Deployment · migration · Last updated 2026-06-09

Migrating millions of users without losing them.

Who feels it

engineering · security

What triggers the evaluation

replacing a homegrown system · an acquisition · a platform switch

Moving millions of accounts is the workstream teams fear most, and for good reason. Password hashes arrive in incompatible or unknown formats, and the two migration strategies each carry a real cost. Bulk import with a forced reset reliably kills 10 to 30 percent of dormant accounts, because dormant users never complete the reset. Lazy migration avoids the reset by validating against the old system on first login and rehashing into the new one, but it means running two auth systems in parallel for months and building a bridge between them.

The gating question is hash portability. If the destination can import your exact hash scheme, a seamless bulk migration is possible; if it cannot, you are on the lazy path plus a forced reset for the inactive tail. Acquisitions add a recurring version of the same problem: every acquired company arrives with its own store and its own hash format, and reconciling duplicate identities has to happen during the migration, not after.

Platforms that assume a greenfield deployment make this phase miserable. The ones that win enterprise deals are the ones that handle the messy middle: broad hash-import support, first-class lazy migration, and comfortable support for long periods of parallel running. See the migration framework for the full playbook and the portability matrix.
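The lazy path described above, sketched as an added example (not code from this page or from any vendor): a login first checks the new store, falls back to the legacy hash only for accounts not yet migrated, and rehashes on success. The salted SHA-1 legacy format, the PBKDF2 parameters, and all function and store names are assumptions made for illustration.

```python
import hashlib, hmac, os

PBKDF2_ITERS = 600_000  # assumed work factor for the destination store

def legacy_hash(password, salt):
    # Constructed legacy scheme (assumption): "salt$sha1(salt+password)" in hex.
    return salt + "$" + hashlib.sha1((salt + password).encode()).hexdigest()

def legacy_verify(password, stored):
    salt = stored.partition("$")[0]
    return hmac.compare_digest(legacy_hash(password, salt), stored)

def new_hash(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2-sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"

def new_verify(password, stored):
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(user, password, new_store, legacy_store):
    """Return 'ok', 'migrated' or 'denied' for one login attempt."""
    if user in new_store:
        # Already migrated: never fall back to the legacy hash.
        return "ok" if new_verify(password, new_store[user]) else "denied"
    stored = legacy_store.get(user)
    if stored is None or not legacy_verify(password, stored):
        return "denied"
    # Legacy check passed: the plaintext is available only at this moment,
    # so rehash it now and retire the weak legacy record.
    new_store[user] = new_hash(password)
    del legacy_store[user]
    return "migrated"

def inactive_tail(legacy_store):
    # Accounts that never logged in during the window; these need a forced reset.
    return sorted(legacy_store)

if __name__ == "__main__":
    legacy = {"alice": legacy_hash("correct horse", "a1b2"),  # constructed data
              "bob": legacy_hash("hunter2", "c3d4")}
    new = {}
    print(login("alice", "correct horse", new, legacy))
    print(inactive_tail(legacy))
```

Deleting the legacy record at migration time is what keeps a later password change in the new system from being bypassed with the old password through the bridge.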

How teams recognize it

  • Password hashes are in an incompatible or undocumented format
  • Bulk import forces resets that silently lose 10-30 percent of dormant users
  • Lazy migration means running two auth systems in parallel for months
  • Duplicate identities from acquisitions have to be reconciled mid-migration

How to evaluate vendors for this

The exact questions to put to vendors. Match each answer against the capabilities in the comparison below.

  1. Which password-hash formats can you import directly, without a reset?
  2. Do you support lazy / just-in-time migration against our legacy system on first login?
  3. How do you handle the inactive tail that never logs in to migrate?
  4. Can we run you in parallel with legacy auth for 12-18 months, with session bridging?

Capabilities that solve this

The vendors that cover the capabilities this pain maps to, scored on just those axes. See the full matrix on each vendor profile.

| Capability | Akamai Identity Cloud (100% covered) | Auth0 (100% covered) | Beyond Identity (100% covered) | Curity (100% covered) | CyberArk Identity (100% covered) | Firebase Authentication (100% covered) | ForgeRock (100% covered) | IBM Verify (100% covered) |
|---|---|---|---|---|---|---|---|---|
| Password-hash import | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Lazy / just-in-time migration | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Bulk user import | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
