Customer Identity and Access Management (CIAM) is a core component of creating your digital user experience. If you are unfamiliar with Customer Identity and Access Management, it is the process by which companies grant access to their digital assets (like websites, mobile apps, and even chatbots) to their customers, as well as controlling what those customers can access. The idea is to ensure the right person or process has access to the right applications and information at the right time while being risk and context aware.

What if it were social media using you?, by Simone Lovati

In a previous role, I was responsible for a complete CIAM modernization at a large bank. More recently, I modernized an entire IAM system for the premier identity company. In both cases, my guiding principle was making the user experience easier while generating more data to create usable telemetry for risk engines and blue teamers (your internal cybersecurity defenders). Over the last seven years, I’ve learned a few things about how customer identity should be done.

In 2024, here are ten things that companies get wrong about customer identity and access management (workforce is a whole other basket of grasshoppers):

  1. Relying on username/password for security. It’s 2024. Using usernames and passwords as your sole method to identify something coming in from the Internet is irresponsible and risky. It’s especially terrible if you are forcing a password policy with complexity requirements for your customers. It’s been seven years since Bill Burr (not the angry comic) apologized for creating password complexity rules. You will be spending too many resources fighting bots and credential stuffing attacks.
  2. Using Email or SMS-based One Time Passwords (OTP). I had someone tell me once that “Well SMS or Email OTP is better than nothing.” No. No it is not, Billy. If you think that Sally Smith’s password hygiene is bad enough that you want to add in an OTP, do you think their email or phone security is somehow better? It’s not, and we saw lots of Account TakeOver (ATO) events happen specifically due to Email- or SMS-based OTP (some with multi-million dollar losses). SMS-based OTP is also punitive to people who are unable to receive one (for example, if they are traveling internationally or on an airplane). Don’t waste money investing here.
  3. One Channel thinking. Chances are you will have multiple ways customers might interact with you (Multi/Omni-Channel). Your CIAM experience should be seamless across all methods of customer interaction. As a bonus, high adoption of your mobile app enables push notification for MFA—an excellent way to step your authentication game up.
  4. Ignoring risk signals. Not all login attempts are equal, just like not all account actions are equal. Financial Services firms’ capabilities outpace nearly all other industries because they need to evaluate the risk related to the movement of money at scale. Your user experience will be better if you use a risk-based engine to streamline authentication. Remove friction on harmless actions if they fit within your risk profile. There is a certain hotel brand that is driving me absolutely bananas right now because every time I log in I am required to enter an Email or SMS OTP. Not only are those terrible authenticators, but the company is not consuming any risk signals on this activity. If I’m using the same browser, logging in from the same IP, and using the same machine, a basic login should happen without a step up. I can’t imagine how much this company is wasting on unnecessary SMS delivery right now.
  5. Ignoring context. This is where authorization comes in; it is distinct from authentication, but it is still part of the CIAM user experience. Viewing information is low risk and should not have the same level of attention or protection as moving money or redeeming stored account value.
  6. Not using Passkeys. Passkeys are a fantastic option for MFA step up that fix the biggest weakness of Time-Based OTP (TOTP, a.k.a. Google Authenticator), which is that a TOTP code can be phished, and they also give you a pathway to a passwordless experience.
  7. Not having a passwordless path and strategy. Passkeys can be used for MFA, or they can be used for a 100% passwordless experience. No username, no password, just presenting the passkey (which counts as strong authentication on its own). A passkey is far superior to a username and password combination because it is a stronger, phishing-resistant factor (unlike a password).
  8. Not providing risk-appropriate options for MFA. Not all people are mega authentication nerds like me and carry hardware keys around with them, and not all websites or actions should require that kind of MFA. But adding options for customers to use factors you have already performed risk evaluations on and deem acceptable is a must. At the Bank, my vision was to roll out “Bring Your Own Authenticator.”
  9. Trying to roll your own authentication engine. Are there open source options to avoid paying third parties for CIAM services? Yes. Should you use them? Absolutely not. Unless you are a company providing CIAM services, you don’t make money by writing and maintaining CIAM solutions. Direct your precious development resources toward revenue-generating code.
  10. Ignoring high-assurance account recovery. Your accounts are only as secure as their recovery methods. Using ID Verification technology is an option to consider for high-assurance account recovery that scales and can be done in real time with minimal human intervention (combined with other items to resist ATO).
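Points 4 and 5 describe one decision: score the session signals (same device, same IP, same browser, recent failures), then compare the score against a bar that depends on how sensitive the requested action is. The following is an added example of that logic and is not code from the original post; the action names, signal weights, thresholds, and the `SessionContext`/`UserHistory` shapes are all constructed assumptions. It also shows the telemetry record such an engine should emit for the risk team and blue teamers, and it never falls back to an SMS or email OTP for the step-up.

```python
"""Risk-based step-up decisions for a CIAM flow (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    LOW = "low"        # read-only: balances, statements
    MEDIUM = "medium"  # contact details, preferences
    HIGH = "high"      # moving money, redeeming stored value


class Decision(Enum):
    ALLOW = "allow"                      # no step-up, no friction
    STEP_UP_PASSKEY = "step_up_passkey"  # ask for a passkey, not an SMS/email OTP
    DENY = "deny"                        # block; route to high-assurance recovery


# Constructed action names and sensitivities (assumed, not from the post).
ACTION_SENSITIVITY = {
    "view_balance": Sensitivity.LOW,
    "update_email": Sensitivity.MEDIUM,
    "transfer_funds": Sensitivity.HIGH,
}
# Constructed signal weights; a real engine tunes these from its own telemetry.
WEIGHTS = {"new_device": 40, "new_ip": 15, "new_country": 30, "failed_login": 10}
MAX_FAILED_COUNTED = 5
# Score at or above which a step-up is required, per action sensitivity.
STEP_UP_THRESHOLD = {Sensitivity.LOW: 50, Sensitivity.MEDIUM: 15, Sensitivity.HIGH: 15}
DENY_THRESHOLD = 90


@dataclass(frozen=True)
class SessionContext:
    user_id: str
    device_id: str    # stable browser/device identifier bound to this session
    ip: str
    country: str
    auth_method: str  # "password" or "passkey": how the session was established


@dataclass
class UserHistory:
    known_devices: set
    known_ips: set
    known_countries: set
    recent_failed_logins: int = 0


def risk_score(ctx, history):
    """Sum the weights of every unfamiliar signal; return (score, reasons)."""
    score, reasons = 0, []
    if ctx.device_id not in history.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.ip not in history.known_ips:
        score += WEIGHTS["new_ip"]
        reasons.append("new_ip")
    if ctx.country not in history.known_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    failed = min(history.recent_failed_logins, MAX_FAILED_COUNTED)
    if failed:
        score += WEIGHTS["failed_login"] * failed
        reasons.append(f"failed_logins={failed}")
    return score, reasons


def decide(action, ctx, history):
    """Combine session risk (point 4) with action context (point 5)."""
    sensitivity = ACTION_SENSITIVITY[action]
    score, reasons = risk_score(ctx, history)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, score, reasons
    # Moving money needs a phishing-resistant factor in the session; a passkey
    # login already provides one, a password login does not.
    if sensitivity is Sensitivity.HIGH and ctx.auth_method != "passkey":
        return Decision.STEP_UP_PASSKEY, score, reasons + ["high_sensitivity_action"]
    if score >= STEP_UP_THRESHOLD[sensitivity]:
        return Decision.STEP_UP_PASSKEY, score, reasons
    return Decision.ALLOW, score, reasons


def telemetry_event(action, ctx, history):
    """One structured record per decision for the risk engine and blue team."""
    decision, score, reasons = decide(action, ctx, history)
    return {"user_id": ctx.user_id, "action": action, "decision": decision.value,
            "risk_score": score, "reasons": reasons, "auth_method": ctx.auth_method}


if __name__ == "__main__":
    # Constructed sample: a returning customer on a familiar device and IP.
    history = UserHistory({"dev-a1"}, {"203.0.113.10"}, {"US"})
    familiar = SessionContext("sally", "dev-a1", "203.0.113.10", "US", "password")
    print(telemetry_event("view_balance", familiar, history))    # allow, score 0
    print(telemetry_event("transfer_funds", familiar, history))  # step_up_passkey
    roaming = SessionContext("sally", "dev-new", "198.51.100.7", "FR", "password")
    print(telemetry_event("view_balance", roaming, history))     # step_up_passkey, 85
```

The familiar-context login from the hotel example passes a read-only action with no step-up at all, while the same session is asked for a passkey before it can move money; a session that was opened with a passkey in the first place is not asked again. A new IP on its own (mobile data, travel) is not enough to add friction to a low-sensitivity action, but it is enough when the customer wants to change the email address that recovery depends on.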

Every CIAM strategy must at a minimum cover these ten points to be high functioning, low cost, and business enabling.

This post originally appeared on
