How quantum computing will redefine cloud identity security - and what to do today

In the identity and security world, cryptography is a foundational building block. It’s what keeps our data private, our systems secure, and our identities verified. But with advancements in quantum computing, some of the cryptographic methods we rely on today—particularly those using asymmetric encryption—are at risk of becoming obsolete. While Cryptographically Relevant Quantum Computers (CRQCs) don’t exist yet, the consensus among researchers is clear: it’s not a question of if, but when. (I touched on this topic way back at the end of 2019; I was asked to deliver a keynote on “The Future of Digital Identity: 2020 - 2030” to the OpenID Foundation Japan Summit. This talk means a lot to me not only because I treasure my opportunities to speak with colleagues in Japan but also that it was the last time I saw my good friend Kim Cameron in person.)

With predictions that CRQCs could emerge within the next 5 to 10 years, organizations must begin preparing now to safeguard their systems and protocols against a post-quantum reality.

How quantum computing threatens encryption

At the heart of the issue is the ability of quantum computers to solve certain mathematical problems exponentially faster than classical computers. This poses a direct threat to asymmetric encryption methods like RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman, which rely on the difficulty of factoring large numbers or solving discrete logarithms. These methods are foundational to many protocols used in identity management and cloud security.

For example (in order of impact, for your stack ranking pleasure):

• Secure Key Exchange: Asymmetric methods like RSA and Diffie-Hellman are critical for securely exchanging session keys in protocols like TLS (Transport Layer Security). During a TLS handshake, asymmetric encryption is used to establish a shared session key that protects subsequent communication with symmetric encryption. Quantum attacks could compromise this handshake, exposing the session key and rendering all communications vulnerable to decryption.
• Digital Signatures: Used to verify the authenticity and integrity of data, digital signatures rely on asymmetric cryptography to ensure communications and identities are trusted. In protocols like SAML, an Identity Provider (IdP) signs assertions with its private key, and Service Providers (SPs) verify the signature with the corresponding public key. Similarly, JSON Web Tokens (JWTs) use asymmetric cryptography for signing and verification. In a post-quantum world, quantum computers could forge digital signatures, enabling attackers to impersonate users, forge tokens, or tamper with data.
• Secure Key Exchange for Authorization Systems: In authorization workflows, components such as Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) often use TLS to secure their communications. The asymmetric encryption underpinning the TLS handshake ensures that access policies and enforcement decisions remain confidential and untampered. If an attacker breaks this encryption, they could intercept sensitive communications or manipulate policy enforcement.

For the identity space, these vulnerabilities place significant pressure on protocols like SAML. Despite its age and the fact that it’s no longer actively maintained, SAML remains deeply embedded in enterprise environments. Its heavy reliance on RSA-based digital signatures and key exchanges makes it particularly vulnerable to quantum-based attacks. Moving away from SAML—or making it quantum-safe—represents a daunting challenge given the level of technical debt many organizations face.

Why preparation starts now

While Cryptographically Relevant Quantum Computers (CRQCs) don’t yet exist, the timeline for preparation is tight. Researchers estimate that quantum computers capable of breaking today’s cryptography could become a reality within a decade. However, the threat isn’t just theoretical—well-funded threat actors, such as foreign governments, are already employing a strategy known as “record now, analyze later.” These threat actors are recording encrypted conversations and storing them with the hope of decrypting the data once CRQCs become available. Sensitive information compromised in this way could have far-reaching consequences, even years after the initial communication.

Given the extensive use of asymmetric encryption across cloud identity systems, replacing vulnerable components will require significant planning, resources, and coordination.

A thorough inventory of cryptographic usage is a critical first step. Organizations need to answer questions such as:

• Which identity protocols are in use, and do they rely on at-risk cryptographic methods?
• What key material is stored and used across systems, and how will it be replaced?
• Are vendor and partner systems also prepared for a quantum-safe transition?

By understanding the scope of the problem today, organizations can make informed decisions about when and how to begin transitioning to post-quantum cryptography (PQC). The urgency lies not only in preparing for future risks but also in mitigating the immediate threat of recorded communications being decrypted once CRQCs emerge.

Future-proofing cloud identity security

Quantum-safe cryptographic algorithms, currently being standardized by organizations like NIST, offer a pathway forward. Efforts such as the NIST 1800-38 initial public draft, "Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography", provide critical guidance for organizations planning their transition. This resource outlines steps for assessing cryptographic dependencies, evaluating readiness, and navigating the technical complexities of moving to PQC.

Additionally, FIPS 140-3, "Security Requirements for Cryptographic Modules", establishes updated standards for cryptographic modules used to protect sensitive data. FIPS 140-3 is critical because it ensures that cryptographic solutions meet stringent security requirements and are adaptable to emerging quantum-safe algorithms. For organizations in regulated industries, compliance with FIPS 140-3 will be a key component of quantum readiness.

Recommendations for preparing cloud identity systems

When preparing for quantum-safe cryptography, organizations should take advantage of existing standards and resources like FIPS 140-3 and NIST 1800-38 to guide their planning. Practical steps include:

1. Conduct a cryptographic inventory: Use NIST’s guidance to identify cryptographic dependencies in your environment, particularly in identity protocols, key exchanges, and digital signatures.
2. Evaluate dependencies on legacy protocols: Assess the use of older protocols like SAML and determine whether they can be phased out or adapted to post-quantum standards.
3. Align with industry best practices: Engage with NIST’s evolving frameworks, including future updates to NIST 1800-38, to stay ahead of emerging quantum computing threats.
4. Engage vendors and partners: Ensure that third-party systems and services you rely on are also preparing for a quantum-safe transition.
5. Establish a long-term transition plan: Transitioning to quantum-safe cryptography will require coordination across teams, systems, and partners. A phased approach with clear milestones will help manage the complexity.

The road ahead: why awareness matters

The emergence of quantum computing represents a paradigm shift for identity and security professionals. While the risks may seem distant, the sheer scale of cryptographic reliance across cloud identity systems makes preparation a necessity. Waiting until CRQCs arrive is not an option—organizations that start planning today will be better equipped to navigate the transition and avoid disruptions.

Identity security has always been about staying ahead of the next threat. Preparing for quantum computing is no different. By raising awareness and encouraging proactive steps, we can ensure that the systems we rely on today remain secure in the face of tomorrow’s challenges.

What steps is your organization taking to prepare for a post-quantum world? Let us know in the comments, or reach out to SGNL to learn how we can help you future-proof your identity systems.