1 Introduction
Consumer Identity and Access Management (CIAM) is an outgrowth of enterprise Identity and Access Management (IAM) that has become a substantial market of its own. CIAM solutions are designed to meet the evolving technical requirements of businesses and other organizations that deal directly with consumers and citizens. Many businesses and public sector organizations are finding that they must provide better digital experiences for, and gather more information about, the consumers who use their services. Enterprises want to collect, store, and analyze data on consumers in order to create additional sales opportunities and increase brand loyalty.
Consumer IAM systems are designed to provision, authenticate, and authorize consumers, and to collect and store information about them from across many domains. Unlike workforce IAM systems, however, information about these consumers often arrives from many non-authoritative sources (self-registration forms, social identity providers, purchased marketing data), so it cannot be trusted for authorization decisions without verification. Information collected about consumers can be used for many different purposes, such as authorization to resources, analysis to support marketing campaigns, or Anti-Money Laundering (AML) initiatives. Moreover, CIAM systems must be able to manage many millions of identities and process potentially billions of logins and other transactions per day. SaaS delivery of CIAM services is trending upwards and will likely remain the default choice for most organizations.
The top features CIAM services provide are:
- Social logins: Allow users to log in via Facebook, LinkedIn, Twitter, Google, Amazon, etc., typically through OAuth 2.0 or OpenID Connect. Note that the relying organization inherits whatever authentication assurance the social provider applied to that account.
- Multi-factor authentication: Email/phone/SMS OTP, mobile biometrics, behavioral biometrics, mobile push apps, FIDO, risk-adaptive and continuous authentication, etc.
- Risk-adaptive authentication: Evaluation of runtime environmental parameters, user behavioral analytics, and fraud/threat/compromised-credential intelligence to select an authentication mechanism commensurate with the business risk of the transaction, or as required by regulations (for example, stepping up to a stronger factor when the risk score exceeds a threshold).
- Account recovery mechanisms: When consumers forget passwords, lose credentials, or change devices, they need ways to regain access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA; not recommended, since the answers are often guessable or discoverable from public sources, making it usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account linking. Because recovery bypasses the primary credential, it should be at least as strong as the login path it replaces.
- Third-party fraud and compromised-credential intelligence: Runtime evaluation of internal or external cyber threat or fraud information, such as known bad IP addresses/domains, compromised credentials, accounts suspected of fraud, fraud patterns, botnet behavior, etc., for the purpose of reducing the risk of fraud at the transaction level.
- Identity analytics: Dashboards and reports on common identity attribute activities including failed logins, consumer profile changes, credential changes, registration tracking, etc.
- Business intelligence for marketing: Transformation of data about user activities into information for marketers.
- Privacy and consent management: Explicit user consent must be obtained before their information is used. Consumer account dashboards are common mechanisms for providing users with consent monitoring, granting, and withdrawal options. Compliance with the EU GDPR, Canada's PIPEDA, and California's CCPA is a notable driver.
- IoT device identity association: As IoT devices increase in popularity, consumers and business customer users will have greater need to associate their IoT devices with their digital identities. These identity associations between consumer and IoT objects will allow for more secure and private use of smart home, wearables, medical, and even industrial devices.
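The risk-adaptive authentication and compromised-credential intelligence items above describe a decision, not just a feature: runtime signals are scored and the score selects the authentication mechanism. The following is an added illustration, not code from the original page or from any CIAM product, of how such a policy engine can be expressed. The threat feeds (a bad network in the TEST-NET-3 range, a tiny set of leaked passwords), the weights, and the thresholds are all constructed here for illustration. The compromised-password check uses the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1, match the suffix locally) that services such as Pwned Passwords expose, but the "range responses" here are built locally so the example runs offline.

```python
"""Risk-adaptive login decision with threat-intel signals.
Added example; all feeds, weights and thresholds are constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed threat-intel feed: TEST-NET-3 used as a "known bad" network.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed compromised-credential corpus, keyed by 5-hex-char SHA-1 prefix.
# This mimics the range-query shape of Pwned Passwords: a client sends only the
# prefix and compares the returned suffixes locally, so the full hash never leaves.
_LEAKED_PASSWORDS = {"password123", "letmein", "qwerty"}
COMPROMISED_RANGES: Dict[str, Set[str]] = {}
for _pw in _LEAKED_PASSWORDS:
    _h = _sha1_hex(_pw)
    COMPROMISED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def password_is_compromised(password: str) -> bool:
    """k-anonymity lookup: only the prefix would cross the network."""
    h = _sha1_hex(password)
    return h[5:] in COMPROMISED_RANGES.get(h[:5], set())


def ip_is_bad(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)


@dataclass
class LoginContext:
    username: str
    password: str
    source_ip: str
    country: str
    device_known: bool
    usual_countries: Set[str] = field(default_factory=set)
    failed_attempts_last_hour: int = 0
    regulated_transaction: bool = False  # e.g. a payment for which regulation mandates MFA


@dataclass
class Decision:
    required_factor: str  # "password" | "otp" | "fido" | "deny"
    score: int
    reasons: List[str]
    require_password_reset: bool


def evaluate(ctx: LoginContext) -> Decision:
    """Score runtime signals and map the score to an authentication requirement."""
    score = 0
    reasons: List[str] = []
    reset = False
    if ip_is_bad(ctx.source_ip):
        score += 50
        reasons.append("source IP on threat list")
    if not ctx.device_known:
        score += 20
        reasons.append("unrecognised device")
    if ctx.usual_countries and ctx.country not in ctx.usual_countries:
        score += 20
        reasons.append("login from unusual country " + ctx.country)
    if ctx.failed_attempts_last_hour >= 5:
        score += 30
        reasons.append("recent failed-login burst")
    if password_is_compromised(ctx.password):
        score += 40
        reset = True  # credential is burned regardless of how this login ends
        reasons.append("password appears in breach corpus")

    # Constructed thresholds: higher risk demands a stronger (phishing-resistant) factor.
    if score >= 80:
        factor = "deny"
    elif score >= 50:
        factor = "fido"
    elif score >= 20:
        factor = "otp"
    else:
        factor = "password"

    # Regulatory floor: a regulated transaction never proceeds on password alone.
    if ctx.regulated_transaction and factor == "password":
        factor = "otp"
        reasons.append("MFA required by regulation")
    return Decision(factor, score, reasons, reset)


if __name__ == "__main__":
    d = evaluate(LoginContext("alice", "password123", "203.0.113.7", "DE", False, {"DE"}))
    print(d.required_factor, d.score, d.reasons, d.require_password_reset)
```

The point a practitioner should take from this is the separation of concerns: signal collection (threat feeds, device history, breach corpus) is independent of the policy that maps a score to a factor, so weights and thresholds can be tuned, and regulatory floors enforced, without touching the signal code. A compromised password is also treated as a state change (forced reset) rather than only a risk increment, since stepping up once does not make the credential safe to keep.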
IT departments should welcome CIAM initiatives, as they provide an opportunity for IT, usually considered a “cost center”, to closely team with Marketing, a revenue producing center.