CIAM. Challenges and Risks

Customer Identity Management is increasingly gaining more relevance. The complexity of identification and authentication protocols is rising due to different factors, with the most relevant being:

• Some standards are very new or still in a draft version. For instance, the OpenID logout protocol specification was approved only 16 months ago.
• Legacy protocols are hard to implement. In fact, the NSA has encouraged all organizations not to attempt to implement SAML by themselves, as a poor implementation can lead to multiple security vulnerabilities.
• Security vulnerabilities have a dramatic impact on organizations. In our case, a security bug in a CIAM authentication module can lead to high levels of fraud, putting the whole organization at risk.

On the other hand, despite having a secure environment being a must, it can be a barrier to enrolling new customers. The process to identify and harden user identification should be progressive: let the user access anonymously, identify them only when it is really needed. Later, suggest to the end user to enroll in a hard authentication token. The customer must have an easy-to-go path, but at the same time, they must feel comfortable and secure.

However, keep in mind that once the hard authentication token is granted, always asking for it can be annoying, and we don’t want to bother our customers. The solution is to have a smart engine able to assign a risk level to each transaction and ask for the second authentication factor when the risk level is above one threshold. For instance, if the user is connecting from the same origin country, using the same device, we probably will not ask for the second authentication factor, but if they are connecting from a new device from a foreign country, the second authentication factor is really needed.

For any SaaS provider, focusing on these aspects can be cumbersome and prone to errors. That’s the reason why CIAM platforms like Soffid IDaaS are gaining a lot of interest. Using these tools, organizations can focus on the relevant aspects:

• Defining the customer journey
• Defining the authentication levels required at each step
• Configuring the CIAM tool to manage all authentication problems
• Customizing the CIAM tool to look and feel like the organization’s customer platform.

In turn, the CIAM tool takes responsibility for some critical aspects:

• Registering end users
• Allowing the user to reset their passwords
• Enrolling a second authentication factor
• Asking for a second authentication factor when needed.

In conclusion, CIAM is a specialized version of traditional access management platforms, but its challenges and risks are unique. A CIAM project cannot be addressed as a traditional access management project. Additionally, based on our experience at Soffid, the team profile is also different. In access management projects, the main actor is the IT managers’ team, but in CIAM projects, we need to engage the IT team, business team, and also development teams.