1 Introduction
Digital identity is a primary vector of attack in nearly all the headline-grabbing data breaches of the last few years. Bad actors, such as fraudsters, state agents, and even malicious insiders or contractors, start by getting access to user accounts, then search for administrative or service accounts to take over in order to exploit the elevated privileges that they possess. Whether the attackers’ goal is stealing credit card information, health records, or intellectual property, their Tactics, Techniques, and Procedures (TTPs) almost always include compromising passwords and using privileged accounts.
Eliminating passwords is an important goal in many organizations today. Strong, multi-factor authentication (MFA) is a requirement and an important step toward securing access to sensitive resources. MFA methods run the gamut from SMS OTP to hardware tokens to mobile biometric applications on smartphones. While MFA is necessary, it is not a panacea, and often risk-adaptive authentication is needed as well. Adaptive authentication solutions evaluate various user, device, and environmental attributes against pre-defined policies to determine which MFA methods are appropriate for accessing sensitive data in consideration of the real-time risk levels. MFA, in concert with adaptive authentication, is often used to protect critical assets in governments and the finance, healthcare, pharmaceutical, aerospace, and defense industries.
Consumer Identity and Access Management (CIAM) is a sub-genre of traditional Identity and Access Management (IAM) that has emerged in the last few years to meet evolving business requirements. Many businesses and public-sector organizations are finding that they must provide better digital experiences for, and gather more information about, the consumers who are using their services. Enterprises want to collect, store, and analyze data on consumers in order to create additional sales opportunities and increase brand loyalty. Know Your Customer (KYC) initiatives, particularly in the financial sector, are another example of the business drivers motivating exploration and adoption of CIAM.
Consumer IAM systems are designed to provision, authenticate, and authorize consumers, and to collect and store information about them from across many domains. Unlike regular IAM systems, though, information about these consumers often arrives from many unauthoritative sources. CIAM systems generally feature weak password-based authentication, but also support social logins and other authentication methods. Information collected about consumers can be used for many different purposes, such as authorization to resources, analysis to support marketing campaigns, or Anti-Money Laundering (AML) initiatives. Moreover, CIAM systems must be able to manage many millions of identities, and process potentially billions of logins and transactions per day.
Auth0 is a VC-funded identity platform provider based in Bellevue, WA. CIAM features can be augmented by licensing integrated components, such as breached password detection and MFA modules. Auth0’s flagship product can also provide identity management in B2E scenarios, B2B SSO, and serve as a bridge between existing IAM systems. Auth0 is distinguished by the fact that, rather than being a plug-and-play all-inclusive solution, the Customer Identity Management offering is also a set of components that their customers can choose from to build the identity infrastructure that best fits their requirements. The solution is available as an on-premises virtual appliance, in the customer's cloud, or as fully multi-tenant Auth0 SaaS, with hosted customer profiles.