Major Use Cases and Capabilities
Targeted Marketing for Increased Revenue
Consumers interacting with digital sites generate lots of data that can be used for targeted marketing to increase revenue. Examples include creating special offers, linking with customer reward programs, promoting add-on sales and services, running advanced analytics across product and service lines to better understand customer preferences and identify trends, etc.
Options
Passwords are insecure and users do not want to create and reset more passwords. Organizations across the globe are beginning to understand that they must offer more authentication options to improve usability and provide risk-appropriate authentication and identity assurance. Registration and logins via social networks are quite common but offer low identity assurance levels. The use of the smartphone app as a separate channel, mobile biometrics, and FIDO is on the rise and can offer better identity and authentication assurance.
Governments have enacted various regulatory regimes mandating privacy, security of health and financial records, “Know Your Customer”, and payment processing security. Examples include EU General Data Protection Regulation (GDPR), EU Revised Payment Service Directive (PSD2), California Consumer Privacy Act, US PCI-DSS, and US HIPAA.
Better User Experience
In addition to more user-friendly authentication choices, consumers prefer sites and apps that allow for persistent personalization and consistent branding. Depending on the application, being able to store rich, unstructured data along with consumer profiles can improve the digital journey. Users also benefit from fortified solution security and privacy enhancements. Solutions which have better internal security and support higher assurance authentication while protecting privacy rate higher for user experience metrics.
Some users resist registering with sites due to friction such as having to create new usernames and passwords or being asked to repeatedly enter the same information. Anonymous users don’t generate data that can be used for product development, innovation, personalization, and marketing. Consumer-friendly identity management solutions make it easy for users to register and log in, and for consent and user attributes to be collected.
SaaS-hosted; IaaS, PaaS, hybrid, or on-premises installation
Social logins: Allow users to register and log in using OIDC credentials from social network operators such as Facebook, Apple, Twitter, Google, Amazon, etc.
White-labeled solutions allow customers to have a brand-consistent look and feel.
The collection of consumer or customer information on an as-needed basis, rather than requesting it all up front.
Identity proofing service integration
The ability to increase identity assurance at the time of account registration and/or subsequent interactions is required in financial use cases, and increasingly for other businesses as well. Many identity verification services exist across the globe, and some CIAM vendors provide either out-of-the-box connectors or the ability to integrate with such service providers over APIs.
Mobile biometrics, behavioral biometrics, mobile apps and SDKs, FIDO2 & WebAuthn, etc. Email/phone/SMS OTP are prevalent as MFA methods but are not recommended. They are best used as part of an overall risk-adaptive authentication approach.
Account recovery mechanisms
When consumers forget passwords, lose credentials, or change devices, they need ways to get access to their accounts. Account recovery techniques include email/phone/SMS OTP, “magic links”, mobile push notifications and applications, and account linking. Knowledge-Based Authentication (KBA), the use of “security questions”, is to be avoided since this method is even less secure than password authentication.
Ability to include and process 3rd-party fraud intelligence
Runtime evaluation of internal or external cyber threat or fraud information, such as known bad IP addresses/domains, compromised credentials, accounts suspected of fraud, fraud patterns, botnet behavior, etc., for the purpose of reducing the risk of fraud at the login and transaction level. Many specialist FRIP services are present in the market; CIAM platforms should allow customers to plumb these FRIP services into their authentication policies and risk analysis processes.
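A sketch of how third-party fraud signals can feed a risk-adaptive authentication policy, as described above and in the note on OTP methods. This is an added example, not code from any CIAM product; the signal names, weights, thresholds, and sample intelligence values are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample intelligence standing in for a third-party FRIP feed.
BAD_NETWORKS = [ip_network("203.0.113.0/24")]
COMPROMISED_USERS = {"alice@example.com"}
STRONG = {"fido2", "mobile_biometric"}   # preferred step-up methods
WEAK = {"sms_otp", "email_otp"}          # fallback only, at low risk

@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    known_device: bool
    enrolled: set            # authentication methods the user has registered
    bot_score: float = 0.0   # hypothetical 0..1 signal from a bot-detection service

def risk_score(a):
    """Return (score, reasons); the weights are illustrative assumptions."""
    ip = ip_address(a.source_ip)
    signals = [
        (any(ip in net for net in BAD_NETWORKS), 50, "bad_ip"),
        (a.user in COMPROMISED_USERS, 40, "compromised_credential"),
        (a.bot_score >= 0.8, 50, "bot_behavior"),
        (not a.known_device, 20, "new_device"),
    ]
    hits = [(weight, reason) for hit, weight, reason in signals if hit]
    return sum(w for w, _ in hits), [r for _, r in hits]

def decide(a):
    """Map the risk score to (action, step_up_method, reasons)."""
    score, reasons = risk_score(a)
    if score >= 90:
        return "deny", None, reasons
    if score < 20:
        return "allow", None, reasons
    strong = sorted(a.enrolled & STRONG)
    if strong:
        return "step_up", strong[0], reasons
    weak = sorted(a.enrolled & WEAK)
    if weak and score < 40:  # OTP accepted only when nothing worse than a new device
        return "step_up", weak[0], reasons
    return "deny", None, reasons
```

The `reasons` list is what a platform would export to reporting or downstream analytics, so that each step-up or denial can be traced to the signal that triggered it.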
Dashboards and reports on common identity attribute activities including failed logins, consumer profile changes, credential changes, registration tracking, etc.
Secure and well-documented APIs and support for communications standards
CIAM vendors have trended away from packaging comprehensive identity and marketing analytics functions within their platforms. Support for REST APIs, Webhooks, syslog, etc. allows customers to process identity event information outside of the CIAM platform in other tools that are specialized for such data analysis and actions; specifically, Business Intelligence (BI), Customer Relationship Management (CRM), and marketing analytics and automation systems.
Privacy and consent management
Explicit user consent must be received for the use of their information. Consumer account dashboards are common mechanisms for providing users with consent monitoring, granting, and withdrawal options. Family management, or the ability to set up specialized delegated account administration for heads of households, parents, guardians, children, and other relationship types, is increasingly needed in the CIAM landscape.
IoT device identity association
As IoT devices increase in popularity, consumers and business customer users will have greater need to associate their IoT devices with their digital identities. These identity associations between subject and IoT object will allow for more secure use of Smart Home, wearables, fitness, medical, and digital media devices. Basic functions for IoT device identity association require support for OAuth2 Device Flow and the ability for consumers to add/remove/validate devices in the self-service interfaces provided by the vendors.