure due to their relatively good performance characteristics and key/signature sizes. However, the cryptographic community continues to analyze these algorithms, and confidence will grow over time as they withstand scrutiny.
Migration Timeline: The Decade Ahead
The post-quantum migration will not happen overnight. Realistic timeline expectations:
2024-2026: Standards and early adoption. NIST standards finalized. Early adopters begin testing PQC algorithms. Cryptographic library support matures. Hybrid approaches (combining classical and post-quantum algorithms) emerge as the recommended transition strategy.
2026-2028: Protocol and product integration. Major identity platforms (Entra ID, Okta, Ping, ForgeRock) begin offering PQC options. TLS 1.3 with PQC key exchange becomes available. Certificate authorities begin issuing PQC certificates. Browser and OS support expands.
2028-2030: Enterprise migration begins. Organizations with regulatory pressure or high-sensitivity data begin active migration of production identity infrastructure. Hybrid mode (classical + PQC) becomes the norm.
2030-2033: Broad adoption. Majority of enterprise identity infrastructure transitions to PQC or hybrid cryptography. Legacy system migration becomes the primary challenge. Compliance frameworks mandate PQC adoption.
2033-2035+: Deprecation of classical algorithms. RSA and ECC begin formal deprecation in standards and regulations. Full PQC-only operation becomes the target state.
Market Data
Industry Readiness Assessment
Current data paints a concerning picture of organizational preparedness:
- 18% of organizations have conducted a cryptographic inventory of their identity infrastructure (Ponemon Institute, 2025).
- 12% have begun testing post-quantum algorithms in non-production identity environments.
- 7% have a formal PQC migration plan that includes IAM systems.
- 62% of IAM professionals surveyed say they are "somewhat" or "not at all" familiar with post-quantum cryptography implications for identity systems.
- $2.3 billion estimated global spending on PQC migration in 2025, projected to reach $12.7 billion by 2030.
- 85% of large enterprises expect to need 5-10 years for full PQC migration of identity infrastructure.
Key Size and Performance Implications
PQC algorithms involve significantly different key and signature sizes compared to classical algorithms, with direct implications for IAM:
| Algorithm | Public Key Size | Signature/Ciphertext Size | Speed vs. RSA-2048 |
|-----------|-----------------|---------------------------|--------------------|
| ML-KEM-768 | 1,184 bytes | 1,088 bytes | ~10x faster key exchange |
| ML-DSA-65 | 1,952 bytes | 3,293 bytes | ~2x faster signing |
| SLH-DSA-128s | 32 bytes | 7,856 bytes | ~100x slower signing |
| FN-DSA-512 | 897 bytes | 666 bytes | ~5x faster signing |
| RSA-2048 (reference) | 256 bytes | 256 bytes | baseline |
| ECDSA P-256 (reference) | 64 bytes | 64 bytes | ~10x faster than RSA |
The larger key and signature sizes of PQC algorithms have practical implications for JWT tokens (which embed in HTTP headers), SAML assertions (already verbose XML), certificate chains (cumulative size increase), and bandwidth-constrained environments.
Expert Perspectives
On urgency. "The 'harvest now, decrypt later' threat makes this an immediate concern, not a future one. Any identity data flowing over the wire today that will still be sensitive in 10-15 years needs post-quantum protection now. That includes authentication traffic in government, healthcare, financial services, and critical infrastructure." — Cryptography professor, major research university.
On the IAM-specific challenge. "The identity ecosystem is one of the most cryptography-dependent parts of enterprise IT. Certificates, tokens, assertions, key exchanges—it's cryptography all the way down. The PQC migration for IAM is not a simple algorithm swap. It touches every protocol, every trust relationship, and every integration point." — Principal architect, enterprise IAM platform vendor.
On hybrid approaches. "Nobody should be doing a hard cutover from classical to post-quantum cryptography. The hybrid approach—combining a classical algorithm with a PQC algorithm so you need to break both to compromise the system—is the only responsible migration strategy. It protects you against quantum attacks while maintaining security if a flaw is found in the new PQC algorithms." — Standards body contributor and applied cryptographer.
On organizational readiness. "Most IAM teams I work with have heard of post-quantum cryptography but haven't internalized what it means for their specific systems. The first step is always a cryptographic inventory—understanding where cryptography lives in your identity infrastructure. Most organizations are shocked at how extensive the footprint is." — Senior consultant, identity and cryptography practice at major advisory firm.
Impact Analysis
Protocol-by-Protocol Implications
TLS and HTTPS. The transition is already underway. Chrome and other browsers have implemented hybrid key exchange (X25519 + ML-KEM-768) in TLS 1.3. This protects the key exchange against quantum attacks while the handshake authentication (via server certificates) remains classically protected. Full PQC protection requires PQC certificates, which are in earlier stages of deployment.
SAML. SAML assertions signed with RSA-SHA256 will need to transition to ML-DSA or FN-DSA signatures. The larger signature sizes will increase assertion size, potentially impacting browser redirect flows that pass assertions via URL parameters. SAML's reliance on XML signature standards means the migration depends on updates to XML-DSig specifications.
OAuth 2.0 and OpenID Connect. JWT tokens signed with RS256 or ES256 will transition to ML-DSA-based signatures. The larger signature sizes will increase token size, which may impact HTTP header size limits for bearer tokens. Client authentication mechanisms (client certificates, private_key_jwt) also need migration.
FIDO2/WebAuthn. Current passkey implementations use ECC (typically P-256). The FIDO Alliance is actively working on PQC extensions for FIDO2, but migration will require updates to authenticators (hardware tokens, platform authenticators), relying party implementations, and attestation infrastructure.
X.509 PKI. Certificate chain migration is complex because it requires coordinating across certificate authorities, server operators, and client software. PQC certificates with larger key and signature sizes will increase chain sizes, impacting performance and storage. Hybrid certificates (containing both classical and PQC signatures) are being developed as a transition mechanism.
Interoperability Challenges
The migration will create a period of mixed cryptographic environments where some systems support PQC and others do not. For federated identity systems—which depend on interoperability across organizational boundaries—this creates significant challenges:
- Federation trust. Partners in a federation must agree on cryptographic algorithms. The transition period will require supporting both classical and PQC algorithms simultaneously.
- Token validation. Relying parties must be able to validate both classical and PQC-signed tokens during migration.
- Certificate validation. Certificate chains may contain a mix of classical and PQC-signed certificates, requiring updated validation logic.
What Organizations Should Do
Immediate Actions (Now)
- Conduct a cryptographic inventory. Map every use of cryptography in your identity infrastructure: certificates, key exchanges, token signatures, stored credentials, protocol-level crypto. You cannot migrate what you haven't inventoried.
- Assess data sensitivity timelines. Identify identity data and authentication traffic with long confidentiality requirements. Prioritize these for early PQC migration.
- Educate IAM teams. Ensure your identity architects and engineers understand PQC basics, the NIST standards, and the implications for identity protocols.
- Monitor vendor roadmaps. Engage your IAM platform vendors (IdP, IGA, PAM, CA) to understand their PQC roadmaps and timelines.
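As an added example (not from the article or any vendor), here is a standard-library Python inventory pass over constructed JWKS, JWT and SSH samples. It classifies each key by its quantum exposure as described in the "What breaks and what doesn't" list, and projects the signature growth using the sizes from the Key Size and Performance table. The "AKP" key type and the "ML-DSA-65" JOSE alg label follow draft JOSE work and are assumptions; every key value below is constructed.

```python
import base64
import json

# Signature sizes in bytes taken from the table in the Key Size section.
PQ_SIG_BYTES = {"ML-DSA-65": 3293, "FN-DSA-512": 666}
EC_SIG_BYTES = {"ES256": 64, "ES384": 96, "ES512": 132, "EDDSA": 64,
                "SSH-ED25519": 64, "ECDSA-SHA2-NISTP256": 64}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def classify(alg, sym_key_bits=0, rsa_bits=0):
    """Map a JOSE alg (RS256, ES256, HS256, ML-DSA-65, ...) or an SSH key type
    to its quantum exposure, plus the signature growth a migration implies."""
    a = alg.upper()
    if a.startswith(("ML-DSA", "SLH-DSA", "FN-DSA", "ML-KEM")):
        return {"alg": alg, "status": "post-quantum", "action": "none"}
    if a.startswith(("RS", "PS")) or a == "SSH-RSA":
        # RSA signatures are modulus-sized; Shor breaks every key size.
        return {"alg": alg, "status": "quantum-vulnerable (Shor)",
                "sig_bytes": rsa_bits // 8 if rsa_bits else None,
                "projected_sig_bytes": dict(PQ_SIG_BYTES), "action": "migrate"}
    if a.startswith(("ES", "ECDSA", "EDDSA", "SSH-ED25519")):
        return {"alg": alg, "status": "quantum-vulnerable (Shor)",
                "sig_bytes": EC_SIG_BYTES.get(a),
                "projected_sig_bytes": dict(PQ_SIG_BYTES), "action": "migrate"}
    if a.startswith("HS"):
        effective = sym_key_bits // 2   # Grover's quadratic speedup halves strength
        return {"alg": alg, "status": "symmetric, Grover-weakened",
                "effective_bits": effective,
                "action": "ok" if effective >= 128 else "lengthen key"}
    return {"alg": alg, "status": "unknown", "action": "review"}

def inventory(jwks, jwts, ssh_keys):
    """Walk a JWKS document, raw JWT strings and authorized_keys-style lines."""
    findings = []
    for k in jwks.get("keys", []):
        alg = k.get("alg") or {"RSA": "RS256", "EC": "ES256", "oct": "HS256"}.get(k.get("kty"), "?")
        rsa_bits = len(b64u_dec(k["n"])) * 8 if k.get("kty") == "RSA" else 0
        sym_bits = len(b64u_dec(k["k"])) * 8 if k.get("kty") == "oct" else 0
        findings.append({"source": "jwks", "id": k.get("kid"), **classify(alg, sym_bits, rsa_bits)})
    for token in jwts:
        header = json.loads(b64u_dec(token.split(".")[0]))   # only the header is needed
        findings.append({"source": "jwt", "id": header.get("kid"), **classify(header.get("alg", "none"))})
    for line in ssh_keys:
        fields = line.split()
        findings.append({"source": "ssh", "id": fields[-1], **classify(fields[0])})
    return findings

def summary(findings):
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts

# Constructed samples: the RSA modulus is a dummy 256-byte value (2048 bits),
# the HMAC key is 16 bytes (128 bits), the SSH blobs are placeholders.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "idp-rsa", "alg": "RS256", "e": "AQAB", "n": b64u(b"\xc3" + b"\x00" * 255)},
    {"kty": "EC", "kid": "idp-ec", "alg": "ES256", "crv": "P-256"},
    {"kty": "oct", "kid": "legacy-hmac", "alg": "HS256", "k": b64u(b"\x01" * 16)},
    {"kty": "AKP", "kid": "pilot-pq", "alg": "ML-DSA-65"},   # kty per draft JOSE PQ work (assumption)
]}
SAMPLE_JWTS = [b64u(json.dumps({"alg": "ES256", "kid": "idp-ec"}).encode()) + ".e30.c2ln"]
SAMPLE_SSH = ["ssh-rsa AAAAEXAMPLE build@ci", "ssh-ed25519 AAAAEXAMPLE deploy@prod"]
```

Running `inventory(SAMPLE_JWKS, SAMPLE_JWTS, SAMPLE_SSH)` yields seven findings: five Shor-vulnerable keys, one 128-bit HMAC key flagged for lengthening, and one post-quantum pilot key.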
Near-Term Actions (6-18 Months)
- Implement cryptographic agility. Design systems to support algorithm changes without major rearchitecture. Abstract cryptographic operations behind configurable interfaces. This is valuable regardless of PQC timeline.
- Test PQC in non-production environments. Set up lab environments to test PQC algorithms with your identity infrastructure. Measure performance impacts, identify compatibility issues, and build operational familiarity.
- Enable hybrid TLS. Where supported, enable hybrid (classical + PQC) TLS key exchange for identity endpoints. This addresses the HNDL threat for network traffic.
- Engage in standards activities. Participate in industry working groups (IETF, FIDO Alliance, OASIS) developing PQC profiles for identity protocols.
Medium-Term Actions (18-36 Months)
- Develop a PQC migration roadmap. Create a phased plan for migrating identity infrastructure to PQC, prioritized by risk and feasibility.
- Migrate internal PKI. Begin transitioning internal certificate authorities to issue hybrid or PQC certificates for internal identity infrastructure.
- Update token signing. Transition JWT and SAML signing to hybrid (classical + PQC) modes as platform support becomes available.
- Plan for FIDO2 migration. Assess your passkey deployment for PQC readiness and plan for credential migration when PQC FIDO2 standards are available.
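The "cryptographic agility" and "hybrid token signing" items above, as an added example that is not the article's or any platform's code: an algorithm registry plus a verifier whose policy, not the token header, decides which signature legs must be present. The header.payload.signatures layout is a hypothetical convention invented here, and both legs are HMAC-SHA256 stand-ins under separate constructed keys so the block runs on the standard library; in a deployment the classical slot would wrap an ES256/RS256 verifier and the PQ slot an ML-DSA verifier.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys. Each leg is an HMAC-SHA256 stand-in for a real
# signature algorithm; only the verification policy below is the point.
KEYS = {"ES256-standin": b"classical-demo-key", "ML-DSA-65-standin": b"pq-demo-key"}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac_sign(alg, signing_input):
    return hmac.new(KEYS[alg], signing_input, hashlib.sha256).digest()

def _mac_verify(alg, signing_input, sig):
    return hmac.compare_digest(_mac_sign(alg, signing_input), sig)

# Registry: adding or swapping an algorithm changes this table, not the callers.
REGISTRY = {alg: (_mac_sign, _mac_verify) for alg in KEYS}

# Migration policy: during hybrid mode both legs are required.
HYBRID_POLICY = ("ES256-standin", "ML-DSA-65-standin")

def sign_hybrid(payload, algs):
    """Emit header.payload.signatures, with one signature per requested leg."""
    header = {"typ": "JWT", "alg": "hybrid", "algs": list(algs)}
    signing_input = (b64u(json.dumps(header).encode()) + "." +
                     b64u(json.dumps(payload).encode())).encode()
    sigs = {alg: b64u(REGISTRY[alg][0](alg, signing_input)) for alg in algs}
    return signing_input.decode() + "." + b64u(json.dumps(sigs).encode())

def verify_hybrid(token, required_algs):
    """Accept only if every leg the policy requires is present and valid.
    The header's own alg list is deliberately ignored: trusting it would let
    a token with the PQ leg stripped downgrade the check to classical only."""
    try:
        h, p, s = token.split(".")
        sigs = json.loads(b64u_dec(s))
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        return False
    signing_input = (h + "." + p).encode()
    for alg in required_algs:
        if alg not in REGISTRY or alg not in sigs:
            return False
        if not REGISTRY[alg][1](alg, signing_input, b64u_dec(sigs[alg])):
            return False
    return True

def demo():
    """Exercise the policy: hybrid token, PQ-stripped token, tampered token."""
    full = sign_hybrid({"sub": "alice"}, HYBRID_POLICY)
    classical_only = sign_hybrid({"sub": "alice"}, HYBRID_POLICY[:1])
    h, p, s = full.split(".")
    tampered = h + "." + p + "x." + s
    return {
        "hybrid_ok": verify_hybrid(full, HYBRID_POLICY),
        "stripped_rejected": not verify_hybrid(classical_only, HYBRID_POLICY),
        "legacy_policy_ok": verify_hybrid(classical_only, HYBRID_POLICY[:1]),
        "tampered_rejected": not verify_hybrid(tampered, HYBRID_POLICY),
        "garbage_rejected": not verify_hybrid("garbage", HYBRID_POLICY),
    }
```

The `legacy_policy_ok` case shows the migration window: relying parties that still accept classical-only tokens do so by explicit policy, and tightening to hybrid is a one-line change.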
Looking Ahead
The post-quantum cryptographic migration is a generational challenge for identity and access management. Several developments will shape the journey:
Algorithm confidence will grow. As ML-KEM and ML-DSA undergo years of additional analysis, confidence in their security will increase. However, the cryptographic community will remain vigilant for potential weaknesses, which is why hybrid approaches and algorithm agility are essential.
Quantum computing timelines remain uncertain. Estimates for cryptographically relevant quantum computers range from 10 to 30+ years. This uncertainty argues for preparation rather than urgency in production migration, while still calling for immediate action on inventory, education, and cryptographic agility.
Regulatory pressure will accelerate. Governments are already mandating PQC migration for their own systems. The U.S. National Security Memorandum NSM-10 set deadlines for federal agency PQC migration, and similar mandates are emerging globally. Regulated industries can expect compliance requirements within 3-5 years.
Identity-specific PQC standards will mature. IETF, FIDO Alliance, W3C, and OASIS are all working on PQC profiles for identity protocols. These standards will provide the specific guidance IAM teams need for protocol-level migration.
New attack vectors may emerge. The transition period itself creates risks. Implementation errors, protocol downgrade attacks, and supply chain vulnerabilities in PQC libraries are all potential attack vectors during migration.
Conclusion
Post-quantum cryptography represents a fundamental challenge to the cryptographic foundations of identity and access management. Every certificate, every token, every key exchange, and every signature in modern IAM infrastructure depends on algorithms that quantum computers will eventually break.
The good news is that NIST has delivered standards, the migration path is becoming clearer, and organizations have time to prepare. The critical message for IAM teams is: start now. Conduct your cryptographic inventory, build cryptographic agility into your systems, educate your teams, and engage your vendors. The organizations that treat PQC migration as a strategic initiative starting today will navigate the transition far more successfully than those that wait for a crisis to force action.
The quantum threat to identity is real, but it is manageable—if you start preparing now.
Frequently Asked Questions
When will quantum computers be able to break current IAM cryptography?
Estimates vary widely, from 10 to 30+ years for a cryptographically relevant quantum computer (CRQC) capable of breaking RSA-2048 or ECC P-256. However, the "harvest now, decrypt later" threat means that data captured today could be decrypted in the future. Organizations with long-lived sensitive data should begin protecting network traffic now, even though real-time cryptographic attacks are years away.
What are the NIST post-quantum standards?
NIST has published four post-quantum cryptographic standards: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, SLH-DSA (FIPS 205) as a hash-based signature backup, and FN-DSA (FIPS 206) for compact digital signatures. These algorithms are designed to resist attacks from both classical and quantum computers.
Will passkeys need to be replaced?
Current FIDO2/WebAuthn implementations use ECC cryptography that is quantum-vulnerable. The FIDO Alliance is working on post-quantum extensions. When PQC FIDO2 standards are available, passkey implementations will need updates, and users may need to re-register credentials. However, passkeys remain the right authentication choice today—the quantum threat to real-time authentication is years away.
What is hybrid cryptography and why is it recommended?
Hybrid cryptography combines a classical algorithm (like RSA or ECC) with a post-quantum algorithm (like ML-KEM or ML-DSA) so that both must be broken to compromise the system. This approach is recommended during the transition because it protects against quantum attacks while maintaining security if an unforeseen weakness is discovered in the relatively new PQC algorithms.
How will PQC affect JWT token size?
ML-DSA signatures are significantly larger than RSA or ECDSA signatures. An ML-DSA-65 signature is approximately 3,293 bytes compared to 256 bytes for RSA-2048 or 64 bytes for ECDSA P-256. This will increase JWT token sizes, potentially impacting HTTP header limits. Organizations may need to adjust infrastructure (header size limits, caching, storage) and consider more compact alternatives like FN-DSA.
Should we stop deploying RSA and ECC now?
No. Current classical algorithms remain secure against classical computers and will continue to be for the foreseeable future. The recommended approach is to begin planning for migration, implement cryptographic agility, and adopt hybrid (classical + PQC) approaches where available. A premature switch to PQC-only would sacrifice the proven security of classical algorithms without clear near-term benefit.
What should IAM teams prioritize first?
Start with a cryptographic inventory of your identity infrastructure—understand where cryptography is used, which algorithms are in use, and which components are most critical or most exposed. Then focus on education, cryptographic agility (designing systems to support algorithm changes), and enabling hybrid TLS for identity endpoints. Production migration of certificates and tokens should follow as platform support matures and standards solidify.