By Malithi Edirisinghe, Director, Architect – IAM at WSO2
In today’s interconnected digital landscape, effective management of customer identities is not just a technical requirement but a strategic asset. Customer identity and access management (CIAM) systems are at the heart of this, ensuring secure and seamless user experiences across numerous digital interfaces. Whether for individual consumers or business clients, CIAM facilitates personalised interactions while safeguarding sensitive data, complying with global regulations, and improving business enablement and operational efficiency.
For those less familiar, CIAM is a specialised application of identity management focused on managing and securing customer identities. At its core, CIAM is designed to facilitate seamless, secure customer interactions across various digital platforms (web apps, mobile apps, kiosks, etc.) while enhancing user experience and maintaining compliance with privacy regulations. Think of CIAM as the gatekeeper and guide within a digital amusement park. It not only ensures that customers can enter through the gates by authenticating through methods such as username/password and two-factor authentication, but it also directs them to the appropriate rides (services) based on their access privileges and preferences. This ensures a smooth and enjoyable visit that’s both secure and personalised.
A robust CIAM strategy is built upon five key pillars, each representing a critical competency for effective customer identity and access management. Let’s examine each of these pillars more closely:
User Onboarding and Registration
The first step in a CIAM process is user registration, which converts anonymous, casual website visitors into known, active, registered users. In consumer-facing applications, user onboarding can be streamlined with Bring Your Own Identity (BYOID) using social identifiers or email, mobile, and username identifiers for basic identity verification. This approach is particularly common in scenarios like online shopping carts, food delivery services, streaming services, and e-commerce platforms. However, for more sensitive applications such as banking, financial services, airline systems, and government services, the verification process can include validating legal documents like passports, national IDs, and driving licences. These processes may even incorporate Know Your Customer (KYC) protocols and integrate with device fingerprint services and biometric verification to prevent fraud.
For B2B companies, registration often involves the onboarding of entire organisations. This can be initiated through a sales-led approach, where an account manager facilitates interactions and negotiations, eventually triggering the provisioning of the organisation once the service agreement is finalised. This often includes invitation-based registration flows. The registration process must be user-friendly and straightforward while also ensuring security. When collecting valuable customer identity data, the onboarding process must be designed to avoid identity fraud, such as registration with synthetic or stolen identities. These factors must be carefully balanced, ensuring that the registration process aligns with security requirements and user experience expectations.
Authentication
Authentication is the second pillar of CIAM, ensuring that users possess the required credentials to access customer-facing applications. Strong authentication prevents account takeovers, password snooping, and credential stuffing, keeping unauthorised users out through robust authentication policies. In consumer-facing applications, offering single sign-on (SSO) and passwordless login options, such as email links and mobile OTPs, enhances the authentication experience.
Adaptive authentication, which steps up security based on situational risk factors such as attempting access from a new device, logging in from an unusual geographical location, or after a prolonged period of inactivity, balances user experience with security needs. For high-value services like financial applications or government services, additional layers like biometric verification and liveness checks provide higher levels of assurance and meet regulatory demands for more stringent measures.
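The adaptive policy described above, as an added worked example (not code from the article or from WSO2's products): each login attempt is compared against what the CIAM system already knows about the user, the three situational risk factors named in the text are collected as signals, and the signals decide which factors the user must complete. The 90-day inactivity threshold, the user profiles, the factor names and the escalation rules are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: more than 90 days since the last successful login counts as
# "prolonged inactivity". Real deployments tune this per service.
INACTIVITY_THRESHOLD = timedelta(days=90)


@dataclass
class UserProfile:
    """What the CIAM system already knows about a returning user (constructed)."""
    user_id: str
    known_devices: set
    usual_countries: set
    last_login: Optional[datetime]


@dataclass
class LoginAttempt:
    """Situational signals observed on the current login request (constructed)."""
    user_id: str
    device_id: str
    country: str
    at: datetime


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Return the situational risk factors from the article that apply to this attempt."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_location")
    if profile.last_login is None or attempt.at - profile.last_login > INACTIVITY_THRESHOLD:
        signals.append("prolonged_inactivity")
    return signals


def decide_authentication(profile: UserProfile, attempt: LoginAttempt,
                          high_value_service: bool = False) -> dict:
    """Map risk signals to the factors the user must complete.

    No signals: the baseline factor suffices. Any signal: step up to a second
    factor (a mobile OTP here). For a high-value service, any risk signal also
    requires biometric verification with a liveness check. This mapping is an
    illustrative policy, not a standard.
    """
    signals = risk_signals(profile, attempt)
    factors = ["password"]
    if signals:
        factors.append("mobile_otp")
        if high_value_service:
            factors.append("biometric_liveness")
    return {"signals": signals, "required_factors": factors}


# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
ALICE = UserProfile("alice", {"phone-a1"}, {"GB"}, NOW - timedelta(days=10))
DORMANT_DAN = UserProfile("dan", {"laptop-d1"}, {"GB"}, NOW - timedelta(days=200))


def run_scenarios() -> dict:
    """Evaluate three constructed login attempts and return the decisions."""
    return {
        "alice_usual": decide_authentication(
            ALICE, LoginAttempt("alice", "phone-a1", "GB", NOW)),
        "alice_new_device": decide_authentication(
            ALICE, LoginAttempt("alice", "tablet-x9", "GB", NOW)),
        "dan_bank_abroad": decide_authentication(
            DORMANT_DAN, LoginAttempt("dan", "kiosk-77", "BR", NOW),
            high_value_service=True),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: signals={decision['signals']} "
              f"factors={decision['required_factors']}")
```

The point of keeping `risk_signals` separate from `decide_authentication` is that the signals are worth logging on their own: a sudden rise in `new_device` or `unusual_location` across many accounts is a detection signal for the security operations team even when every individual login passes the step-up.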
Authorisation and Access Management
Authorisation and access management define the available rights and entitlements for any authenticated user, application, or device. Traditionally, authorisation has relied on role-based access control (RBAC). To address more fine-grained authorisation requirements, attribute-based access control (ABAC) models were developed. With modern requirements demanding even more fine-grained approaches, relationship-based access control (ReBAC) emerged, evaluating access based on the relationships between entities, with Google Docs being a prime example.
Regardless of the underlying model, authorisation in CIAM involves evaluating access rights and granting appropriate permissions to users, applications, and devices. In consumer-facing applications, access rights often vary based on the user’s loyalty level. In B2B SaaS applications, they depend on roles and service subscription tiers. Additionally, access may be dynamically adjusted based on the user’s assurance level when accessing data or performing actions. For instance, an online banking application might prompt for 2FA again during a transaction to ensure security.
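To make the three models and the assurance-level check concrete, here is an added example (not the article's or WSO2's code) that evaluates one request against an RBAC table, an ABAC attribute (subscription tier), and ReBAC relationship tuples in the Google Docs style, and then applies the article's re-prompt-for-2FA rule to high-value actions. All roles, tiers, relations, action names and the assurance levels are constructed sample data; combining the three models with OR is an illustrative choice rather than a prescribed design.

```python
from dataclasses import dataclass

# Constructed sample policy data for the three models the article names.
# RBAC: what each role may do.
ROLE_PERMISSIONS = {
    "customer": {"account:view", "payment:transfer"},
    "support_agent": {"account:view"},
}
# ABAC: a single attribute, the subscription tier, decides feature access.
TIER_FEATURES = {
    "free": {"report:view"},
    "pro": {"report:view", "report:export"},
}
# ReBAC: relationship tuples (object, relation, subject) and what each
# relation entitles the subject to do on that object.
RELATIONS = {
    ("doc:42", "owner", "alice"),
    ("doc:42", "viewer", "bob"),
}
RELATION_GRANTS = {
    "owner": {"doc:read", "doc:write", "doc:share"},
    "viewer": {"doc:read"},
}
# Assurance level an action demands; unlisted actions need level 1.
# Level 1 = single factor; level 2 = a second factor completed in this session.
ACTION_ASSURANCE = {"payment:transfer": 2}


@dataclass
class Subject:
    """The authenticated caller (constructed)."""
    user_id: str
    roles: set
    tier: str
    assurance_level: int


def rbac_allows(subject: Subject, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def abac_allows(subject: Subject, action: str) -> bool:
    return action in TIER_FEATURES.get(subject.tier, set())


def rebac_allows(subject: Subject, action: str, obj: str) -> bool:
    return any(
        action in RELATION_GRANTS.get(relation, set())
        for (o, relation, s) in RELATIONS
        if o == obj and s == subject.user_id
    )


def authorize(subject: Subject, action: str, obj: str = None) -> str:
    """Return "allow", "deny" or "step_up_required".

    Permission is checked first, so a subject who could never perform the
    action is denied without being asked for extra factors. Only a permitted
    subject whose session assurance is below what the action demands is told
    to step up, which is the article's mid-transaction 2FA re-prompt.
    """
    permitted = (
        rbac_allows(subject, action)
        or abac_allows(subject, action)
        or (obj is not None and rebac_allows(subject, action, obj))
    )
    if not permitted:
        return "deny"
    if subject.assurance_level < ACTION_ASSURANCE.get(action, 1):
        return "step_up_required"
    return "allow"


if __name__ == "__main__":
    alice = Subject("alice", {"customer"}, "pro", 1)
    bob = Subject("bob", {"support_agent"}, "free", 1)
    for subj, action, obj in [
        (alice, "account:view", None), (alice, "payment:transfer", None),
        (alice, "report:export", None), (bob, "report:export", None),
        (bob, "doc:read", "doc:42"), (bob, "doc:write", "doc:42"),
    ]:
        print(subj.user_id, action, obj or "", "->", authorize(subj, action, obj))
```

Checking entitlement before assurance matters in practice: answering `step_up_required` to a caller who holds no permission at all would leak which actions exist for other users and would send people through an MFA prompt that cannot succeed.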
Self-Service
Self-service capabilities are crucial for enhancing user experience and reducing operational costs. How quickly users can recover lost or forgotten credentials depends largely on how easily they can reach self-service options. These options let users complete actions faster, including outside regular business hours. Operationally, they automate common customer service and support tasks, saving businesses substantial contact centre and chat-based labour costs. Essential self-service features include simple password resets, recovery of forgotten user IDs, and the ability to manage MFA options such as authenticator apps, passkeys, and security keys.
Additionally, users need to have access to their activity logs, which show when and from which devices they accessed their accounts. This transparency allows users to audit their activity and take necessary actions based on this information. Compliance with privacy regulations, such as GDPR, requires facilitating self-service features that allow users to view accepted terms and conditions, download their data, and opt out of services.
Integration with Systems of Record and Business Insight Tools
This competency involves embedding identity into the organisation’s business processes and tools, facilitating seamless interactions across various applications and workflows. Businesses often evolve to have multiple siloed identity repositories serving different lines of business (LOBs) and their respective applications. To achieve a centralised CIAM system, unifying identity management across all business properties, including various external-facing websites, is essential. This unification may require migrating siloed user data repositories or their bidirectional integration to synchronise user profiles.
Similarly, integrating CIAM with other customer data repositories, such as Customer Relationship Management (CRM) systems, is vital to achieving a more unified customer experience by improving data consistency and enhancing customer insights and operational efficiency. Integrating CIAM with business insight tools, such as cyber/web fraud management systems that incorporate risk-based authentication and behavioural biometrics, and with transaction monitoring systems, helps identify and mitigate fraud effectively.
Striking the right balance across these five pillars is crucial. Together, they enable frictionless, personalised customer experiences, ensure robust security and compliance, and enhance operational efficiency. This means organisations can drive higher adoption rates and foster business growth, ensuring they remain competitive in today’s dynamic digital landscape.