Why the ‘solved problem’ of customer identity access management continues to be unsolved
You see something you want on the internet, provided you have the funds, you click, and you buy. From the business side, you receive the data from the click and provide the goods or the service.
Whether you understand the underlying technology or not, this can seem like a problem that’s been solved for a long time, especially when you’ve had years of Amazon packages reaching your doorstep.
(Gentle spoiler: Part of the reason we created Auth0 was that we didn’t see this as a “solved problem”; we saw a lot of potential for the experience to be improved, and we also saw a world becoming more complex and subject to threats.)
From ‘Nobody’ to ‘Target’
In the beginning, I think consumers tended to see the process of registering for a website or logging in as an annoyance rather than something that was front and center. “Of course, I need to log in, but who cares? I’m going to use my very original password. And who’s going to check that I’m using the same password for ordering tasty sandwiches, for ordering off eBay, and for my bank account? After all, nobody knows me.” Most people in the world are not famous, and so they believed that anonymity would keep them safe because who would target an unknown person?
This clearly changed over time. Consumers suddenly started having problems remembering passwords, having their accounts hacked, dealing with getting locked out of an account, having multiple accounts for a website, or experiencing problems logging in. As our lives transitioned to all things digital, and consequently to more online accounts than ever, the problem got worse.
I believe we have proved that old problems have a nasty tendency to appear again. History will repeat itself, and in some cases, with new force.
So Customer Identity Access Management (CIAM) was a solved problem that got unsolved again as our context evolved.
In fact, it was becoming worse every day because, in the process of creating strong customer experiences, organizations had been gathering and keeping a lot of data… and bad actors had realized that you didn’t have to target a famous person to see a return on nefarious deeds — average people could be lucrative targets, too.
And as a lot of people — famous and average — turned to the internet for business, and for all things in life: education, healthcare, food, and entertainment, more value was out there to be stolen. This year has only accelerated this process.
Mix in Complexity
Another aspect of today’s reality is that an average middle-class house is also becoming more complex with crisscrossed and interconnected systems.
Just pause and think about all the devices and software you likely interact with on a daily basis.
You wake up. Your watch might have been monitoring your body all night. If you’re like me, you head out for a run. Your watch or other wearables keep track of your running stats, or if you were going to the gym, your phone knows you are going there, so it shows the fastest route. Then you take a shower and jump on the scale, which is WiFi enabled and sends your weight to your phone. Then you likely check your email or Slack, or have an early Zoom with colleagues. Then maybe you log into your bank. Then your kids’ school assignments. Maybe it’s getting chilly, so you alter the temperature in your home from your phone and send some music to get your day going through your home speakers.
There’s a whole myriad of systems that are part of my daily routine, and they are all different. They are also all built, designed, and marketed by different companies. According to Think with Google, the average person has 35 apps on their phone, plus apps that may be on other devices.
And while they’re all supplied by different vendors, they all have one thing in common:
They need to know who I am.
And who my family is. And what is the relationship between all the members? What is each person allowed to do (and not do, like rearrange my favorite playlist)? As well as those outside people and organizations that we deal with.
It’s pretty sensitive.
The cameras in my home are watching my family, and my bank has my financial information. My health records, even my gym schedule — everything is pretty sensitive information.
The problem space has exploded in complexity. The old ways of solving these problems don’t work anymore.
Even if you go with a password that is more complex than “password,” we’re dealing with literally tens, dozens, or in some cases hundreds of applications that we need to interact with all the time. Now people are conscious that everybody is a target. That awareness of the situation is actually influencing the nature of the problem to be solved.
The Case of the Flawed Candy Surprise
Thankfully, the mindset of consumers is changing. It’s a funny story and a good example of how consumer behavior and expectations are changing (for good). This is what happened recently when I tried to surprise my mother.
My mom lives in Argentina. With travel restricted, I haven’t been able to see her for a while, so I ordered a box of chocolates online and had them shipped to her home.
Remember, this is meant to be a surprise. A good one, but instead, it turned into a somewhat scary moment for her. When a random guy appears on her doorstep at 7 p.m. saying, “Ma’am, I have your chocolates,” she simply says, “No, I didn’t order any chocolates. I’m not going to fall for that.” Here we have someone involved in a relatively minor transaction rejecting it as suspicious. She knows she didn’t order anything, it’s kind of late, and I’ve never done that before. The context of all this raises some alarms.
Now it’s pervasive. We are all on the watch. My mom rejected my chocolates and called me very proud, saying, “You know what happened to me? Somebody tried to trick me by pretending that I had ordered chocolates, and they wanted me to sign for them and show my identity card, so I rejected the package.”
So now I have to do “multi-factor authentication” to send my mother a gift. “No, Mom,” I say. “That was me. I was trying to send you a surprise. I’m going to send you another gift, and it will arrive on this day, and you can accept it.”
I ended up sending another present. This particular use case also presents some interesting challenges from a user experience perspective, but that would probably require its own blog post.
The bottom line is, like, it’s very complex. It’s not solved from a technical point-of-view or from a consumer end-user point-of-view.