Consumer identity is still a hot topic in IAM in general. CIAM has experienced a great deal of technological innovation in the last five years, and much of the innovation in CIAM has found its way into B2B and B2E IAM solutions through the "consumerization of IT". KuppingerCole is updating research on CIAM, and in this session we'll consider what we have learned thus far, including trends in authenticator availability and usage, consent and privacy management features, regulatory compliance developments, the integration of consumers' device identities, the challenges of account recovery and linking, and the rising need for identity proofing services.
Thanks. And yeah. Welcome everyone. Glad to have you back on day three here, we're gonna cover things like identity proofing and know your customer, but I thought I'd start off with, I'm refreshing the research on consumer identity and access management platforms right now. So haven't published it. There's nothing really vendor specific in here, but I did ask a lot of survey questions of the vendors. So I thought it might make for, you know, a good talk, what we see going on here. So this is not gonna be too big of a surprise for anyone. We talked about this a little bit yesterday.
Multifactor authentication options are really not that widely used. There was a Microsoft survey a couple of months ago that said 22% of users in Azure AD. And you know, some of the respondents on my survey, it's single digits, you know, for customers that are actually using it. And for those that are using strong authentication of one kind or another, it's really hard to say, there's no clear winners in the strong authenticator types that they're using. There's a whole lot of different variety out there. And of course this means passwords are still widely used.
And we know that's not a good thing because of security and usability. Email address is how most people are registering. I mean, social IDs are still an option and are used in some places, but the vendors report that in industries like finance and healthcare, where people would like a little bit more privacy, people are not generally logging in with their social network ID for that. Then as you might expect, finance and banking are still the most likely to have, you know, relatively secure implementations of CIAM.
Those are the ones that would be using, you know, secure mobile SDKs and better forms of authentication along with fraud reduction intelligence. Some other things I've seen, right in line with our track on identity proofing. So there's more of a need for that. A good example, you know, outside of banking, because, you know, banking requires it for anti-money laundering laws and know your customer regulations, but like the hospitality sector, short-term rentals: business operators there want to get an idea of who's gonna be renting.
So in order to create an account at these kinds of places, now we're seeing, you know, a moderate amount of identity proofing that these kinds of hosts want to use. And, you know, to do this identity proofing, we're seeing more and more use of remote onboarding apps. These are the apps that, you know, can do take a selfie, look at your authoritative ID and, you know, match that up to do some remote identity proofing. Smart device management, this is still an increasing thing.
You know, everybody's got smart devices and those device identities need to be tied to a digital identity related to a person, you know. And then looking at consent management. Consent management, obviously we've needed that for, you know, going on five years for GDPR, then other privacy regulations around the world. But you know, the quality of it kind of varies from vendor to vendor. Some are of the "we'll help you comply, we'll give you everything you need to comply," and other vendors are "well, we'll give you the tools, you figure out how to make this work on your own."
We still see, you know, an increased emphasis on API, you know, exposing all functions of the CIAM platform through the API. This means also that the CIAM vendors themselves are still increasingly marketing to developers. It's developers, you know, probably more than CMOs or CIOs that are the ways in, you know, to a customer organization. And then lastly, customer organizations that are using, say, CIAM platforms and fraud reduction intelligence platform capabilities.
It just doesn't seem like they're making the most out of what's available there, technically, which really leads to lost revenue and lost consumers. So, you know, we hear this term a lot: friction.
I, you know, I think it's a good analogy, you know, friction in the physical world. We're totally familiar with that, with what that is, you know, the consumer processes, whether they be registering, doing identity proofing or authentication, you, you can't experience friction depending on how well those are implemented, how well they're orchestrated, you know, but our goal is not to totally eliminate friction. There are times when we expect that as consumers.
I mean, if I were to log into a mobile banking app and try to transfer 10,000 euros or something, I feel a little bit more safety when I get a question saying, do you really want to do that? You know, so friction is necessary and even expected by consumers in some situations. But I think what we have to do with CIAM platforms is figure out how to implement just the right amount of friction.
So we, you know, enterprise IAM's been around a lot longer, consumer identity management as a field maybe 10 years or so, but, you know, I think in many ways, consumer IAM is kind of driving innovation in enterprise IAM. And why might that be?
Well, you know, employees are also consumers, and in cases where companies get their CIAM authentication right, and that kind of experience right, employees start to demand that, you know, from a workforce experience as well. And that can be things like using mobile apps or biometrics, you know, employees want that same kind of convenience and, you know, from a company perspective, security. And then the things that you can do with fraud reduction technologies can also be piped in and used for, you know, enterprise risk-based authentication use cases as well.
And the remote onboarding that I was talking about for, let's say, you know, a hospitality industry, short-term rental, you know, trying to make sure this is the real person. Well, that's been used a lot during the pandemic for onboarding employees to where, you know, a new employee might be in a totally different location, not able to go in to the HR office and get validated. So a remote onboarding app, you know, can essentially do that. And I think that as a trend will only continue. So we see also, you know, more and more services being added on to CIAM solutions.
We've heard a lot the last couple of days about mobile and passwordless authentication. That's definitely a trend that will continue to bloom. My hope in the CIAM world: using risk-adaptive authentication, and turning that into continuous authentication, you know, so that you don't have to be bothered by an explicit authentication event or step-up authentication event every time you wanna do something.
You know, if the context hasn't changed that much, then don't bother the user, you know, look at all the other attributes in the environment and then decide if you need to raise the risk level. The identity proofing, fraud reduction, device identity integration: lots of opportunity for making a more enjoyable and secure user experience there. Seeing more consent and privacy management features being built in. But we also see API connectivity to third party consent and privacy management platforms as well.
So what are we talking about with authenticator options? Well, you know, mobile app SDKs that allow customers to build their applications and leverage the authentication service provider. Biometrics, mostly fingerprint and facial recognition.
You know, we talked about that a little bit yesterday, where's voice recognition or iris scanning? You know, I think they suffer from usability issues. They certainly can't have, you know, high accuracy if implemented correctly, but it doesn't seem like consumers are choosing those forms of biometrics. We do have behavioral biometrics. That's kind of looking at how you, you know, use a computer, use your phone, there's gyroscope in your phone. There's all kinds of sensors in there. Same thing with the computer, how you type, how you use a mouse.
Those actually make pretty unique patterns and can be used as a, you know, a factor to be evaluated in a risk-based authentication system. And then in some cases we see USB and proximity to devices. Sometimes this is in like a shop floor or retail store context. And as you know, we sure have a lot of SMS OTP, but there are lots of security problems involved with that.
And there, it's not really the most user friendly thing to do. But we do have FIDO, and FIDO's come a long way in the last 10 years or so. FIDO2 has been out for a couple of years. I like to say it bridges the gap between mobile and web. You can use your phone in conjunction with your computer.
You know, you can register with it, you can authenticate with it. It can be used for step-up authentication and authorization. It really enjoys pretty broad vendor support at this point: Microsoft, Google, Samsung, all the major browsers. I checked yesterday, there are almost 900 different authenticators and servers that have been certified against the U2F, UAF and 2.0 standards. So I would say, you know, FIDO is experiencing the uptake that we predicted a few years back.
Couple other specifications there that I like to call out as being really useful: they have built-in security certifications and biometrics certifications. And the biometric one I think is really useful because without that, there's no like independent verification of the claims of a false acceptance rate or the false rejection rates on these particular authenticator types. So on the risk-based consumer authentication, what do we mean by that?
Well, you know, this is looking at a whole collection of attributes about the subject consumer, you know, and this can include identity assurance level, their email address, their physical address, you know, any linked accounts, then information about the device that they're using, whether it's a computer or phone, you know, the type, the device fingerprint. That's not the device; fingerprint is like, what makes this device unique in the world?
The different kinds of peripherals or software, or, you know, patch level, what apps it may have installed. Behavioral biometrics could be, you know, a part of that as well. You know, looking at how you use the mouse or the keyboard. There's network, you know, that can be IP, IP reputation. There's lots of IP reputation services out there. So that can be a big indicator as well.
You know, then the Wi-Fi or mobile network history, user behavioral analysis, UBA, that's about, you know, not only where have you been making transactions from, but, you know, failed logins, successful logins, different transaction types. Are you trying to add a new payee, you know, in a financial transaction and transfer some large amount of money to it?
If that doesn't fit sort of the pattern of past behavior, it's nice when that too raises a flag and allows the bank to say, now, wait a minute, let's just verify this. You know, I talked about cyber crime yesterday, account takeover fraud, account opening fraud. Just a quick reminder how this plays into CIAM. Account takeover fraud:
Exactly what it sounds like, you know, using, you know, breached passwords that have been discovered out maybe on, out in the dark web. They could be used in credential stuffing attacks where, let's say, a fraudster finds a whole bunch of username, password combinations that, you know, worked on site A, but they know that, you know, people have dozens and dozens of accounts, maybe they've reused that username and password elsewhere. So they script it or get a bot to blast that out. That's a credential stuffing attack. Brute-force password attacks, unfortunately, still work.
And these are used for value transfers. Anything you could do, a fraudster can do, to transfer money or anything that can be converted into money. Then we have AO fraud, you know, account opening fraud. This happens when they get PII from a user or about a user, you know, this could come from their school, their work, their health records. This is used for major financial fraud.
You know, it's more than just running a couple of fraudulent credit card transactions or something. This is build a fake identity that you can then try to go get a line of credit or a mortgage or something massive out of it, or use it as a mule account to move money from different, you know, different kinds of fraudulent transactions. Maybe it's in crypto and the fraudster wants to get it out into the real world.
Two main, major mitigations here: for ATO fraud, that's multifactor authentication and risk-based authentication, and then identity proofing on account opening. So one of the concepts that we've been promoting the last couple of years is around the identity fabric. And I think this really applies well to CIAM too. So I've kind of adapted, you know, our standard IAM identity fabric to talk about how this relates specifically for consumers.
So, you know, over on the left, we've got the different types of accounts, the different types of entities, consumers, partners, administrators, devices, things, and even bots. You know, there are bots that can act on behalf of consumers now.
And, you know, there are different kinds of identities. You can be, bring your own identity, decentralized identity. A lot of this is predicated upon federation and APIs, but then here in the middle, we've got, you know, the different capabilities that get bundled into services. So there's like identity life cycle, the identity proofing, the identity federation. These get packaged into services like authentication service, authorization service, various fraud reduction intelligence services.
Then they're implemented in a microservices architecture, you know, using containers, using APIs and SDKs to get access to it from various applications. There's still plenty of legacy applications that require, you know, maybe a pre-built connector, but the goal is to attach these users to the services that they need, whether that be SaaS, you know, partners, on-premise applications that we may be running or even embedded.
So by connector, you know, we use this term a lot, connectors or integrations, you know, it's really kind of a bundling or a prepackaging of code, API calls, that helps connect a CIAM instance. You know, if you're running a CIAM instance and you need to connect to, let's say, other public IDPs or, you know, identity proofing services, fraud reduction intel platforms, or even, you know, your CRMs, or customer data platforms, analytics. This is what a connector is. And oftentimes, generally the CIAM vendor will provide these in a supported fashion.
Sometimes there's communities that put these together that are a little less supported, but these are actually essential for getting CIAM business done. So to try to wrap up here, identity fabric for CIAM, why is this useful?
You know, it allows for modular upgrades, you know, instead of like having to rip and replace an entire CIAM solution, having, you know, discrete services that you can add or take away as needed. It can be more scalable. You know, CIAM solutions often have to deal with very high volume authentication events related to, you know, logging in at school. Or there was one example I heard yesterday, you know, eight o'clock in the morning, they experience a massive influx of logins. And then after that, it goes quiet.
You know, sales, holiday sales, if you're running a retail site. So scalability is important and the identity fabric certainly helps with that. They're all built upon standards.
And, you know, there are quite a few different relevant standards in the identity space. You know, it's distributed. It can help with cyber crime prevention by allowing you to, you know, download configured connectors to various fraud reduction intelligence services. It's built on an agile platform normally, you know, so they're using DevOps, SecDevOps methodologies. And then lastly, you know, this allows for your CIAM deployment to be much more extensible than it otherwise would be if you're following standards and using connectors.
So wrapping up here, there's still a lot of innovation in the authentication space. Fraud reduction is necessary because of the increase in sophistication of fraud types that are out there. And we increasingly see, you know, more connectors for fraud reduction and more CIAM platforms that are building that in. But on the unfortunate side, there's lots of good features of these CIAM platforms, but, you know, I think the vendors need to help their customer organizations more so that they deploy these in a way that helps give consumers a better experience and provides more security on their part.
And really this will be advantageous for those organizations because it generates more revenue. So with that, I will close.
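The risk-based step-up decision described in the talk, sketched as an added example that is not part of the original transcript or any vendor's product. Signal names follow the attributes the speaker lists (device fingerprint, IP reputation, network history, failed logins, new payee, unusual amount); the weights, thresholds and sample profile are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative weights and thresholds (assumptions, not values from the talk).
WEIGHTS = {
    "new_device": 30,
    "bad_ip_reputation": 35,
    "new_network": 10,
    "recent_failed_logins": 15,
    "new_payee": 20,
    "unusual_amount": 25,
}
STEP_UP_AT = 40  # ask for a second factor or explicit confirmation
DENY_AT = 80     # block and hand over to fraud review


@dataclass
class Profile:
    """What the platform already knows about this consumer."""
    known_devices: set
    known_networks: set
    known_payees: set
    typical_max_amount: float


@dataclass
class Event:
    """One login or transaction request plus its context signals."""
    device_fingerprint: str
    network: str
    ip_reputation: float  # 0.0 = clean, 1.0 = known bad (hypothetical feed score)
    failed_logins_last_hour: int = 0
    payee: Optional[str] = None
    amount: float = 0.0


def risk_signals(profile, event):
    """Return the names of every signal that deviates from past behaviour."""
    signals = []
    if event.device_fingerprint not in profile.known_devices:
        signals.append("new_device")
    if event.ip_reputation >= 0.7:
        signals.append("bad_ip_reputation")
    if event.network not in profile.known_networks:
        signals.append("new_network")
    if event.failed_logins_last_hour >= 3:
        signals.append("recent_failed_logins")
    if event.payee is not None and event.payee not in profile.known_payees:
        signals.append("new_payee")
    if event.amount > 3 * profile.typical_max_amount:
        signals.append("unusual_amount")
    return signals


def decide(profile, event):
    """Unchanged context means no added friction; friction scales with risk."""
    signals = risk_signals(profile, event)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals
    if score >= STEP_UP_AT:
        return "step_up", score, signals
    return "allow", score, signals


# Constructed sample data.
PROFILE = Profile({"dev-a"}, {"home-wifi"}, {"landlord"}, 500.0)
ROUTINE = Event("dev-a", "home-wifi", 0.1, payee="landlord", amount=450.0)
BIG_NEW_PAYEE = Event("dev-a", "home-wifi", 0.1, payee="acct-unknown", amount=10_000.0)
STUFFING_LIKE = Event("dev-x", "unknown-net", 0.9, failed_logins_last_hour=5)

if __name__ == "__main__":
    for name, ev in [("routine", ROUTINE), ("big new payee", BIG_NEW_PAYEE),
                     ("stuffing-like", STUFFING_LIKE)]:
        print(name, decide(PROFILE, ev))
```
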