Consider the following two stats:
86% of web app attacks in 2022 were due to stolen credentials according to the Verizon DBIR.
60% of US-based users said they gave up accessing an app in the last month because they forgot their password according to the FIDO Online Barometer Report.
This shows the delicate balance organizations need to strike between security and user experience when considering customer authentication and identity management. Too much friction and users drop off, not enough security and cybercriminals profit.
Apart from building auth in-house, organizations usually consider investing in a Customer Identity and Access Management (CIAM) platform purpose-built for the task at hand.
In this article, we will explain the basics of CIAM, how it differs from IAM, its benefits, and tips to choose your CIAM provider.
CIAM solutions are responsible for handling authentication, identity management, and access control for an organization’s external identities. These identities may include customers, free end users, contractors, suppliers, partners, and any other stakeholders not under the ambit of standard workforce identity management.
CIAM tools seek to help organizations provide secure, seamless authentication and user journeys to their customers, while also saving time for their engineering and IT teams.
End users will interact with CIAM through the familiar signup / registration process and validating their identity during logins. For organizations and developers, however, CIAM involves a variety of user identity-related tasks, including:
Collecting pertinent information, such as names, phone numbers, emails and any relevant documentation
Storing this data in a secure repository
Governing login procedures for users, such as enforcing Multi-Factor Authentication (MFA) or One-Time Password (OTP) verification
Analyzing login attempts and checking them against stored credentials
Deciding which features of a service different users have access to
Delegating certain aspects of identity management to end users
The capabilities of different CIAM platforms vary, but they’re often at least partly the solution for an app’s security, user management, and authentication needs. While some CIAM solutions provide on-premise support, most are Identity-as-a-Service (IDaaS) platforms hosted on the cloud.
Much like CIAM, Identity and Access Management (IAM) is a set of tools that verifies identities and controls access to digital platforms. These two solutions perform similar functions, including:
Safeguarding who has access to sensitive information
Verifying identities against stored credentials
Granting permission to different aspects of a platform based on the user’s authorization level
Despite these similar functions, however, a few crucial distinctions exist between CIAM and IAM. Put simply, IAM solutions are generally used for employees and internal stakeholders, while CIAM is used for customers and external stakeholders.
CIAM |
IAM |
|
---|---|---|
Users |
CIAM is generally used to manage an organization’s customer base and other external stakeholders. |
IAM solutions control access permissions for employees, contractors, and other internal stakeholders. |
Priorities |
CIAM solutions balance security with UX to appeal to a larger audience that can choose which systems they use. |
IAM solutions generally aren’t public-facing; they prioritize security over functionality, intuitiveness and user experience (UX). |
Use Cases |
Popular CIAM use cases include customer authentication, customer SSO, and adaptive MFA. |
Popular IAM use cases include employee SSO and user provisioning in HR systems. |
Robust CIAM solutions are adaptable to an app's specific needs and its developers' preferences. They may provide a wide range of security, identity verification and authentication tools, such as:
Customer registration and profile creation
Support for a wide range of customer authentication protocols and methods
Self-service account management
Access management / fine-grained authorization
Data access governance
Directory services
Federated authentication and single sign-on
Preference and consent management
The specific CIAM capabilities an app employs will depend on its purpose and design. Take, for example, ridesharing platforms, which may use CIAM to:
Facilitate the registration process for users and drivers by analyzing their identification or sending a code to their cell number.
Store sensitive user information in a secure database powered by a trusted Identity Provider (IdP).
Enforce security controls like risk-based MFA, trusted device checks, and session timeouts.
Control the features specific users can access, allowing for the seamless implementation of tiered subscription services.
Analyze customer behavior and tweak onboarding and login UX to suit their preferences.
Allow users to alter their accounts, such as changing their phone number or password.
While the functions of CIAM solutions are varied and adaptable, they all work to facilitate three central capabilities:
Authentication validates users’ login attempts by checking their credentials against those stored in the CIAM solution’s database.
Authorization allows users the proper level of platform access based on the permissions granted to their accounts.
Identity management refers to a diverse set of capabilities such as user provisioning (SCIM), tenant management, token and session management, and delegated administration.
Companies are rapidly adopting CIAM solutions to power their external authentication systems. In fact, the CIAM market is projected to expand by 15.3% by 2026. Gartner estimates that organizations adopting passwordless CIAM will reduce customer churn by more than half.
CIAM’s rising popularity can be attributed to the many benefits it provides businesses, including:
Improved user adoption and conversion. CIAM tools provide capabilities such as progressive profiling, consent and preference management, self-service admin, and passwordless login – all in service to organizations providing a frictionless and personalized experience to their end users.
Enhanced protection against identity attacks. CIAM solutions provide capabilities like risk-based MFA, secure session management, bot protection, and device fingerprinting to prevent account takeover and other forms of broken authentication.
Increased engineering productivity and focus. Handing over identity management to a trusted CIAM provider reduces developer effort spent on session management, credential storage, password reset resolution, and MFA implementation.
B2B enterprise readiness. CIAM platforms provide vital capabilities such as SAML and OIDC SSO, federated authentication, tenant management, and user provisioning – enabling B2B companies to move upmarket and sell to enterprise customers.
If you’re considering implementing a CIAM solution for your app, here are some criteria you can use to evaluate your chosen shortlist of providers.
An organization may have differing identity needs at different stages of its growth. CIAM providers that support a wide range of authentication methods and implementation approaches are best placed to adapt to the changing identity landscape.
Organizations should look for capabilities like:
Support for popular authentication methods like passkeys, magic links, OTPs, social login, authenticator apps, and passwords.
Support for standard, interoperable protocols like SAML, OpenID Connect, WebAuthn, and FedCM.
Support for different authorization models (RBAC, ReBAC, ABAC).
The ability to integrate with a variety of apps (custom, off-the-shelf, etc.).
Customer authentication is never a one-size-fits-all approach – each app and organization has its nuances and unique implementations. A preferred CIAM provider will enable organizations to easily modify their user journeys and auth flows.
Organizations should seek capabilities like:
Customizable user journeys, preferably in an intuitive and low-code visual interface.
Flexible user models with custom attributes and granular access control.
The ability to A / B test and measure login approaches and user journeys.
The ability to easily customize user-facing screens and implement progressive profiling.
Customer identity touches every part of an organization. A preferred CIAM solution will provide a robust and scalable system of integrations with third-party services to keep customer identity in sync with every other business tool and team.
Organizations should check for capabilities like:
Integrations with existing tools in the fraud prevention, identity verification, CRM, and CDP space.
Flexible integration framework that allows for easily adding more integrations.
The ability to add custom and in-house integrations (HTTP, SMTP, audit).
Low-effort integration implementation (setup, testing, switching out one tool for another).
Problems with customer signup or login directly result in lost business. Security breaches involving customer identity have dire consequences. Organizations must evaluate the architecture, availability, and team background of the CIAM vendor they select.
Organizations should ask questions about:
Historical availability, SLA performance, and response times.
Session and token management best practices (rotation, reuse detection).
The largest customer the CIAM solution serves, which is a strong proxy for scalability.
Implementation flexibility for developers with multiple abstraction layers (UI, SDK, API).
Key certifications like SOC 2 Type 2 and ISO 27001.
Active and passive support offerings as well as migration support.
Customer reviews on public platforms like G2 Crowd.
CIAM solutions are a powerful way to manage identities, authenticate users and protect apps against data breaches. They offer a wide variety of features, from customer authentication to self-service onboarding, to provide a frictionless and secure user experience.
If you are evaluating CIAM solutions for your organization, Descope can help. Our drag-and-drop CIAM platform helps hundreds of organizations improve user onboarding, protect accounts against account takeover, and unify identities across customer-facing apps – all without writing code.
Sign up for a Free Forever Descope account to get started! If you have questions, book a demo with our auth experts.
*** This is a Security Bloggers Network syndicated blog from Descope Learning Center authored by Descope Learning Center. Read the original post at: https://www.descope.com/learn/post/ciam