Identity security, by the numbers
A working reference for researchers and practitioners. Every figure is attributed to a primary source and dated. Use them in decks, threat models, and budget cases.
Figures reflect the most recent reports we have reviewed. Always check the linked source for methodology and the latest revision.
Breaches & root cause

Errors, social engineering, phishing, and misuse remained the dominant factors in confirmed breaches across 139 countries.
Source: Verizon DBIR 2025 ↗

Credential abuse was the single most common initial access vector in the 2025 DBIR, ahead of phishing and vulnerability exploitation.
Source: Verizon DBIR 2025 ↗

Within basic web application breaches, the overwhelming majority were carried out with stolen credentials rather than exploits.
Source: Verizon DBIR 2025 ↗

Third-party involvement in confirmed breaches doubled year over year, from 15% to 30%, underscoring supply-chain risk.
Source: Verizon DBIR 2025 ↗

Authentication & phishing

Phishing remained a leading initial-access technique, and researchers found click rates were largely unaffected by awareness training.
Source: Verizon DBIR 2025 ↗

More than 97% of identity attacks observed by Microsoft target passwords; identity-based attacks surged 32% in the first half of 2025.
Source: Microsoft Digital Defense Report 2025 ↗

MFA effectiveness

Microsoft reports phishing-resistant MFA stops over 99% of identity attacks, even when the adversary already holds valid credentials.
Source: Microsoft Digital Defense Report 2025 ↗

Passkeys & FIDO

Over 15 billion user accounts are equipped to sign in with a passkey, roughly doubling availability year over year.
Source: FIDO Alliance 2025 ↗

FIDO consumer research shows three-quarters of consumers recognize passkeys, with roughly 69% having enabled at least one.
Source: FIDO Alliance Passkey Index 2025 ↗

FIDO's Passkey Index found passkeys deliver a roughly 30% conversion lift and a 93% sign-in success rate.
Source: FIDO Alliance Passkey Index 2025 ↗

Threat landscape

Ransomware was present in 44% of breaches, up sharply from 32% the prior year, often entering via stolen credentials.
Source: Verizon DBIR 2025 ↗

Industry analysis attributes roughly 1.8 billion stolen credentials in early 2025 to infostealer malware, a steep surge.
Source: Recorded Future 2025 Identity Threat Landscape ↗

Roughly a third of malware-sourced credentials included active session cookies, letting attackers hijack sessions and bypass MFA.
Source: Recorded Future 2025 Identity Threat Landscape ↗

Secrets sprawl

GitGuardian detected 23.8 million new hardcoded secrets in public GitHub commits in 2024, a 25% year-over-year increase.
Source: GitGuardian State of Secrets Sprawl 2025 ↗

GitGuardian found 70% of secrets leaked in 2022 remained active, dramatically extending the exposure window for attackers.
Source: GitGuardian State of Secrets Sprawl 2025 ↗

Machine & non-human identity

CyberArk reports machine (non-human) identities now outnumber humans by more than 80 to 1, driven by cloud and AI adoption.
Source: CyberArk 2025 Identity Security Landscape ↗

AI & agentic identity

CyberArk found 68% of organizations have no identity security controls for AI, even as AI creates the most new privileged identities.
Source: CyberArk 2025 Identity Security Landscape ↗

Cost & response time

IBM's global average breach cost fell about 9% to $4.44M, driven mainly by faster identification and containment.
Source: IBM Cost of a Data Breach 2025 ↗

Organizations averaged 158 days to identify and 83 days to contain a breach, the lowest combined figure in nine years.
Source: IBM Cost of a Data Breach 2025 ↗

Standards tracker
The protocols that hold identity together, and where each one stands. Status reflects spec maturity at our last review.
| Standard | Specification | Version / notes | Status | Body | What it is for |
|---|---|---|---|---|---|
| OAuth 2.0 ↗ | IETF RFC 6749 (+ RFC 6750) | RFC 6749 (2012); hardened by the OAuth 2.0 Security BCP (RFC 9700, 2025) | stable | IETF | Delegated authorization: granting apps scoped access to resources. |
| OAuth 2.1 ↗ | draft-ietf-oauth-v2-1 | draft-15 (2026); consolidates OAuth 2.0 plus security best practices | draft | IETF | Security-hardened revision of OAuth 2.0 (PKCE by default, no implicit/password grants). |
| OpenID Connect ↗ | OpenID Connect Core 1.0 | Final, errata set 2; published as ITU-T Rec. X.1285 (2025) | stable | OpenID Foundation | Authentication layer on top of OAuth 2.0 for federated single sign-on. |
| WebAuthn / FIDO2 ↗ | W3C Web Authentication Level 3 | Level 2 Recommendation (2021); Level 3 Candidate Recommendation in progress | draft | W3C | Browser/platform API for public-key, phishing-resistant authentication. |
| Passkeys ↗ | FIDO multi-device credentials (WebAuthn + CTAP) | Mainstream deployment 2024-2025; 15B+ accounts enabled | stable | FIDO Alliance | Synced or device-bound passwordless credentials for phishing-resistant sign-in. |
| SCIM 2.0 ↗ | IETF RFC 7643 & RFC 7644 | RFCs finalized 2015; widely implemented | stable | IETF | Automated provisioning and deprovisioning of users and groups across domains. |
| SAML 2.0 ↗ | OASIS SAML v2.0 | OASIS Standard (2005); still widely deployed | stable | OASIS | XML-based exchange of authentication and authorization assertions for web SSO. |
| SD-JWT VC ↗ | draft-ietf-oauth-sd-jwt-vc | draft-16 (2026) | draft | IETF | Selective-disclosure JWT format for verifiable digital credentials (eIDAS 2.0). |
| Verifiable Credentials Data Model ↗ | W3C VC Data Model 2.0 | W3C Recommendation, May 2025 | recommendation | W3C | Data model for cryptographically verifiable, tamper-evident digital credentials. |
| OpenID for Verifiable Credentials ↗ | OID4VCI / OID4VP + HAIP 1.0 | High Assurance Interoperability Profile 1.0 Final (Dec 2025) | stable | OpenID Foundation | Protocols for issuing and presenting verifiable credentials over OpenID/OAuth. |
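The OAuth 2.1 row lists PKCE (RFC 7636) as the default, S256-only protection for the authorization code grant. The following Python round trip is an added illustration written for this page, not code from the page or from the IETF, of what that buys a defender: the client keeps the random code_verifier, the authorization server stores only its SHA-256 challenge next to the issued code, and the token endpoint refuses any code that arrives without the matching verifier or is presented twice. The `ToyAuthorizationServer`, `demo` and the in-memory code store are constructed for the example; the one fixed verifier/challenge pair is the published RFC 7636 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 unreserved chars, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_well_formed(verifier: str) -> bool:
    """Length 43..128 and only unreserved characters."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


class ToyAuthorizationServer:
    """Hypothetical in-memory AS: binds the challenge to the code at /authorize
    and checks the verifier at /token. The verifier itself never reaches the
    server until redemption, so a code captured in transit is useless alone."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        # OAuth 2.1 behaviour: PKCE is required and only S256 is accepted.
        if code_challenge_method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # pop() makes the code single-use: a replay fails even with the right verifier.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge, _method = entry
        if stored_client != client_id or not verifier_well_formed(code_verifier):
            return None
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, stored_challenge):  # constant-time compare
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def demo() -> dict:
    """Run the honest exchange, then two failure cases, and report which succeeded."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("app-1", make_code_challenge(verifier), "S256")

    # Someone holding only the intercepted code must guess the verifier.
    stolen = server.token("app-1", code, make_code_verifier()) is not None
    # The legitimate client redeems with the verifier it kept.
    legitimate = server.token("app-1", code, verifier) is not None
    # The same code presented again is rejected.
    replay = server.token("app-1", code, verifier) is not None
    return {"legitimate": legitimate, "code_without_verifier": stolen, "replay": replay}


if __name__ == "__main__":
    print(demo())  # {'legitimate': True, 'code_without_verifier': False, 'replay': False}
```

Note that the interception attempt is made first and consumes nothing: a wrong verifier removes the code from the store in this toy, which is deliberate (one failed redemption burns the code, mirroring the RFC 6749 advice to revoke on misuse) and is why the honest client in `demo()` would fail if the order were reversed. A production server would also bind the code to the redirect_uri and an expiry.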
Independent analysis. No vendor sponsorship. Every link goes to the official specification.