researchHQ’s Key Takeaways:
- Customer identity and access management (CIAM) is how companies grant end-users access to their digital properties and collect, store and use those users’ data.
- Typical CIAM features include single sign-on (SSO), multi-factor authentication (MFA), centralized user management and the ability to scale to millions of users.
- Sophisticated CIAM helps companies secure customer data and comply with data protection laws while significantly boosting customer conversion and retention rates.
Customer Identity and Access Management (CIAM) is how companies give their end users access to their digital properties as well as how they govern, collect, analyze, and securely store data for those users.
CIAM sits at the intersection of security, customer experience, and analytics. Providing an easy, frictionless way for users to onboard and log in is critical for driving conversions and building customer loyalty. Protecting sensitive data from malicious intrusion and taking steps to prevent data breaches is central to a sound security policy and compliance with data privacy laws. And compiling user data into a single source of truth is essential to understanding your customers.
Given CIAM’s complexity and dynamism, many organizations choose to engage a third-party Identity-as-a-Service (IDaaS) provider rather than build a solution in-house.
Below, we’ll discuss the elements of a modern CIAM solution and how your company’s approach to customer identity can impact top-line revenue as well as mitigate bottom-line security risk.
Essential Elements of CIAM
Organizations need Identity and Access Management (IAM) solutions for several classes of end-users: employees, enterprise customers, and customers. But each type of user requires a different balance of security and user experience (UX). That’s why CIAM solutions provide a unique set of features distinct from B2B or workforce identity solutions.
Here are four features that form the bedrock of modern CIAM solutions. No two CIAM solutions offer exactly the same features in the same way, but if you’re purchasing a CIAM platform, it should include the following:
Unlike workforce identity solutions that support thousands of employees and vendors who require fairly static access to a pre-assigned list of applications, CIAM has to scale to millions and even billions of users — often in response to short-term events like peak holiday seasons or major sporting events.
Although not traditionally described as a software “feature,” scalability is a unique element of CIAM that requires third-party, cloud-scale stability.
Single Sign-On (SSO) allows users to log in to one application and automatically be logged into a set of other applications. The most widely known SSO example is Google G Suite, where logging into your Gmail means you’re automatically logged into YouTube, Google Drive, and other Google platforms.
SSO is a basic element of federated identity, and there are SSO options for B2B and workforce IAM solutions. The type of SSO that’s specifically designed for end-users is social login, which allows users to verify their identity with their credentials from a separate provider, like Facebook, Google, or Apple.
Social logins greatly simplify the registration process for users, which can lead to increased conversions and fewer customers abandoning their shopping carts because they got tired of filling out a form. (More on the advantages of SSO later.)
Multi-Factor Authentication (MFA) is a more secure means of authenticating user identity than the traditional username/password combination. Passwords are distressingly easy for hackers to steal or guess, so MFA demands an extra credential for users to prove their identity. This could take the form of a one-time PIN sent to the user’s mobile device, an email, or a biometric credential like a fingerprint or face recognition. Auth0 is even releasing a feature in which users can receive a phone call with a voice message of their one-time PIN.
MFA is increasingly regarded as a basic requirement for security, and data privacy laws are beginning to explicitly demand it. However, it’s critical to implement MFA for end-users in a way that doesn’t introduce unnecessary friction. MFA should only be triggered based on the assessed risk, such as when a customer signs in with a new device or makes a suspicious transaction. That’s another reason why it’s critical to have the deep insight into your customers that CIAM provides, so you can assess in context when a transaction requires a higher level of authentication.
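The risk-based trigger described above, as an added example (not code from Auth0 or any CIAM product): a second factor is requested only for a new device or an order far above the customer's usual spend. The `Profile` class, the signal names and the 5x-median threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Profile:
    """Constructed stand-in for the centralized customer profile (hypothetical)."""
    known_devices: set = field(default_factory=set)
    past_orders: list = field(default_factory=list)

def risk_signals(profile, device_id, order_value=None, ratio=5.0, min_history=3):
    """List the reasons this event is riskier than the customer's norm."""
    signals = []
    if device_id not in profile.known_devices:
        signals.append("new_device")
    # Only judge spend once there is a baseline; ratio and min_history are assumed.
    if order_value is not None and len(profile.past_orders) >= min_history:
        if order_value > ratio * median(profile.past_orders):
            signals.append("unusual_order_value")
    return signals

def authenticate(profile, device_id, password_ok, order_value=None, mfa_ok=None):
    """Return (decision, signals). mfa_ok stays None until a challenge is answered."""
    if not password_ok:
        return "deny", []
    signals = risk_signals(profile, device_id, order_value)
    if signals and mfa_ok is None:
        return "require_mfa", signals      # step up only when risk is present
    if signals and not mfa_ok:
        return "deny", signals             # challenge failed
    # Low risk or step-up passed: remember context so the next visit has no prompt.
    profile.known_devices.add(device_id)
    if order_value is not None:
        profile.past_orders.append(order_value)
    return "allow", signals

if __name__ == "__main__":
    p = Profile(known_devices={"laptop-1"}, past_orders=[20.0, 35.0, 25.0])
    print(authenticate(p, "laptop-1", True))                      # known device
    print(authenticate(p, "phone-9", True))                       # new device
    print(authenticate(p, "phone-9", True, mfa_ok=True))          # challenge passed
    print(authenticate(p, "phone-9", True))                       # now remembered
    print(authenticate(p, "laptop-1", True, order_value=400.0))   # unusual order
```

A device is added to the profile only after the challenge succeeds, so a failed or abandoned step-up never makes the next attempt from that device frictionless.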
Centralized user management
Your insights into your users can be a major competitive advantage, but only if your data is organized, accessible, and accurate. A CIAM solution helps achieve the goal of centralized, data-rich customer profiles that function as a single source of truth about users. That’s because a CIAM solution is essentially an API that mediates between different applications and components, compiling heterogeneous data in one place.
Centralized user management eliminates data silos and duplicate data. Everything you know about a user is together in one place from which admins can quickly grant and revoke permissions. This single view of customers is an obvious advantage for analytics, but it also helps companies meet the reporting requirements of data privacy laws because all profile data is accessible and portable. Knowledge about the user is also critical for building more personalized experiences, which drives higher retention rates.
How CIAM Impacts Business
Now that we’ve gone over the fundamental elements of CIAM, let’s talk about how those elements impact your company’s day-to-day operations and your all-important bottom line.
CIAM Is Central to Data Security
Customer data can be your company’s greatest asset — unless it falls into the wrong hands. A robust CIAM solution has security features to protect against fraud, hacks, and misused data on multiple fronts.
In recent years, the login box has become the front line for fending off intruders. Hackers use broken authentication attacks to steal or guess user credentials and impersonate legitimate users at the login box. One of the most damaging forms of broken authentication attacks is credential stuffing, in which hackers use passwords stolen in one breach to break into other sites.
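How credential stuffing looks in login logs, as an added example (not from the original article or any vendor's product): one source tries many different usernames in a short window and almost all attempts fail. The log format, the thresholds and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sample lines: '<ISO time> <source IP> <username> <result>'."""
    t0, lines = datetime(2024, 1, 1, 12, 0, 0), []
    for i in range(12):                      # one source, 12 different accounts
        result = "success" if i == 7 else "failure"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 user{i:02d} {result}")
    for i, result in enumerate(["failure", "failure", "success"]):   # customer typo
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 198.51.100.20 alice {result}")
    return lines

def stuffing_suspects(lines, window=timedelta(minutes=5), min_users=10, max_success=0.2):
    """Flag sources that try many distinct usernames, mostly failing, inside one window.
    Thresholds are illustrative assumptions, not vendor defaults."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                   # slide the window forward
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = sum(r == "success" for _, _, r in chunk)
            if len(users) >= min_users and hits / len(chunk) <= max_success:
                peak = max(peak, len(users))
        if peak:
            # Accounts this source did get into hold reused passwords: reset them.
            reset = sorted({u for _, u, r in events if r == "success"})
            suspects[ip] = {"distinct_users": peak, "accounts_to_reset": reset}
    return suspects

if __name__ == "__main__":
    print(stuffing_suspects(constructed_log()))
```

Grouping by source address is only one signal: the same check can be keyed on device fingerprint or user agent when attempts are spread across many addresses.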