diff --git a/identity/manager.go b/identity/manager.go
index 167c623b6470..1c0f5ff44d2c 100644
--- a/identity/manager.go
+++ b/identity/manager.go
@@ -24,6 +24,7 @@ type (
 		PoolProvider
 		courier.Provider
 		ValidationProvider
+		ActiveCredentialsCounterStrategyProvider
 	}
 	ManagementProvider interface {
 		IdentityManager() *Manager
@@ -165,3 +166,15 @@ func (m *Manager) validate(ctx context.Context, i *Identity, o *managerOptions)
 
 	return nil
 }
+
+func (m *Manager) CountActiveFirstFactorCredentials(ctx context.Context, i *Identity) (count int, err error) {
+	for _, strategy := range m.r.ActiveCredentialsCounterStrategies(ctx) {
+		current, err := strategy.CountActiveFirstFactorCredentials(i.Credentials)
+		if err != nil {
+			return 0, err
+		}
+
+		count += current
+	}
+	return count, nil
+}
diff --git a/identity/manager_test.go b/identity/manager_test.go
index 8f73bf574a4a..63f4e12f6611 100644
--- a/identity/manager_test.go
+++ b/identity/manager_test.go
@@ -153,6 +153,23 @@ func TestManager(t *testing.T) {
 		})
 	})
 
+	t.Run("method=CountActiveFirstFactorCredentials", func(t *testing.T) {
+		id := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
+		count, err := reg.IdentityManager().CountActiveFirstFactorCredentials(ctx, id)
+		require.NoError(t, err)
+		assert.Equal(t, 0, count)
+
+		id.Credentials[identity.CredentialsTypePassword] = identity.Credentials{
+			Type:        identity.CredentialsTypePassword,
+			Identifiers: []string{"foo"},
+			Config:      []byte(`{"hashed_password":"$argon2id$v=19$m=32,t=2,p=4$cm94YnRVOW5jZzFzcVE4bQ$MNzk5BtR2vUhrp6qQEjRNw"}`),
+		}
+
+		count, err = reg.IdentityManager().CountActiveFirstFactorCredentials(ctx, id)
+		require.NoError(t, err)
+		assert.Equal(t, 1, count)
+	})
+
 	t.Run("method=UpdateTraits", func(t *testing.T) {
 		t.Run("case=should update protected traits with option", func(t *testing.T) {
 			original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)