Why Isolated User Authentication Undermines Security
And destroys user productivity and happiness
Modern identity systems are often designed with strong authentication technologies - multi-factor authentication (MFA), biometrics, and passwordless methods in the digital space, and possession-based methods in the physical (site and building) domain.
Yet despite these advances, many organisations still suffer from weak identity assurance. The reason is not a lack of technology, but a failure in how identity is experienced across the user journey, which merges the physical and digital realms.
The Problem: Fragmented Access & Authentication
Most organisations treat identity as a series of disconnected events:
Enrolment (initial setup of credentials)
Authentication (logging in)
Recovery (password resets, account unlocks)
In practice, these stages are often handled by different systems, policies, and processes. This leads to:
inconsistent user experiences
duplicated credentials
gaps in assurance between steps
If we then multiply this fragmentation across different systems and different scenarios across the physical and digital realms, we have a cascade of issues.
Why This Matters: Assurance Breaks at the Weakest Point
Identity assurance is only as strong as its weakest link. Even if authentication is robust, weaknesses in enrolment or recovery can undermine the entire system.
For example:
Weak identity proofing during enrolment allows false identities
Poor recovery processes enable account takeover
Inconsistent policies create exploitable gaps
In a recent analyst comment article written for HID, I emphasise that recovery and reset processes are often the least secure parts of the journey. If this is in turn amplified by isolated physical and digital integration, the problem becomes one of high risk and poor user experience.
What Can Be Done: Shift From Authentication to Journeys
The key insight from the article is that identity should not be treated as isolated controls, but as a continuous, end-to-end journey.
This requires a move toward:
1. Converged identity
A unified system across digital and physical access
Single identity spanning enrolment, authentication, and recovery
2. Continuous assurance
Identity confidence maintained over time, not just at login
Contextual signals (device, behaviour, location) informing access
3. Seamless user experience
Reduced friction through passwordless or adaptive authentication
Consistent processes across all identity interactions
About The Author
Simon Moffatt has over 25 years' experience in IAM, cyber and identity security. He is founder of The Cyber Hut — a specialist research and advisory firm based out of the UK. He is author of “Consumer Identity & Access Management: Design Fundamentals” and “IAM at 2035: A Future Guide to Identity Security”. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.



