Leadership Compass

CIAM Platforms

This report provides an overview of the market for Consumer Identity and Access Management and provides you with a compass to help you to find the Consumer Identity and Access Management product that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing CIAM solutions.

John Tolbert

jt@kuppingercole.com

1 Introduction

Consumer Identity and Access Management (CIAM) is a parallel to traditional Identity and Access Management (IAM) that has become a substantial market of its own. CIAM solutions are designed to meet evolving technical requirements for businesses and other organizations that deal directly with consumers and citizens. Many businesses and public sector organizations are finding that they must provide better digital experiences for and gather more information about the consumers who are using their services. Enterprises want to collect, store, and analyze data on consumers in order to create additional sales opportunities and increase brand loyalty. Know Your Customer (KYC) initiatives, particularly in the financial sector, are another example of the business driver motivating exploration and adoption of CIAM.

CIAM has diverged from traditional IAM in supporting some baseline features for analyzing customer behavior, as well as collecting consent for user data usage, and integration into CRM, connected devices, and marketing automation systems.

CIAM at first glance seems very much like Customer Relationship Management (CRM) software. However, it differs from CRM in that, with CRM systems, sales and marketing professionals are counted upon to enter the data about the contacts, prospects, and track the sales cycle. The focus of CRM is managing all processes around the customer relationship, while CIAM focuses on the connectivity with the customer when accessing all customer-facing systems, from registration and throughout the relationship. With CIAM, similar kinds of information as in CRM systems can be collected, but the consumers themselves provide and maintain this information. In this sense, CIAM solutions are self-managed CRM systems for consumer-facing organizations, particularly in the retail, media, finance, and health care industries. CIAM solutions are also being used by governments for government-to-consumer (G2C) use cases.

Traditional IAM systems are designed to provision, authenticate, authorize, and store information about employee users. User accounts are defined; users are assigned to groups; users receive role or attribute information from an authoritative source. They are generally deployed in an inward-facing way to serve a single enterprise. Over the last decade, many enterprises have found it necessary to also store information about business partners, suppliers, and customers in their own enterprise IAM systems, as collaborative development and e-commerce needs have dictated. Many organizations have built extensive identity federations to allow users from other domains to get authenticated and authorized to external resources. Traditional IAM scales well in environments of hundreds of thousands of users.

Consumer IAM systems are designed to provision, authenticate, authorize, collect and store information about consumers from across many domains. Unlike regular IAM systems though, information about these consumers often arrives from many unauthoritative sources. Some solutions in this space provide connections to various identity proofing services to strengthen the veracity of the consumer attributes. CIAM systems generally feature weak password-based authentication, but also support social logins and other stronger authentication methods. Information collected about consumers can be used for many different purposes, such as authorization to resources, or for analysis to support marketing campaigns, or Anti-Money Laundering (AML) initiatives. Moreover, CIAM systems must be able to manage many millions of identities, and process potentially billions of logins and other transactions per day.

In order to reduce money laundering, cyber-crime, terrorist financing, and fraud, regulators are requiring banks and financial service providers to put into place mechanisms for “Knowing Your Customer”. Government regulators expect banks to utilize analytics to develop baseline patterns for all their customers, and to be able to spot deviations from individuals’ normal parameters. Suspicious transactions must be flagged for investigation, specifically to prevent the aforementioned criminal activities. CIAM solutions have become a standard architectural component to help with financial KYC.

Support for self-registration and social network logins is ubiquitous among vendors; and the key differentiators have become the use of new technologies to:

  • comply with privacy regulations
  • step up the user’s authentication assurance level
  • collect and analyze information for fraud prevention
  • collect and analyze information for marketing purposes
  • connect consumer identities to IoT device identities, e.g. Smart Home devices and apps

The entire market segment is still evolving and growing. We expect to see more entrants within the next few years. This year we are reviewing a number of new product and service entries in this report.

IT departments should welcome CIAM initiatives, as they provide an opportunity for IT, usually considered a “cost center”, to closely team with Marketing, a revenue producing center.

This KuppingerCole Leadership Compass provides an overview of the leading vendors in the CIAM market segment. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a customer and his requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.

1.1 Market Segment

The CIAM market is still growing, with many vendors offering mature solutions providing standard and deluxe features to support millions of users across every industrial sector. As will be reflected in this report, the solutions in this space are quite diverse. Some vendors have about every feature one could want in a CIAM product, while others are more specialized, and thus have different kinds of technical capabilities. For example, some smaller vendors are targeting the government-to-citizen (G2C) market as well as business-to-business-to-consumer (B2B2C). We often see support for national e-IDs, x.509 certificates, and higher assurance authentication mechanisms in these vendors’ products compared to the rest.

Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often has a direct effect on the type of features available in their CIAM solutions. CIAM vendors that are primarily pursuing retail and media companies as clients tend to not have the customer-driven pressure to support high assurance authentication and complex attribute-based access controls.

Additionally, CIAM solutions can be somewhat regionalized, in that, some vendor products/services are specialized in meeting the particular requirements and capabilities of a country or small group of countries. For example, there are a few vendors that rely upon the national IDs or bank IDs of the Nordic region of Europe, and provide interoperability with service providers in that area, and help customers adhere to GDPR. Likewise, we find vendors that have solutions tailored to Latin American countries or APAC countries, with regionalized language support and excellent interoperability with service providers in those areas. These features are competitive advantages for these vendors and may be especially attractive solutions to customers in these areas.

The number of vendors in the CIAM market has grown, in response to the increasing market size. Many of them are built from the ground up as purely consumer-oriented identity solutions. Other vendors have modified their traditional LDAP-based, Web Access Management (WAM) components to accommodate consumers. All the major players in the CIAM segment are covered within this KuppingerCole Leadership Compass, as well as the specialized regional players. This Leadership Compass will examine solutions that are available for both on-premise and cloud-based deployment.

Several noteworthy trends have appeared in the CIAM market, outlined below:

  • Many vendors are taking an “API-first” approach to CIAM, which allows organizations with in-house expertise to extend their existing IAM infrastructure to accommodate consumer use cases better. The API-first approach also permits in-house developers to easily “bolt-on” CIAM features to existing or legacy Line of Business applications, without necessarily investing in a full-size CIAM solution. Identity API platforms are not always completely assembled products and services. Rather, these platforms are collections of tools, code, and templates. Identity API platforms may contain many open source elements, and generally leverage well-known standards. In some regards, these granular identity services allow customers to “build (or rent) their own IDaaS”. Deploying CIAM functionality using Identity APIs aligns with the notion of Identity Fabrics. KuppingerCole also has a Leadership Compass that focuses on Identity API platforms and an upcoming Leadership Compass on Identity Fabrics.
  • Some startup CIAM vendors are now combining basic CIAM functionality with identity proofing to increase identity assurance and reduce the risk of fraud. Other larger or more established CIAM vendors are partnering with specialty identity proofing services for the same reason.
  • Some of the larger vendors, particularly those with cloud-only delivery models, offer a wide range of services covering basic to advanced authentication methods, consent management, and integrated identity and marketing analytics/automation. They aim to provide their customers with most all the features needed not only for CIAM but also for CRM and managing marketing operations.

1.2 Delivery models

In the CIAM market, solutions are offered as SaaS, PaaS, and for on-premise deployment. Pure-play SaaS solutions are often multi-tenant by design. On the other side, Managed Service offerings are run independently per tenant. For SaaS offerings, the licensing model is often priced per user, either active users in a given time period or by the number of registered users. For managed services or PaaS, the licensing costs can be per instance, or per managed identity. The cloud delivered variants sometimes charge per-session or per-transaction fees. For on-premise deployments, licensing costs can be measured in a couple of different ways, such as per-user, per-server.

1.3 Required and Optional Capabilities

Various technologies support all the different requirements customers are facing today. The requirements are

  • Deployment options: On-premise, cloud, or hybrid options.
  • Social logins: Allow users to login via Facebook, LinkedIn, Twitter, Google, Amazon, etc.
  • Multi-factor authentication: Email/phone/SMS OTP, mobile biometrics, behavioral biometrics, mobile push apps, FIDO, risk-adaptive and continuous authentication, etc.
  • Risk adaptive authentication: Evaluation of runtime environmental parameters, user behavioral analytics, and fraud/threat/compromised credential intelligence to match the appropriate authentication mechanism to the level of business risk or as required by regulations.
  • Account recovery mechanisms: When consumers forget passwords, lose credentials, or change devices, they need ways to get access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA; but it is recommended to avoid this method as it is usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account linking.
  • Inclusion of 3rd-party fraud and compromised credential intelligence: Runtime evaluation of internal or external cyber threat or fraud information, such as known bad IP addresses/domains, compromised credentials, accounts suspected of fraud, fraud patterns, botnet behavior, etc., for the purpose of reducing the risk of fraud at the transaction level.
  • Identity analytics: Dashboards and reports on common identity attribute activities including failed logins, consumer profile changes, credential changes, registration tracking, etc.
  • Business intelligence for marketing: Transformation of data about user activities into information for marketers.
  • Privacy and consent management: Explicit user consent must be received for the use of their information. Consumer account dashboards are common mechanisms for providing users with consent monitoring, granting, and withdrawal options. Compliance with EU GDPR, Canada’s PIPEDA, and California’s CCPA are notable drivers.
  • Enhanced user experience: White-labeled CIAM solutions allow seamless branding, and self-registration and social registration/logins increase successful consumer interaction with websites.
  • IoT device identity information: As IoT devices increase in popularity, consumers and business customer users will have greater need to associate their IoT devices with their digital identities. These identity associations between subject and IoT object will allow for more secure and private use of smart home, wearables, medical, and even industrial devices.

The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.

When evaluating the services, besides looking at our standard criteria of

  • overall functionality and usability
  • internal product/service security
  • size of the company
  • number of tenants/customers and end-user consumers
  • number of developers
  • partner ecosystem
  • licensing models

We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Features that are considered innovative are listed below.

  • Support for standards such as Kantara Initiative Consent Receipt, FIDO Alliance, and Global Platform Secure Element and Trusted Execution Environment standards.
  • Advanced cloud provisioning capabilities, such as Graph API and SCIM standard support.
  • A comprehensive, secure, and well-documented set of REST-based APIs, Webhooks, and/or WebAuthn to allow access to data by 3rd-party identity, marketing, and security analytic tools.
  • Advanced support for authentication mechanisms, especially FIDO, mobile, and behavioral biometrics and mobile SDKs.
  • Interoperability with Fraud Reduction Intelligence Platforms (FRIP) and identity proofing services.
  • Ability to utilize national e-IDs, bank IDs, and passports.
  • Advanced support for IoT, SmartHome, connected cars, and wearables use cases.

Please note that we only listed a sample of features, and we consider other capabilities per solution as well when evaluating and rating the various CIAM platforms.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.