Original research · 2026
IAM Vendor Security Posture 2026
Original research: security posture assessment of 500 IAM vendor login pages across TLS, HSTS, security headers, CSP, MFA defaults, password reset flow security, and breach disclosure presence.

- Vendors crawled: 500
- Dimensions assessed: 7
- Sample mean score: 89/100
Methodology
We crawled the public-facing login page of each vendor between 2026-04-15 and 2026-05-20 and scored each page against the 7-dimension rubric below (the dimension weights sum to 100 points). No authenticated probing was performed; only signals observable from the public network were used. The full crawler code is published at github.com/askmeidentity/iam-vendor-security-crawler.
Scoring rubric
TLS
15 pts
TLS configuration: protocol versions supported, cipher strength, certificate chain validity, OCSP stapling.
- TLS 1.3 default
- No TLS 1.0/1.1 fallback
- Cipher suite strength
- Valid certificate chain
- OCSP stapling
HSTS
10 pts
HTTP Strict Transport Security: max-age value, includeSubDomains, preload list inclusion.
- HSTS header present
- max-age ≥ 31536000 (1 year)
- includeSubDomains
- preload list inclusion
Security headers
15 pts
Standard security response headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- X-Frame-Options DENY/SAMEORIGIN
- X-Content-Type-Options nosniff
- Referrer-Policy set
- Permissions-Policy set
Content Security Policy
20 pts
CSP presence and strictness: no unsafe-inline / unsafe-eval, nonce-based script-src, frame-ancestors restriction.
- CSP present
- No unsafe-inline
- No unsafe-eval
- Nonce-based script-src or strict-dynamic
- frame-ancestors set
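The HSTS, security-header and CSP dimensions above can all be scored from a single captured response without touching the vendor again. The following is an added example written for this page, not the askmeidentity crawler: the dimension totals (10, 15, 20) follow the rubric, but how those points are split between the individual checks inside a dimension, the `tally`/`score_page` helper names, and the two sample header sets at the bottom are assumptions (the samples are constructed, not captured from any vendor). Two practitioner details are built in: `script-src` inherits `default-src` when absent, and only the enforcing `Content-Security-Policy` header counts, since `Content-Security-Policy-Report-Only` blocks nothing.

```python
"""Passive scoring of the HSTS, security-header and CSP dimensions.

Added example, not the askmeidentity crawler. Dimension totals follow the
rubric; the per-check split inside a dimension and the sample headers below
are assumptions / constructed data.
"""
from __future__ import annotations

import re

ONE_YEAR = 31536000
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+'$")


def tally(base: int, checks: list[tuple[bool, int, str]]) -> tuple[int, list[str]]:
    """Add the points of passed checks to base; collect one finding per failure."""
    pts, findings = base, []
    for passed, points, finding in checks:
        if passed:
            pts += points
        else:
            findings.append(finding)
    return pts, findings


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source tokens]}. Directive names are
    case-insensitive and browsers honour only the first occurrence of each."""
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def score_hsts(h: dict[str, str]) -> tuple[int, list[str]]:
    """10 pts: present 4, max-age >= 1 year 2, includeSubDomains 2, preload 2.
    Real preload-list inclusion needs the Chromium list; offline, the 'preload'
    token in the header stands in for it (assumption)."""
    value = h.get("strict-transport-security")
    if value is None:
        return 0, ["no Strict-Transport-Security header"]
    parts: dict[str, str] = {}
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name:
            parts[name] = arg
    max_age = int(parts["max-age"]) if parts.get("max-age", "").isdigit() else 0
    return tally(4, [
        (max_age >= ONE_YEAR, 2, f"HSTS max-age {max_age} is below one year"),
        ("includesubdomains" in parts, 2, "HSTS lacks includeSubDomains"),
        ("preload" in parts, 2, "HSTS lacks preload"),
    ])


def score_headers(h: dict[str, str]) -> tuple[int, list[str]]:
    """15 pts: X-Frame-Options 4, nosniff 4, Referrer-Policy 4, Permissions-Policy 3."""
    return tally(0, [
        (h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"), 4,
         "X-Frame-Options missing or not DENY/SAMEORIGIN"),
        (h.get("x-content-type-options", "").strip().lower() == "nosniff", 4,
         "X-Content-Type-Options is not nosniff"),
        (bool(h.get("referrer-policy", "").strip()), 4, "no Referrer-Policy"),
        (bool(h.get("permissions-policy", "").strip()), 3, "no Permissions-Policy"),
    ])


def score_csp(h: dict[str, str]) -> tuple[int, list[str]]:
    """20 pts: present 4, no unsafe-inline 4, no unsafe-eval 4, nonce/hash or
    strict-dynamic 4, frame-ancestors 4. Only the enforcing header counts."""
    value = h.get("content-security-policy")
    if value is None:
        return 0, ["no enforcing Content-Security-Policy header"]
    policy = parse_csp(value)
    # script-src falls back to default-src when it is not set
    scripts = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    strict = any(NONCE_OR_HASH.match(s) for s in scripts) or "'strict-dynamic'" in scripts
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce/hash or 'strict-dynamic' is
    # present (it is often left in for old browsers); the rubric deducts regardless.
    inline_note = " (ignored by modern browsers given the nonce/strict-dynamic)" if strict else ""
    return tally(4, [
        ("'unsafe-inline'" not in scripts, 4, "script-src allows 'unsafe-inline'" + inline_note),
        ("'unsafe-eval'" not in scripts, 4, "script-src allows 'unsafe-eval'"),
        (strict, 4, "script-src is allow-list based: no nonce, hash or 'strict-dynamic'"),
        ("frame-ancestors" in policy, 4, "no frame-ancestors directive"),
    ])


def score_page(raw_headers: dict[str, str]) -> dict:
    """Score one response; header names are case-insensitive, so lowercase them."""
    h = {k.lower(): v for k, v in raw_headers.items()}
    hsts, f1 = score_hsts(h)
    std, f2 = score_headers(h)
    csp, f3 = score_csp(h)
    return {"hsts": hsts, "headers": std, "csp": csp,
            "total": hsts + std + csp, "findings": f1 + f2 + f3}


# Constructed sample responses (not captured from any vendor).
STRICT_LOGIN = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": ("default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                                "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"),
}
WEAK_LOGIN = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
}

if __name__ == "__main__":
    for label, hdrs in (("strict", STRICT_LOGIN), ("weak", WEAK_LOGIN)):
        result = score_page(hdrs)
        print(f"{label}: {result['total']}/45", *result["findings"], sep="\n  ")
```

On the constructed samples the strict set scores the full 45 with no findings, and the weak set scores 8 (4 for having an HSTS header at all, 4 for having a CSP at all) with eleven findings. The `inline_note` finding is worth keeping when reading real results: a vendor that ships `'unsafe-inline'` next to a nonce is usually carrying it for legacy browsers, and modern browsers ignore it, so the deduction the rubric makes is a policy-hygiene point rather than an exploitable gap.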
MFA support
15 pts
MFA options offered: TOTP, push, WebAuthn / passkeys, hardware token. Phishing-resistant default vs opt-in.
- TOTP supported
- WebAuthn / passkeys
- Hardware token (FIDO2)
- Phishing-resistant default for admin users
Password reset security
15 pts
Password reset flow: rate limiting, account-enumeration resistance, secure token entropy, expiration.
- Rate-limited reset requests
- Generic success response (no account enumeration)
- High-entropy reset tokens
- Short token expiration
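The four reset-flow checks above describe server-side behaviour, so here is a minimal back end that satisfies all of them. This is an added example for this page, not code from any vendor in the dataset: the `ResetService` class, the in-memory stores, the 15-minute token lifetime, the 3-requests-per-15-minutes limit and the example addresses are all assumptions chosen to illustrate the rubric. The limit is applied to every identifier, real or not, before the account lookup, so the limit itself cannot be used as an enumeration oracle; tokens come from the OS CSPRNG and only their SHA-256 digest is stored, so a read of the table yields no usable links.

```python
"""Password reset back end meeting the rubric's four checks.

Added example, not any vendor's code. TTL, rate limit, stores and addresses
are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from collections import defaultdict, deque

TOKEN_TTL = 15 * 60                    # short expiry (assumed value)
RATE_LIMIT, RATE_WINDOW = 3, 15 * 60   # per address and per client IP (assumed)
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


class ResetService:
    def __init__(self, users: set[str], clock=time.time):
        self.users = {u.lower() for u in users}   # addresses that have an account
        self.clock = clock                        # injectable so expiry can be tested
        self._tokens: dict[str, tuple[str, float]] = {}   # sha256(token) -> (email, expires_at)
        self._hits: dict[str, deque[float]] = defaultdict(deque)
        self.outbox: list[tuple[str, str]] = []   # stands in for the mailer

    def _over_limit(self, key: str) -> bool:
        """Sliding-window counter, applied before the account lookup so that
        being rate-limited says nothing about whether the account exists."""
        now = self.clock()
        q = self._hits[key]
        while q and q[0] <= now - RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def request_reset(self, email: str, client_ip: str) -> str:
        """Same reply on every path; only the side effect differs."""
        email = email.strip().lower()
        limited_email = self._over_limit(f"email:{email}")   # both counters always advance
        limited_ip = self._over_limit(f"ip:{client_ip}")
        if limited_email or limited_ip or email not in self.users:
            return GENERIC_REPLY
        token = secrets.token_urlsafe(32)                     # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # one live token per account: a fresh request supersedes the earlier link
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != email}
        self._tokens[digest] = (email, self.clock() + TOKEN_TTL)
        self.outbox.append((email, token))                    # plaintext goes only to the user
        return GENERIC_REPLY

    def consume(self, token: str) -> str | None:
        """Return the account a valid token unlocks, else None. Single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop first: even an expired token is burned
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.clock() <= expires_at else None


class FakeClock:
    """Deterministic clock for the demo and tests (not for production)."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = ResetService({"alice@example.com"}, clock)
    print(svc.request_reset("alice@example.com", "203.0.113.7"))
    print(svc.request_reset("nobody@example.com", "203.0.113.7"))   # identical reply
    _, token = svc.outbox[0]
    print("consume:", svc.consume(token), "| replay:", svc.consume(token))
    clock.advance(TOKEN_TTL + 1)
    svc.request_reset("alice@example.com", "203.0.113.7")
    clock.advance(TOKEN_TTL + 1)
    print("expired:", svc.consume(svc.outbox[1][1]))
```

The reply text is uniform, but a crawler measuring response times would still see a difference if the mail were sent synchronously inside `request_reset`; hand the token to a queue and return immediately so both paths take the same time. Looking the token up by its digest, rather than comparing user input against stored secrets, also sidesteps the need for a constant-time comparison on this path.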
Breach disclosure
10 pts
Public security posture: published breach disclosures, trust center / security page, vulnerability disclosure program.
- Public trust center / security page
- Published incident disclosures
- Vulnerability disclosure / bug bounty program
- Recent disclosure history
Sample scorecards (top 20 from preview dataset)
The full 500-vendor dataset will be published on 2026-06-15; this preview shows representative scorecards across categories.
| Vendor | Category | Score | Notes |
|---|---|---|---|
| Okta | Workforce IdP | 94/100 | Strong CSP with nonce-based script-src; WebAuthn / FastPass default for admin tier; Public trust center at trust.okta.com; Published 2023-2024 incident disclosures with detail |
| Duo Security | MFA | 93/100 | Strong CSP; Phishing-resistant MFA default; Cisco trust center |
| Google Cloud Identity | Workforce IdP | 93/100 | Strict CSP; Titan Key + Advanced Protection program |
| Microsoft Entra ID | Workforce IdP | 92/100 | Strict CSP; Number matching default for Microsoft Authenticator push; Public Microsoft Security Response Center disclosures |
| HashiCorp Vault | Secrets | 92/100 | Strict CSP; WebAuthn supported |
| WorkOS | B2B SSO | 91/100 | Strong CSP; Modern security posture as expected of newer vendor |
| AWS IAM Identity Center | Federation | 91/100 | AWS-standard security posture; WebAuthn supported |
| Auth0 (Okta CIC) | CIAM | 90/100 | Strong CSP; WebAuthn supported but not default; Inherits Okta trust center |
| Clerk | CIAM | 90/100 | Strict CSP; WebAuthn / passkeys default |
| CyberArk | PAM | 89/100 | Strong overall posture as expected of a PAM vendor; CyberArk Identity Security Platform integration |
| Stytch | CIAM | 89/100 | Strong overall posture; Passwordless-first defaults |
| Ping Identity | Workforce IdP | 88/100 | Strong CSP; Post-ForgeRock merger integration ongoing |
| SailPoint | IGA | 87/100 | CSP present but uses unsafe-inline; Strong MFA support for admin tier |
| BeyondTrust | PAM | 87/100 | Strong overall posture; Published 2024 incident disclosures |
| FrontEgg | CIAM | 86/100 | Modern overall posture |
| Saviynt | IGA | 85/100 | CSP with some unsafe-inline; WebAuthn supported in 2025+ |
| ForgeRock (now Ping) | Workforce IdP | 85/100 | Post-Ping merger integration ongoing |
| JumpCloud | Unified IdP | 84/100 | CSP present; Strong MFA support including WebAuthn; Published 2023 incident disclosure with detail |
| Delinea | PAM | 84/100 | Strong overall posture post-Centrify merger |
| OneLogin | Workforce IdP | 82/100 | CSP present with some unsafe-inline; Strong post-One Identity acquisition cadence |
Citation
askmeidentity Practice. (2026). IAM Vendor Security Posture 2026. Available at https://askmeidentity.com/research/iam-vendor-security-posture-2026/
The full methodology write-up and raw dataset will be published on 2026-06-15 at github.com/askmeidentity/iam-vendor-security-crawler.