Good morning, good afternoon. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today's webinar is titled How to Do CIAM in 2025 and Beyond. And today I'm joined by Rishi Bhargava from Descope. Hi Rishi.
Hi John, nice to be here.
Well, before we begin, just a little bit of logistics info. Everybody's muted centrally, so there's no need to mute or unmute yourself. I'm going to do a couple of poll questions, one near the beginning and then one kind of in the middle, and then we'll take a look at the results at the end before we do Q&A. And there is a control panel within Livestorm here. You can enter questions and we will take those at the end. And then lastly, this is being recorded, so both the recording and the slides should be available in a few days.
So I'm going to start off and talk about an overview of CIAM, you know, what the trends, challenges, what's new. Then I'll turn it over to Rishi, and like I said, we'll do the poll results and the Q&A. So I always like to start off by thinking about what does the C in CIAM stand for?
You know, in the olden days, I used to mostly consider consumer identity and access management. You know, and use cases there would be things like e-commerce or managing your media subscriptions or banking or general retail. But you know, it's got a broader definition these days. Most of us say customer IAM. And you know, this is dealing with extended supply chains, logistics management. But you know, there's also another side to it.
Many government agencies use CIAM solutions for when their citizens need to apply for some kind of a license, or maybe they need to register and pay taxes or get a tax refund. So the C in CIAM can really stand for any one of these three. So what are the goals that people have when they set out to implement a new CIAM solution? Maybe they've got an older one. Maybe it was based on, you know, workforce or a traditional IAM system, probably deployed on premises.
You know, it may not be as scalable. But maybe you need to offer self-registration because it's really hard to, you know, register thousands or even millions of accounts in some cases. You want to be able to host the consumer profiles, that's information about the customer. You want to convert those unknown or anonymous or guest users into known customers. There are many privacy regulations around the world and, you know, older CIAM solutions, especially if they're based on, you know, the workforce model, they really didn't have any way to account for collecting consent.
So it made it really difficult to try to do regulatory compliance. And then ultimately, you know, you want to collect information with consent where appropriate to do better marketing. You have personalized campaigns and ultimately increase your revenue. Security is always a concern and, you know, old CIAM solutions were probably 99% based on username password, which as we all know, don't have to belabor the point, but is very insecure and is also a real pain for customers to have to use. And then identity analytics for security.
Collecting this information can, you know, lead to a lot better outcomes. You can do risk-based authentication and there's a lot of good things that can come from collecting and properly using identity analytics. So just kind of selecting a subset here. What of these motivations might be driving your organization to think about either putting in place a new CIAM or upgrading to something new and more capable? Would it be, you know, improving the customer or consumer experience? Improving security? Enhancing that marketing and increasing revenue?
Or do you need to do identity resolution across multiple repositories? And we see this with a lot of, you know, big brands that have, you know, maybe multiple sites or multiple business units. And you've got multiple identity repositories and you need to be able to sort of centralize that, have a single unique key, whereby you can, you know, make for a much better customer experience too. So feel free to go ahead and answer that.
So some of the obstacles that we have seen, you know, in deploying early-gen CIAM solutions, well, they were difficult to deploy, especially if they were on-prem, you know, you had to provision your own equipment, do the installation, maintain the operating system, maintain the application. You know, that can be difficult to scale because you have to buy new hardware. Most of them, you know, really didn't expose APIs, which made it hard to integrate with your existing applications, particularly legacy applications. And CIAM was a silo.
So all the information about customers or consumers was contained within the CIAM solution. And it was hard to get the information out of it. So if you wanted to do identity or marketing analytics, you had to come to the CIAM admin console and do it there. I mentioned the password problem.
You know, many of them really just had very basic, if you had anything beyond password, it was probably one-time passwords. So, you know, many organizations found that early-gen CIAMs were just insufficient for security reasons as well. And I mentioned the privacy regulatory compliance.
You know, they weren't really built for that. You know, GDPR has been in effect for like seven years now. So a lot of solutions are geared toward providing GDPR compliance, but of course we have CCPA. And many other states in the U.S. have regulations that are not exactly like CCPA either. So having something that can help you do business and comply with privacy regulations in all the jurisdictions that you operate can be very important. And then lastly, licensing and subscription costs.
It can be difficult with particularly an on-prem solution where you may have to pay by the server or pay by, you know, many different kinds of licensing schemes. Most of the SaaS-delivered solutions we see today have much easier to comprehend and predictable licensing modes. Another big motivation is preventing fraud.
You know, we have ATO fraud, account takeover fraud. That's exactly what it sounds like. Then we have AO fraud, account opening fraud.
That's, you know, using information about another user to create a fraudulent account. And while there are many other types of fraud, these two are, you know, two of the main kinds that we have to deal with in both consumer and customer use cases.
ATO fraud, you know, they get the information from breached password databases that they find on the dark web. They might use that for credential stuffing, you know, where they take a username, password combo, and then blast that up against a whole lot of other sites to see if users have used the same password, which might allow them to get access to it. There's session hijacking. I just heard yesterday in another presentation that somewhere near 2 billion session tokens or cookies were hijacked last year.
And this is where, you know, the malicious actor will, you know, do a man-in-the-middle kind of attack maybe and grab valid session tokens and then try to replay those. You know, that's a really good argument for keeping your time to live on your session tokens pretty short. But really, all these things are used for value transfers. It's not just finance. It's not just banking, but loyalty programs, you know, travel and hospitality, insurance, all sorts of accounts are being taken over.
Account opening fraud, they will use things like your PII, which they might get from your school or your work or your health records. And these can be used for major financial fraud. Just think about if somebody has access to your personal information, social security number or something like that, they might be able to go out and get a line of credit or even a mortgage or something. And then they also use this for mule accounts, which is, you know, moving large amounts of money around from the dark world, trying to get that crypto into real currency that can be used.
The main mitigations that we always recommend here, you know, for ATO fraud is using multi-factor authentication or risk-based authentication. Now, it's true there are attacks that, you know, can render MFA ineffective, but still it's much better to use MFA and risk-based authentication than not. And to prevent account opening fraud, identity vetting, identity proofing, you know, making sure the user is who they say they are when they sign up for the account. That's why we see a real emphasis on identity verification in CIAM use cases these days.
So, yeah, there is a need for identity verification for a lot of reasons. It's to be able to comply with like anti-money laundering and know your customer initiatives as well as account opening fraud prevention.
You know, consumer identity and access management solutions often have some elements of fraud prevention built in, but, you know, you really need to be able to integrate them with full-fledged fraud reduction intelligence platforms. I mentioned the privacy regulatory compliance, the need for passwordless authentication.
You know, multi-factor is great, but there are lots of really good passwordless authentication mechanisms out there today. Integration for other kinds of applications, I'll get into that here in just a minute. IoT and other non-human identity types are really, really proliferating, and they need to be linked to consumer or customer accounts in order to be managed. And then B2B, that's a whole section I'll talk about in just a minute, but there are very, very complex use cases that have arisen around B2B.
So one of the first kinds of third-party solutions that we see CIAM solutions needing to integrate with are customer data platforms. They take data about your customers from lots of different sources, you know, from your CIAM, from your CRM, email, social media, and they try to pull all this together. Why? To be able to do that identity resolution, again, from different sources that they need to do data normalization, really.
And then segment that information by demographics, maybe preferences, you know, categories of user behavior, all for the purpose of doing personalization and making recommendations. Again, this is about increasing revenue. Manage that data, and then potentially integrate with consent and privacy management solutions, which is the next slide. But all this is about, you know, being able to engage with the customer or the consumer to activate them in a way where this can be done either over the web, mobile, maybe using these IoT devices, social media, and ad-libbed forms.
Consent and privacy management, I've been talking about consent quite a bit already, but, you know, most CIAM solutions have at least some basic capabilities around consent management. Maybe they're sort of tailored to GDPR or CCPA, but there are third-party platforms that really take this to the next level.
You know, they will add additional features like enabling privacy policy and terms of service management. You know, they will provide data subject access request portals. Some of the CIAM solutions that do, you know, basic consent collection don't offer DSAR portals, and that can be really helpful for complying with GDPR.
Of course, there's preference management. You know, how do you want to interact with a given site or a given brand? They can also help you with mapping the data flows and knowing where all the PII about your users are. And then cookie management, you know, we've all seen cookie pop-ups, and there are ways, some ways are better of doing it than others, and I think the best ways of managing it are generally facilitated through consent and privacy management solutions.
And then since they do help you understand, you know, the flows and the location of all your user data, it can certainly help with audits too. So, it's good when your CIAM solution either has a pre-built integration for a CPM solution or at least, you know, API, customer configurable customizability to CPMs. Chatbot and payment service integrations, there are just a couple of CIAM solutions that have either built-in chatbots or connectors for chatbots, and, you know, your mileage may vary on that.
You know, some customers find them helpful, many find them annoying. So, you know, really think about how you want to implement this and why you want to implement the chatbot, but if this is something you're interested in, there are a few that do this. Payment services, you know, directly integrating with payment services, I think, is very advantageous for those CIAM solutions that really are focused on consumers, particularly things like retail, e-commerce, or media subscriptions, and there are a few of the CIAM service providers that have these integrations directly today.
B2B CIAM, you know, this is so big now, this really deserves its own category. There's a need to do identity proofing.
I mean, kind of take for an example here, you're a large company, you're a prime contractor, and maybe you have 100 different companies in your supply chain, but you need to let them have access to some of your intellectual property. Maybe they're going to build widgets for you, but, you know, not each contractor needs the same access, but you also need to make sure that you know exactly who they are.
So, you may need things like the ability to do HR background checks, sanction screening, politically exposed person screening. You'll want to know from your down-level contractors if their IDs have been used fraudulently or if, you know, they've had multiple failed login attempts. You may need to do communications channels per contractor.
So, you know, again, 100 suppliers in your supply chain, you need to send messages to just, you know, particular suppliers. You probably have multiple applications that you're exposing to this broader community, but you need the terms of service per application or maybe per audience.
So, you know, right there is just a ton of complexity. You know, you might, you probably need hierarchical delegated administration because if you have 100 different contractors, it's probably better to let managers in those organizations decide which of their employees need access to what. Time-limited accounts, you know, that's also important.
You know, orphaned accounts can be difficult to clean up and they're also a big security risk. So, you know, having accounts that are limited to, you know, whatever the appropriate amount of time is, whether it's one, three, or six months, and then, you know, doing identity governance on that. And that would be where a self-service portal comes in.
You know, having the ability for, you know, a remote user or contractor being able to make requests and then go to, you know, the prime contractor's centralized administration and then settling that as needed. You'll need fine-grained authorization because, you know, a user in one group and one contractor may need access to, you know, the schematics for widget A but not widget B. Then you might need granular authentication policies that could be actually driven by regulatory compliance.
There can be things like export control regulations that say you need specific kinds of authentication before you can get access. And then to sum all that up, you probably need per-entity reports.
Again, if you've got, you know, dozens of contractors, you'll want to get reports that talk about the activity from each one of those so that you can see is it legitimate, are there security concerns, and then address those with the responsible parties in those organizations. You know, I mentioned IoT devices. I won't read through this list, but you can kind of see there are lots of different kinds of devices that need, that have a notion of device identity today.
I mean, whether that's certificate-based or whatnot. And these all need to be managed generally in accordance with a user or even groups of users. So you can see that there are, you know, lots of different kinds of devices, how they implement device identity can be radically different from one another. Fortunately, there is a starting point, you know, the OAuth2 device flow is a good way to kind of kick off, you know, integrating these kinds of identities.
But, you know, there's lots of tailoring that needs to be done. And, you know, there are many proprietary APIs that may be, you know, you might need to integrate with in order to manage all these different kinds of devices. But this is a huge up and coming area. And I think we're all going to hear a lot more about non-human identities and how to manage them with CIAM or in conjunction with CIAM going forward. Agentic AI, again, you know, for let's say B2B use cases, you know, here's a kind of a long list of different categories of applications or AI agents that we're starting to see.
And I think we're only going to see more of these too, you know, and, you know, I've checked out quite a few of these things where what's the difference between, you know, an app and an AI agent? Well, all these things are code running on devices. In many cases, they're running sort of on behalf of a real user. So these are some of the kinds of use cases that we see agentic AI for B2B today. And then we see some similar ones on the consumer side, but they're also different.
And, you know, again, you can automatically see here where the concerns for security come into play, because if you've got an AI agent operating on your behalf, you want it to, you know, operate within limits, especially if you're going to be using things like shopping apps or investment apps or travel booking, you know, you want to make sure that it's not doing anything that you yourself wouldn't want to do. But there's definitely many different use cases, and I think these will continue to proliferate over the next few months.
So agentic AI and identity, you know, these are, again, it's software that's going to be operating sort of on the behalf of users. So, yes, they'll be powered by LLMs and APIs. They need to operate like the user, but not as the user. So you don't want to necessarily give them your real human user credentials. They need to be aware of the context in which they're operating.
You know, this probably means having a different role, or even better, having different attributes that can be evaluated. Least privilege, just-in-time access, just-enough access, these are definitely principles that need to be taken into account when designing agentic AI identity schemes.
And, you know, they probably need strong authentication, but not MFA. You know, it's not really practical. You wouldn't want it to do that. This is really a perfect use case for ephemeral credentials. This will require a different kind of identity governance model. It's certainly not like, you know, the B2B case where you've got, you know, maybe hundreds of employees or contractors that occasionally, you know, a real manager somewhere has to go through and say, is this legitimate access or not?
This has to point to the right human user and educate that user, whether or not the permissions that the agent has really represents what the human wants it to do. So I think there's a lot of work that needs to go into identity governance for agentic AI. And in the interest of time here, I'll just, I kind of wanted to point out some of the different uses of other kinds of AI in CIAM. And just to make it kind of quick and easy, the things that are in black are mostly machine learning powered. Machine learning has been around for a long time.
It's really good at things like detecting anomalies and, you know, helping with risk-based authentication. You know, the places that we're seeing LLMs and generative AI is still quite few in CIAM, you know, natural language processing and the AI powered chat bots that I mentioned earlier.
So trends, you know, we've talked about MFA, but unfortunately, it's not as widely used as it should be. That means people are still using passwords, which are inconvenient and insecure.
You know, FIDO2 is out. It's been out for a long time. WebAuthn works. Passkeys are much nicer to work with, you know, speaking as a consumer. We do see more identity verification. We see the use of identity remote onboarding apps, the IoT device management, the NHIs, that's definitely up and coming.
And in general, you know, like I said, B2B CIAM use cases are on the rise, but I don't think most customer organizations are really getting the maximum utility out of the CIAM solutions that they have, which is unfortunate because that's going to lead to, you know, lost revenue, lost customers eventually. So last poll question, what's your biggest obstacle in deploying or upgrading CIAM? Is it budget, which is understandable, or do you find business versus IT alignment is not really there on what you want to do with CIAM?
Is it integrating with legacy applications, or do you find it difficult to manage or scale your existing solution, which might make you question upgrading to another? Or lastly, is it lack of customizability? So feel free to go ahead and answer that. And now I would like to turn it over to Rishi from Descope.
Thank you very much, John. So as John laid out in the agenda, I'm going to share some of our learnings from actual deployments. My name is Rishi. I'm co-founder of Descope. Descope has been around for a little over three years with hundreds of customer deployments.
We have seen some very, very fast growth in the CIAM space. First to start with, as we interact with our customers, one of the things that we notice is very similar to what John was pointing out. CIAM means different things to different organizations. One thing we see with B2C companies is that the biggest challenges they are looking at is user friction, bots, static user journeys. So how do you customize, how do you onboard customers fast without compromising security? So conversion is a big factor for the B2C companies, like can they log in more and more users with least friction?
When it comes to B2B companies, completely different challenges. The ATO or the MFA problem much bigger.
SSO, how do you establish single sign-on with your partner organizations and how easy is it to do that? FGA or granular access, like how can we provide the least privilege to the user to do their job, but at the same time to maintain high security? Another part that we are seeing is partners, vendors, anything non-customer. In those areas, there are a ton of challenges customers are facing. Identity silos, which means each application has its own logins and user database.
That creates a lot of problems because these multiple user pools means you cannot do analytics across, means you do not know a user behavior across apps. And this results in tons of IT overhead, password reset tickets, and many, many other problems in that space. And the last one, I think John called this AI agents or machine-to-machine, different names floating around. The bottom line here is a large part of authentication and authorization challenges are happening when one application is connecting to another application.
And the world is becoming only more complex in this particular space because there were system accounts, very simple connections, but now you need to do way more. And protocols like OAuth are evolving to address these pieces. So these are a few different set of challenges that we are hearing. When we look at CIAM or customer identity challenges, the challenges change as the company grows. We work with many startups and many large enterprises and the different set of challenges at different stages. Onboarding users launch when you're launching a new app.
And now that could be true for even an enterprise bringing a new application. We are working with a very large European company, bringing a new app into the market. And they want to say, how can we launch the app? How is it made easy?
SSO, enterprise readiness to be able to add MFA, bot protection, all of those capabilities as they start to sell up market. When companies are going into new markets, like they start in a particular country, expanding to other countries, the auth requirements for new markets are different. Some people may not use SMS, may use WhatsApp, may use other communication methods. How do you adapt your authentication to that?
And then as the company grows, fragmentation just becomes more and more common, more applications, more types of users, partners, suppliers, and the complexity just continues to grow. So I think the bottom line here is that we have seen organizations at different stages, and the complexity continues to grow as they progress. So putting together a cohesive customer identity strategy becomes critical. One of the other things that I see as we talk to customers is these two different axes, right? User experience and security. And how do we make sure we balance on these axes?
How do we make sure that we are able to do the right thing on these axes, choose the right auth methods? If you look at password-based methods, security questions, all of those bad user experience, bad security. On the other hand, Passkeys, amazing user experience, amazing security. Now this user experience may depend on the device, may depend on the geo, may depend on a few things. But in general, when they work, they work beautifully. A lot of independent data here from different organizations. And these are other authentication methods somewhere in the spectrum.
For example, OTP is still phishable, MagicLink is way more phishing resistant, so better on security, similar experience. So something to consider as you're designing your user journeys on how to design this right. So here are some actual tips from our deployments that we have done that I want to go through in the next 10 to 15 minutes. One big thing is adopting Passkeys.
Now, if your organization is thinking about Passkeys, now's the time. I think we are seeing some large organization deploying Passkeys.
Of course, one of the biggest things is they are unphishable. They're tied to a user's device and work only on the site they're created on. So on both sides, the Passkey is presented from the device to the site it was created on, and this is a very tight binding. So if somebody is trying to phish by starting a new site or somebody is trying to log into the legitimate site from another device, they cannot even call you to ask for anything.
It's literally, I mean, another way to think about it, this is a device authentication, but the device locks with your identity, unlocks with your identity, and it's very, very secure. Very frictionless. This is like you've seen pop up your phone, whether it's Android, iOS, launching is seamless, works beautifully. The user has the best experience, either fingerprint or face ID or Apple Watch or your Android devices. And this is an interesting piece. We heard some of the organizations worried that, hey, I don't want to collect users' biometric data or the user doesn't want.
The reality is the biometric data never leaves the device. The FIDO protocol, which implements Passkeys, is a key exchange protocol. Very secure, privacy sensitive, and frictionless. So here are some metrics on how the Passkeys adoption got. This was a Google blog that they have published some good learnings, and we have seen some amazing adoption in our customer base. This is Passkey as a success rate. When a user wants to log in, 14% success rate, the first time authentication. 4X here with Passkeys. On the other hand, Passkeys are twice as fast, right?
The experience to fill the password, enter the password, even if it is correct, way, way faster to enter it. Here is some data from one of our customer deployments branch and insurance company. Their problem was they have insurance agents which may not be very tech native. They may not have the latest devices. And they were seeing a ton of password reset tickets. So they deployed Passkeys, very, very solid adoption without even enforcing. Login failure rates held steady.
No, nothing getting worse. But what is very powerful is 50% reduction in support tickets. Immediately they saw that 50% of the support tickets related to authentication dropped. And this is only when that 25% of the users adopted it. So the impact of that 25% adoption, this is like early stages of adoption. They have not started to push it. More doing testing was huge on actual ROI. If you're thinking of a Passkey project, one important thing is have very clear defined goals, right? What are you shooting for?
Is this reduction of support ticket, as I mentioned, is this better user experience, better security, and start to measure that. Always start in a pilot setting, right?
I mean, I always say with any new technologies, you need to make sure that you're deploying it right, you have the right controls, the right user set. So run it as an A-B test almost, as an experiment, start a pilot, measure results, and then iterate from there. And even though I feel Passkeys is a very strong method, always have a fallback MFA. What if the user changed their device, bought a new phone? How do you set up? So have a fallback, have a pop. And that is a very, very critical thing to keep in mind. Another thing, I mean, I consider social logins as a passwordless method as well.
This has been an amazing, amazing growth in our customer base. We are starting to see majority of our customers, both B2C and B2B, even in the B2B world, log in with Google and log in with Microsoft, very prominent, because most of the organizations are using one of those two. And you can tie it to the organization email and domain, you don't need to have it generally open. But these methods are becoming very popular. Couple of interesting things, we have seen in our customer base, social login growth, when they deployed social login on top of username and password.
So there's an actual customer case study where that username and password deployed social logins, social login adoption grew within two weeks, 190%. What is more interesting is the password users dropped. So users who were using passwords, they moved over to social login, the experience got better.
Now, in this scenario, also, the password reset problems went away. Also, the experience improved.
Amazing, amazing data to see this is almost like half of the more than half of the users moved over to the social login. So some very strong growth in terms of social login experiences, and drives amazing experience drives better security. Another recommendation for any of the ecommerce or online websites consumer focused is continue with one tap. So you must have seen these experiences, which is one tap login experiences. This is a different form of social, it is social, but it's like proactively detecting your login experience.
If you are a Google customer, it prompts you: very high conversion rate, very secure login experience, privacy first, does not use any cookie or other technologies to make this work. So this was another method that we saw very, very high adoption of in our customer base. Some data about One Tap: we have seen with One Tap at Pinterest a 47% increase in overall signups, a 127% increase in Android signups. The experience on Android devices is amazing with One Tap. Some other data points: 90% increase in new desktop signups, 100% increase in mobile web signups.
So this One Tap experience, or social login experiences, actually works on mobile and the desktop web, both very well. And The News Minute had signups per day increase by 9x. So both One Tap and social logins, along with passkeys, are becoming a very strong driver from a conversion and security perspective. Let's talk a little bit about the B2B MFA scenario. I think one of the big things that we looked at was that experience and security matrix. I mentioned that every SMS or MFA method, every auth method, needs to be evaluated.
This was an actual attack that we saw with one of our prospects, where a spoof site was brought up. The threat actor was there, and they would prompt the user to log in. The user would log in, they would steal the credential and enter the credential on the real site. The OTP was set up, they had an MFA in place, the OTP was sent to the user, the user enters the OTP on the spoof site, and then the threat actor got login access to the real site. How do you get away with this?
Every form of OTP, whether it's TOTP, authenticator based, whether it's SMS OTP, whether it's email OTP, all of those could be spoofed using phishing. Now the only way is to control either these phishing sites, or use an MFA which is phishing resistant, such as MagicLink, such as passkeys as we talked about. So that's one important threat vector to think about from an MFA perspective. Another thing when you do MFA: one of the biggest complaints is, we don't want to degrade the user experience.
So this is what many sites do, which is every time, second time, third time, 10th time, 100th time you go to the website, they ask for the MFA. Not a good experience. Here is a better experience. The user comes in from the same device, using device identification technologies, IP address, geolocation, many different factors available. Don't do the MFA. But if it's a new device, if the IP address changes, if the geolocation changes, then throw an MFA. If the user traveled a large amount of distance in a short time, impossible traveler, other risk metrics, then do the MFA.
So implement adaptive MFA to balance security and friction. In this case, by the way, you're not compromising security if implemented right, if the right metrics are used. Quick things on the MFA project. Use the customer's device or the originating app to make an MFA decision. So get signals from the device. Use risk levels using security technologies that you may have internally, already purchased. Think of and see whether they can integrate with your technologies or not. And avoid phishable SMS OTP-like methods that can be bypassed very, very easily and can be spoofed.
Quickly about Descope. I think those were some of the tips. Last few slides. Descope is a drag-and-drop CIAM. One of the biggest things that we believe we have done very well is reduce the time to value for our customers. You can design your entire journey, including user-facing screens, authentication flows, MFA and step-up controls, role-based access control, relationship-based access control, all kinds of access control, design A/B testing journeys, and connect third-party products, as I mentioned, right within Descope.
The way to think about it is we are saying CIAM needs to think about the entire user journey. B2B, B2C, agent, machine-to-machine, these are all user journeys. They can be modeled. And this saves an immense amount of time. You don't need to integrate at a code level. You are able to integrate at the journey level and deploy the similar application. We have seen easily 70% to 80% reduction in the implementation time compared to our competitors. We deployed some very large customers in four to four and a half months, 190 million users, compared to our competitors, which would take 14 to 16 months.
So some fast time to value. That's all I had. I wanted to save some time for questions at the end. So we'll open up the floor for questions. John.
Yeah, feel free to go ahead and enter a question if you have it. Let's take a look at our poll results first. So the first question, which are the main motivations for implementing or upgrading CIAM? If you look at the polls tab, you can see 59% say improving the consumer or customer experience. And then 32% say improving security. So those two are by far the most popular reasons. Is this congruent with your experience?
Yeah, no, I think that's very similar to what we are seeing, John. I think those two drive majority of the decisions.
Of course, it depends on the industry and the vertical, how they're prioritized among them. But absolutely, I think that is exactly what we are seeing as the two big drivers for sure. And the next one is, what's the biggest obstacle you face? A little bit more of a split here. Legacy app integration was the highest vote getter, 39%. And then scalability or deployment concerns at 22%. Budget is only 17%. I kind of would have expected maybe that might have been a real driver, but how does this look in your opinion? That's actually a little bit slightly surprising to me as well.
But I think I'm mostly in line. I think one of the interesting things I have seen in the recent times is especially the scalability reason and complexity reasons. I'm meeting more and more large organizations where this, I mean, in some senses, every large organization is a snowflake. They believe, hey, we have a different scaling challenge. Some actually say we have high transaction. Some actually say we have high users, low transaction. Seasonality, complexity, integration with my internal environments. So I am seeing more and more conversation about complexity and scaling challenges.
But at the same time, I believe the recommendation I have for those organizations is go with an open mind, build versus buy. I mean, complexity is one of those areas where you know how to deal with your environment. The right CIAM tools will be very, very developer friendly. They will embed in your environment. They will work with your APIs and your environments to do that. But I'm seeing that.
I mean, budget actually is not a problem, John. I'm actually seeing the majority of the people realize the importance of CIAM and typically are able to justify it as an ROI for sure. Good.
You know, the last two there, business versus IT alignment, it's good that that's not a huge concern for the majority. That means business and IT are on the same page about why you need CIAM.
And then, you know, the lack of customizability, that doesn't surprise me because, you know, you probably know more about it than I've seen. But many CIAM solutions today are very, very flexible, especially with API exposure and even helping customers integrate apps, including legacy apps, you know, and having all sorts of different, you know, token exchange kinds of services available. So I think that really speaks to the maturity of the CIAM products that are out there. Yeah. I think one of the things that has happened, John, is CIAM is a very old industry.
And again, we are a new entrant. But what I'm seeing is a lot of the tools built seven, 10 years ago did not think about scalability and customizability at all. They were going and saying, we are a username and password solution. And that's it. As your first slide showed, the world is very complex. Machine to machine, AI agents, user identity, B2C, B2B, federation. So now there is a realization that you need to really address all of these different use cases to be a viable solution. Okay. Let's take a look at our questions. We've got several already.
So first one here, syncable passkeys aren't device bound. How can you do transaction signing when you can't prove where the private key is held or who controls it? Go ahead.
Yeah, that's a good one. Thanks, Rob, for that question. I think the way I think about this is, yes, syncable passkeys aren't device bound. So if I look at the B2C world, not being device bound does not mean they're insecure, right?
I mean, this is, you're saying my Google or my Apple or my Microsoft passwords or my account is compromised. And that compromise means the user's identity is compromised beyond everything else. And there's nothing more secure at that point in time, because if your Apple or Microsoft account is compromised, which is how somebody else will get your passkeys, that means your email is not secure. Your phone number is not secure because that probably is tied to your identity.
So while it's a good point, debated heavily, that syncable passkeys are less secure, I am on the side where, yes, they are on more than one device, but all those devices are still owned by the user. So they are a fair representation of the user's ownership of the device. I see another question from Rob. Contact centers are under attack by deepfake-committed ATO. Will it get worse? Yes. This I think is a full webinar itself. The deepfakes, the contact center attacks, huge.
I don't know, John, what your thoughts are, but I feel this is another area where you need to do more unphishable MFA even when somebody calls in and does some actions there. Big area to go focus on and think about.
Yeah, you know, maybe I should have mentioned that in the part about AI usage and CIAM. Yeah, AI is being used to create deepfakes, and I think it's true. They are increasingly under attack because of this. Could IDV be applied to prevent ATO fraud?
Yeah, I think it would help, but, you know, you've also got to figure out what's the line on which you want to balance with, you know, forcing a, let's just say consumer, not necessarily a B2B customer, but how much work do you want a consumer to do to be able to buy a product? You know, the friction that we always talk about. I think that people are more accepting of some degree of identity verification in the sign-up process now than they were, say, three to five years ago. And I think people actually can understand the benefit to themselves for, let's call it, some light IDV.
And yeah, I mean, we have seen a trend over the last few years of not just banks, not just, you know, other financial institutions or insurance companies requiring some degree of identity verification, but other kinds of industries are too. You know, another one that we commonly talk about is travel and hospitality or short-term rentals.
You know, they will require, you know, some degree of identity verification, you know, probably showing a driver's license or a passport or something and doing the picture on the document, the selfie match, plus getting other, you know, more concrete information about the user to, you know, help prevent account opening fraud at the beginning, and that also can help prevent account takeover later.
You know, there are some CIAM solutions that will help you set up, you know, periodic, you know, KYC checks, and you can sort of get this information refreshed, say, every six months or a year, depending on what your business needs are. So yeah, I think some level of identity verification is what we're increasingly seeing in industries outside of just finance. Cool. There's another good question here. Should I use my existing workforce IAM tool for CIAM use cases? Any reasons not to do so?
Yeah, I guess my default answer there is, yeah, please don't just try to use workforce IAM for CIAM use cases, because really, they've grown so different that, you know, the base feature sets, in many cases, aren't really applicable. I mean, you don't get the privacy and consent management, you know, it's workforce IAM, it's stored in LDAP, you know, you're going to be constrained about the data types that you can put in there. You're constrained about the kinds of tools that you can use to mine that data and try to get something useful out of it.
Yeah, it's really not designed for, let's say, privacy audits. There's a lot of reasons why I think going for a pure CIAM solution is much better than trying to rely on an older workforce IAM solution. Your thoughts?
Yeah, no, I think, John, it's kind of self-serving to say that you should use CIAM for a CIAM solution from our perspective. But I go back to one of your poll questions to answer this: complexity. Think about a workforce solution. In a workforce solution, you own the user's identity, you enforce on the user what they do. Even if the friction is high, the user cannot go anywhere, they are your employee. Just the parameters are different.
Of course, features are different, but how you think about these user models is different from my perspective. If I am an owner of a product, I need to put my requirements before the product, and the requirements are just very different for these worlds.
So, absolutely, I think if I go back in time 10 plus years ago, there were very simple requirements in CIAM and you could use the same tool. It's become very different now. Looks like Rob has an add-on here: account recovery and ATO prevention are two sides of the same coin. It's an IDV problem.
Yeah, IDV is very useful for account recovery too. Yeah, I think Rob, absolutely correct, which is both ATO recovery problems, IDV is very, very critical.
Though, one of the things to think about as you solve this is what is really the identity? I was talking to somebody and people were saying, hey, as we go into the new world, Rishi being Rishi and Rishi calling in is going to become harder and harder.
So, I think the question is, what form factor of IDV will work? Will the current methods of showing your license still work in the deepfake world? Are we going to fight deepfakes with AI, or are there going to be other solutions? But irrespective, I absolutely agree with you, which is account recovery is an IDV problem and you need to figure out multiple different ways, multiple different signals to solve that. We have another one here about passkeys. How do I overcome user privacy concerns on the deployment of passkeys?
So, this one, I think, hopefully, this is the work that Microsoft, Apple, Google continues to do with FIDO. This is a very good one, which is people believe that passkeys mean Microsoft, Apple, Google, and FIDO.
So, I think this is a very good one, which is people believe that passkeys mean my biometric goes to the website. If I sign in my biometric, it goes to the website.
Not true, not the case. So, now, if that is the biggest misconception, then how do you overcome it?
One, by education. But I actually see this is already going away slowly over time, because wherever you look around, the passkey adoption is very huge. Face ID and Touch ID is being accepted.
Android, most, not most, actually, all Android devices shipped over the last four years have had some form of biometric authentication. So, I think this is probably another year's challenge from a concern or perspective going away. I think we just need to, as a community here on the security side and implementers of these solutions, need to spread the awareness and education.
Okay, got one question. Another one just came in. Can we use CIAM for machine-to-machine identity management? And somebody's already provided an answer.
Yes, absolutely. Most CIAM tools should provide that.
You know, I'll say maybe they should, but I don't think this is very well developed yet, at least not in the research that I've done. I think there's a long way to go for true non-human identity management within a consumer or B2B customer kind of context. What do you see?
Yeah, I think it's very, it just goes back, right? You had an amazing slide, what is CIAM, right?
Customers, external partners, machines. That's the world we live in.
So, there's more and more of this. Okay, let's see. There's another comment up here.
Well, I agree that workforce IAM should not be used for most CIAM use cases. When an enterprise opens legacy apps up to external partners and B2B use cases, there's a blurring between the two. Federation between businesses blurs this too.
Yeah, that's very true. I mean, we've been talking about, I don't even like to use the word anymore, de-perimeterization, but that's kind of what has been driving this. You're absolutely right. We see lots of applications that formerly were internal only have been opened up for contractors, partners, and it gets very complicated very quickly. Federation is not exactly new technology. I think it's been around 23 years or so, and it certainly can help.
It opens up its own risks, and that's why I think the notion of identity governance in these federated business relationships becomes more and more important. Let's see. I think that's all the questions we've got.
So, everyone, well, thanks for an engaging webinar and a good topic. Thanks for your contribution, Rishi. Absolutely.
Thank you, John. Thanks, everyone, for joining. Let us know if we can help in any way, but I will close with a big thanks to the KuppingerCole team and John for putting together the material and sharing it with the audience. Thank you.
Thanks, everyone. If you have any questions later on, feel free to reach out, and we'll see you at the next webinar. Have a good rest of your day.