1 Introduction
Consumer Identity and Access Management (CIAM) is an established specialty within Identity and Access Management (IAM) that has emerged in the last few years to meet evolving business requirements specific to consumer use cases. Many businesses and public-sector organizations are finding that they must provide better digital experiences for and gather more information about the consumers who are using their services. Enterprises want to collect, store, and analyze data on consumers to create additional sales opportunities and increase brand loyalty.
Consumer IAM systems are designed to provision, authenticate, authorize, collect, and store information about consumers from across many domains. CIAM solutions also work for many government-to-citizen use cases. Unlike workforce IAM systems though, information about these consumers often arrives from many unauthoritative sources. Information collected about consumers can be used for many different purposes, such as authorization to resources, or for analysis to support marketing campaigns, or Anti-Money Laundering (AML) initiatives. Moreover, CIAM systems must be able to manage many millions of identities, and process potentially billions of logins and other transactions per day. SaaS delivery of CIAM services is trending upwards and will likely remain the default choice for most organizations.
CIAM systems can aid in other types of regulatory compliance. Since GDPR took effect in the EU in May of 2018, collecting clear and unambiguous consent from consumers for the use of their data has become mandatory. Many CIAM solutions provide this capability, plus offer consumers dashboards to manage their information sharing choices. Moreover, CIAM systems can help corporate customers implement consistent privacy policies and provide the means to notify users when terms change and then collect acknowledgement.
The top features CIAM services provide are:
- Authentication options: Email/phone/SMS OTP, mobile biometrics, behavioral biometrics, mobile push apps, FIDO, risk-adaptive and continuous authentication, and social logins (allowing users to log in via Facebook, LinkedIn, Twitter, Google, Amazon, etc.). Consumer authentication components should permit risk-adaptive evaluation of runtime environmental parameters, user behavioral analytics, and fraud/threat/compromised credential intelligence, so that the authentication mechanism required matches the level of business risk or the requirements of applicable regulations.
- Privacy and consent management: Explicit user consent must be received for the use of their information. Consumer account dashboards are common mechanisms for providing users with consent monitoring, granting, and withdrawal options. Compliance with EU GDPR, Canada’s PIPEDA, and California’s CCPA is a notable driver.
- IoT device identity association: As IoT devices increase in popularity, consumers and business customer users will have greater need to associate their IoT devices with their digital identities. These identity associations between consumer and IoT objects will allow for more secure and private use of smart home, wearables, and connected cars.
- Identity analytics: Dashboards and reports on common identity attribute activities including failed logins, consumer profile changes, credential changes, registration tracking, etc.
- APIs: Allow access by 3rd-party applications to perform marketing analytics, CRM integration, security integration, provisioning/de-provisioning, consent auditing, and more. Many CIAM solutions support REST APIs, Webhooks, Websockets, and WebAuthn methods; JSON and XML formats; and LDAP and SCIM for provisioning.
- Account recovery mechanisms: When consumers forget passwords, lose credentials, or change devices, they need ways to regain access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA; it is recommended to avoid this method, as it is usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account linking.
- Account TakeOver (ATO) protection: Runtime evaluation of internal and/or external (3rd-party) cyber threat and fraud intelligence, such as known bad IP addresses/domains, compromised credentials, accounts suspected of fraud, fraud patterns, botnet behavior, etc., for the purpose of reducing the risk of fraud at the transaction level, especially ATO fraud.
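The risk-adaptive authentication and ATO-protection items above describe the same runtime decision: fold environmental signals and threat/fraud intelligence into a risk score and pick the authentication mechanism accordingly. The routine below is an added illustration of that decision, not code from any vendor or product in this report; the intelligence feeds, user history, weights and thresholds are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample intelligence feeds (placeholders, not real indicators).
KNOWN_BAD_IPS = {"203.0.113.7"}  # documentation-range address, constructed
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "qwerty")}
# Constructed per-user history that a CIAM profile store would normally hold.
KNOWN_DEVICES = {"alice": {"dev-a1"}}
LAST_COUNTRY = {"alice": "DE"}

@dataclass
class LoginContext:
    user: str
    password: str
    ip: str
    device_id: str
    country: str
    failed_last_hour: int  # failed attempts on this account in the last hour

@dataclass
class Decision:
    action: str        # "password", "otp", "step_up" (FIDO/push) or "deny"
    score: int
    reasons: list
    force_reset: bool  # credential appears in breach intelligence

def assess_login(ctx: LoginContext) -> Decision:
    """Score runtime signals plus threat intel, then map the score to the
    authentication mechanism this login must satisfy (hypothetical weights)."""
    score, reasons = 0, []
    if ctx.ip in KNOWN_BAD_IPS:
        score += 50; reasons.append("ip_on_blocklist")
    if ctx.failed_last_hour >= 5:
        score += 30; reasons.append("failed_login_velocity")
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 20; reasons.append("unknown_device")
    if LAST_COUNTRY.get(ctx.user) not in (None, ctx.country):
        score += 15; reasons.append("country_changed")
    compromised = hashlib.sha1(ctx.password.encode()).hexdigest() in BREACHED_SHA1
    if compromised:
        score += 40; reasons.append("compromised_credential")
    if score >= 70:
        action = "deny"       # block and raise a fraud alert
    elif score >= 40:
        action = "step_up"    # require FIDO or mobile push
    elif score >= 20:
        action = "otp"        # email/SMS OTP
    else:
        action = "password"
    return Decision(action, score, reasons, force_reset=compromised)
```

A compromised credential forces a reset even when the rest of the context looks benign; the `reasons` list is what an identity analytics dashboard would report alongside the decision.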
Many CIAM vendors are taking an “API-first” approach to CIAM. API-driven CIAM architectures may be considered Identity API platforms and are best when instantiated as micro-services. Deploying CIAM functionality using Identity APIs aligns with the notion of Identity Fabrics.
IT departments should welcome CIAM initiatives, as they provide an opportunity for IT, usually considered a cost center, to team closely with Marketing, a revenue-producing center.