Deepak Gupta

security

Post-Quantum Cryptography for Authentication: What CIAM Teams Should Do in 2026

Updated 2026-05-07 · 10 min read · By @guptadeepak

Key takeaways

PQC for auth is mostly a TLS / signature concern in 2026, large-scale quantum computers capable of breaking RSA and ECC are not here yet, but 'harvest-now, decrypt-later' attacks make migration urgency real for long-lived secrets.
NIST standardized ML-KEM (Kyber, FIPS 203), ML-DSA (Dilithium, FIPS 204), and SLH-DSA (SPHINCS+, FIPS 205) in 2024.
Browsers and CDNs (Cloudflare, Google) ship hybrid X25519+ML-KEM key exchange; CIAM TLS termination at major CDNs is largely covered.
WebAuthn signatures (ES256, RS256) are PQ-vulnerable in theory but the credential is per-RP, no harvest-and-decrypt risk; passkey signatures are not the urgent migration.
CIAM teams in 2026 should track vendor PQC roadmaps for TLS, signed assertions (SAML, JWT), and long-lived audit log signing, not panic-migrate.

The 2026 reality check

The headlines have outpaced the threat model. Practical CIAM teams should be informed and tracking vendor roadmaps, not rebuilding their auth stack in 2026.

What PQC actually protects against

Two attack categories matter:

Quantum break of stored ciphertext. An adversary captures TLS traffic today, stores it, and decrypts when a quantum computer becomes available. Affects long-lived sensitive data: government communications, financial records, health data, source code. CIAM session traffic is mostly short-lived and not high-value-archived, but signed assertions (SAML metadata, JWT tokens with PII) may persist in logs.

Quantum forgery of signatures going forward. Once quantum computers exist, an adversary can forge ECDSA/RSA signatures. Affects future-validity claims: code signing, long-lived audit attestations, archived signed documents. Short-lived JWTs are largely immune, by the time forgery is possible, the token has expired.

For most authentication, the harvest-now-decrypt-later threat is the load-bearing concern, not signature forgery.

NIST's 2024 standards

In August 2024, NIST published the first round of post-quantum cryptography standards:

FIPS 203, ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), derived from Kyber. The key-exchange replacement for ECDHE.
FIPS 204, ML-DSA (Module-Lattice-Based Digital Signature Algorithm), derived from Dilithium. The general-purpose signature algorithm.
FIPS 205, SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), derived from SPHINCS+. A conservative hash-based signature for cases where lattice security is undesirable.

A fourth signature algorithm, FN-DSA (derived from Falcon), is in late-stage standardization. NIST has also called for additional signature schemes via an ongoing competition.

Where PQC is already deployed

The 2025–2029 path is hybrid (X25519 + ML-KEM in TLS 1.3); PQ-only signatures and KEMs become the default after 2030. CIAM teams inherit most of this through TLS, browsers, and HSMs.

The quiet good news: meaningful deployment is already in production.

Cloudflare rolled out hybrid X25519+ML-KEM key exchange to its edge in 2024; a significant percentage of Cloudflare-fronted sites already negotiate post-quantum-protected TLS for capable browsers. Most managed CIAM behind Cloudflare get this for free.

Google Chrome (since version 124) and Mozilla Firefox support hybrid X25519+ML-KEM in TLS 1.3. Modern browsers connecting to PQ-capable origins negotiate the hybrid key agreement automatically.

Apple iMessage ships post-quantum protection (PQ3 protocol). Signal has its PQXDH key agreement.

For CIAM specifically, the easy wins (TLS to the browser, TLS to upstream services) are largely covered when the vendor sits behind a major CDN. The harder wins (application-layer signatures, long-lived signed artifacts) lag.

Where CIAM should focus migration attention

Three application-layer surfaces matter for CIAM:

SAML and JWT signing. SAML assertions and JWTs are signed with RSA or ECDSA. Short-lived tokens are not the urgent migration; long-lived signed artifacts (configuration, federation metadata, audit attestations that may be re-validated years later) are. Track vendor support for ML-DSA in JWS / SAML signing.

WebAuthn / passkey signatures. Current authenticators use ES256 (P-256 ECDSA) or RS256. The signature is verified at sign-in, not stored for later re-verification, so the harvest-and-decrypt risk doesn't apply. PQ WebAuthn extensions are in early standardization (PQC-WebAuthn drafts at FIDO / W3C); existing passkeys are not the urgent retrofit.

Audit log signing. Some CIAM offer signed/sealed audit logs for tamper-evidence. If those signatures need to remain valid for years (compliance retention often runs 7+ years), the algorithm choice is consequential. This is a real but narrow PQ migration concern.

The 2026 CIAM team checklist

A practical posture for most teams:

Verify TLS posture. Confirm your CIAM and its CDN front negotiate hybrid PQ key exchange for capable clients. Most major vendors are covered as of 2026.
Inventory long-lived signed artifacts. Audit logs, federation metadata, signed configuration, anything that needs to remain trustworthy for years. Note algorithms and rotation timelines.
Track vendor PQC roadmaps. Auth0, Okta, Microsoft, AWS, Google all publish PQ roadmaps; review annually.
Don't panic-migrate JWTs. Short-lived tokens with reasonable expiry don't have a PQ urgency. Algorithm agility (the ability to rotate algorithms when needed) matters more than choosing PQ today.
For self-hosted CIAM (Keycloak, Ory, Zitadel), track underlying library support, JCA providers, Go crypto libraries, OpenSSL, and align upgrade cadence.

What 2030 might look like

Most informed projections expect a meaningful inflection between 2028 and 2032, large quantum systems with thousands of logical qubits, application-layer migration largely complete in regulated industries, gradual phaseout of pure ECC/RSA in new deployments. CIAM teams that have already migrated TLS and have inventory of long-lived signatures will be well-positioned; teams that haven't begun by 2028 are likely behind.

The takeaway for 2026: PQC for authentication is a real but unhurried migration. Inform the team, track vendors, fix the highest-risk surfaces first, and let the easy wins (TLS at the CDN edge) do their work.

Related vendors

FAQ

Should I migrate JWT signing to post-quantum algorithms now?: Not urgently for short-lived tokens. JWTs typically expire in minutes to hours; even a future quantum computer wouldn't retroactively break a token that no longer validates. The exception is long-lived signed artifacts (audit logs, compliance attestations, signed configuration) that may need archival validity beyond the quantum-capable horizon.
Are passkeys at risk from quantum computers?: In theory, ECDSA and RSA signatures used by current WebAuthn authenticators are quantum-vulnerable. In practice, the credential is per-Relying-Party and used at sign-in time only, there's no 'harvest the signature, decrypt later' attack the way there is with key exchange. PQ WebAuthn variants are in standardization; existing passkeys are not the urgent risk.
What did NIST standardize?: August 2024: FIPS 203 (ML-KEM, derived from Kyber) for key encapsulation, FIPS 204 (ML-DSA, derived from Dilithium) for digital signatures, FIPS 205 (SLH-DSA, derived from SPHINCS+) as a hash-based signature alternative. Falcon (FN-DSA) is expected to follow.
Is my CIAM vendor migrating?: Major CDNs (Cloudflare, Akamai, Fastly) and managed CIAM behind them are largely covered for TLS via hybrid X25519+ML-KEM. Application-layer signatures (SAML, JWT, JWKS) are slower to migrate; track your vendor's roadmap. Self-hosted CIAM (Keycloak, Ory) follow their underlying TLS / JCA library updates.

Sources

NIST FIPS 203/204/205 (August 2024)
Cloudflare Post-Quantum to origin (2024 deployment data)
Google Chrome PQ TLS rollout
IETF draft: Hybrid key exchange in TLS 1.3