Event Recording

Latest Developments in CIAM


Consumer identity is still a hot topic in IAM in general. CIAM has experienced a great deal of technological innovation in the last five years, and much of the innovation in CIAM has found its way into B2B and B2E IAM solutions through the "consumerization of IT". KuppingerCole is updating research on CIAM, and in this session we'll consider what we have learned thus far, including trends in authenticator availability and usage, consent and privacy management features, regulatory compliance developments, the integration of consumers' device identities, the challenges of account recovery and linking, and the rising need for identity proofing services. 

Thanks. And yeah. Welcome everyone. Glad to have you back on day three. Here we're gonna cover things like identity proofing and know your customer, but I thought I'd start off with, I'm refreshing the research on consumer identity and access management platforms right now. So I haven't published it. There's nothing really vendor specific in here, but I did ask a lot of survey questions of the vendors. So I thought it might make for, you know, a good talk, what we see going on here. So this is not gonna be too big of a surprise for anyone. We talked about this a little bit yesterday. Multifactor authentication options are really not that widely used. There was a Microsoft survey a couple of months ago that said 22% of users in Azure. And you know, some of the respondents on my survey, it's single digits, you know, for customers that are actually using it.
And for those that are using strong authentication of one kind or another, it's really hard to say; there's no clear winners in the strong authenticator types that they're using. There's a whole lot of different variety out there. And of course this means passwords are still widely used. And we know that's not a good thing because of security and usability. Email address is how most people are registering. I mean, social IDs are still an option and are used in some places, but the vendors report that in industries like finance and healthcare, where people would like a little bit more privacy, people are not generally logging in with their social network ID for that. Then as you might expect, finance and banking are still the most likely to have, you know, relatively secure implementations of CIAM. Those are the ones that would be using, you know, secure mobile SDKs and better forms of authentication along with fraud reduction intelligence, some other things I've seen right in line with our track on identity proofing. So there's more of a need for that. A good example, you know, outside of banking, because, you know, banking requires it for anti-money laundering laws and know your customer regulations, but like the hospitality sector, short term rental business operators there want to get an idea of who's gonna be renting. So in order to create an account at these kinds of places, now we're seeing, you know, a moderate amount of identity proofing that these kinds of hosts want to use.
And, you know, to do this identity proofing, we're seeing more and more use of remote onboarding apps. These are the apps that, you know, can take a selfie, look at your authoritative ID and, you know, match that up to do some remote identity proofing. Smart device management, this is still an increasing thing. You know, everybody's got smart devices and those device identities need to be tied to a digital identity related to a person. You know, and then looking at consent management: consent management, obviously we've needed that for, you know, going on five years for GDPR, then other privacy regulations around the world. But you know, the quality of it kind of varies from vendor to vendor. Some are of the "we will help you comply, we'll give you everything you need to comply" and other vendors are "well, we'll give you the tools, you figure out how to make this work on your own." We still see, you know, an increased emphasis on API, you know, exposing all functions of the CIAM platform through the API. This means also that the CIAM vendors themselves are still increasingly marketing to developers. It's developers, you know, probably more than CMOs or CIOs, that are the ways in, you know, to a customer organization.
And then lastly, customer organizations that are using, say, CIAM platforms and fraud reduction intelligence platform capabilities: it just doesn't seem like they're making the most out of what's available there, technically, which really leads to lost revenue and lost consumers.
So, you know, we hear this term a lot: friction. I, you know, I think it's a good analogy. You know, friction in the physical world, we're totally familiar with what that is. You know, the consumer processes, whether they be registering, doing identity proofing or authentication, you can experience friction depending on how well those are implemented, how well they're orchestrated. You know, but our goal is not to totally eliminate friction. There are times when we expect that as consumers. I mean, if I were to log into a mobile banking app and try to transfer 10,000 euros or something, I feel a little bit more safety when I get a question saying, do you really want to do that? You know, so friction is necessary and even expected by consumers in some situations. But I think what we have to do with CIAM platforms is figure out how to implement just the right amount of friction.
So we, you know, enterprise IAM's been around a lot longer; consumer identity management as a field maybe 10 years or so, but, you know, I think in many ways, consumer IAM is kind of driving innovation in enterprise IAM. And why might that be? Well, you know, employees are also consumers, and in cases where companies get their CIAM authentication right, and that kind of experience right, employees start to demand that, you know, from a workforce experience as well. And that can be things like using mobile apps or biometrics. You know, employees want that same kind of convenience and, you know, from a company perspective, security. And then the things that you can do with fraud reduction technologies can also be piped in and used for, you know, enterprise risk based authentication use cases as well. And the remote onboarding that I was talking about for, let's say, you know, a hospitality industry short term rental, you know, trying to make sure this is the real person: well, that's been used a lot during the pandemic for onboarding employees, where, you know, a new employee might be in a totally different location, not able to go in to the HR office and get validated. So a remote onboarding app, you know, can essentially do that. And I think that as a trend will only continue.
So we see also, you know, more and more services being added on to CIAM solutions. We've heard a lot the last couple of days about mobile and passwordless authentication. That's definitely a trend that will continue to bloom. My hope in the CIAM world is using risk adaptive authentication and turning that into continuous authentication, you know, so that you don't have to be bothered by an explicit authentication event or step up authentication event every time you wanna do something. You know, if the context hasn't changed that much, then don't bother the user. You know, look at all the other attributes in the environment and then decide if you need to raise the risk level. The identity proofing, fraud reduction, device identity integration: lots of opportunity for making a more enjoyable and secure user experience there. Seeing more consent and privacy management features being built in, but we also see API connectivity to third party consent and privacy management platforms as well.
So what are we talking about with authenticator options? Well, you know, mobile app SDKs that allow customers to build their applications and leverage the authentication service provider; biometrics, mostly fingerprint and facial recognition. You know, we talked about that a little bit yesterday: where's voice recognition or iris scanning? You know, I think they suffer from usability issues. They certainly can have, you know, high accuracy if implemented correctly, but it doesn't seem like consumers are choosing those forms of biometrics. We do have behavioral biometrics. That's kind of looking at how you, you know, use a computer, use your phone; there's a gyroscope in your phone, there's all kinds of sensors in there. Same thing with the computer: how you type, how you use a mouse. Those actually make pretty unique patterns and can be used as a, you know, a factor to be evaluated in a risk based authentication system.
And then in some cases we see USB and proximity devices. Sometimes this is in like a shop floor or retail store context. And as you know, we sure have a lot of SMS OTP, but there are lots of security problems involved with that, and it's not really the most user friendly thing to do. But we do have FIDO, and FIDO's come a long way in the last 10 years or so. FIDO2 has been on for a couple of years. I like to say it bridges the gap between mobile and web. You can use your phone in conjunction with your computer. You know, you can register with it, you can authenticate with it. It can be used for step up authentication and authorization. It really enjoys pretty broad vendor support at this point: Microsoft, Google, Samsung, all the major browsers. I checked yesterday, there are almost 900 different authenticators and servers that have been certified against the U2F, UAF and FIDO 2.0 standards. So I would say, you know, FIDO is experiencing the uptake that we predicted a few years back. A couple of other specifications there that I like to call out as being really useful is they have built in security certifications and biometrics certifications. And the biometric one I think is really useful because without that, there's no like independent verification of the claims of a false acceptance rate or the false rejection rates on these particular authenticator types.
So on the risk based consumer authentication, what do we mean by that? Well, you know, this is looking at a whole collection of attributes about the subject consumer. You know, and this can include identity assurance level, their email address, their physical address, you know, any linked accounts; then information about the device that they're using, whether it's a computer or phone, you know, the type, the device fingerprint. That's not the device. Fingerprint is like, what makes this device unique in the world? The different kinds of peripherals or software, or, you know, patch level, what apps it may have installed. Behavioral biometrics could be, you know, a part of that as well, you know, looking at how you use the mouse or the keyboard. There's network, you know, that can be IP, IP reputation. There's lots of IP reputation services out there. So that can be a big indicator as well. You know, then the wifi or mobile network history. User behavioral analysis, UBA, that's about, you know, not only where have you been making transactions from, but, you know, failed logins, successful logins, different transaction types. Are you trying to add a new payee, you know, in a financial transaction and transfer some large amount of money to it? If that doesn't fit sort of the pattern of past behavior, it's nice when that too raises a flag and allows the bank to say, now, wait a minute, let's just verify this.
You know, I talked about cyber crime yesterday, account takeover fraud, account opening fraud. Just a quick reminder how this plays into CIAM. Account takeover fraud: exactly what it sounds like, you know, using, you know, breached passwords that have been discovered maybe out on the dark web. They could be used in credential stuffing attacks, where let's say a fraudster finds a whole bunch of username, password combinations that, you know, worked on site A, but they know that, you know, people have dozens and dozens of accounts; maybe they've reused that username and password elsewhere. So they script it or get a bot to blast that out. That's a credential stuffing attack. Brute force password attacks, unfortunately, still work. And these are used for value transfers. Anything you could do, a fraudster can do to transfer money or anything that can be converted into money.
Then we have AO fraud, you know, account opening fraud. This happens when they get PII from a user or about a user. You know, this could come from their school, their work, their health records. This is used for major financial fraud. You know, it's more than just running a couple of fraudulent credit card transactions or something. This is build a fake identity that you can then try to go get a line of credit or a mortgage or something massive out of it, or use it as a mule account to move money from different, you know, different kinds of fraudulent transactions. Maybe it's in crypto and the fraudster wants to get it out into the real world. Two main, major mitigations here: for ATO fraud, that's multifactor authentication and risk based authentication, and then identity proofing on account opening.
So one of the concepts that we've been promoting the last couple of years is around the identity fabric. And I think this really applies well to CIAM too. So I've kind of adapted, you know, our standard IAM identity fabric to talk about how this relates specifically for consumers. So, you know, over on the left, we've got the different types of accounts, the different types of entities: consumers, partners, administrators, devices, things, and even bots. You know, there are bots that can act on behalf of consumers now. And, you know, there are different kinds of identities. You can be, bring your own identity, decentralized identity. A lot of this is predicated upon federation and APIs, but then here in the middle, we've got, you know, the different capabilities that get bundled into services. So there's like identity life cycle, the identity proofing, the identity federation. These get packaged into services like authentication service, authorization service, various fraud reduction intelligence services. Then they're implemented in a microservices architecture, you know, using containers, using APIs and SDKs to get access to it from various applications. There's still plenty of legacy applications that require, you know, maybe a pre-built connector, but the goal is to attach these users to the services that they need, whether that be SaaS, you know, partners, on premise applications that we may be running or even embedded.
So by connector, you know, we use this term a lot, connectors or integrations; you know, it's really kind of a bundling or a prepackaging of code, API calls, that helps connect a CIAM instance. You know, if you're running a CIAM instance and you need to connect to, let's say, other public IdPs or, you know, identity proofing services, fraud reduction intel platforms, or even, you know, your CRMs, your customer data platforms, analytics: this is what a connector is. And oftentimes, generally, the CIAM vendor will provide these in a supported fashion. Sometimes there's communities that put these together that are a little less supported, but these are actually essential for getting CIAM business done.
So to try to wrap up here, identity fabric for CIAM, why is this useful? You know, it allows for modular upgrades, you know, instead of like having to rip and replace an entire CIAM solution, having, you know, discrete services that you can add or take away as needed. It can be more scalable. You know, CIAM solutions often have to deal with very high volume authentication events related to, you know, logging in at school. Or there was one example I heard yesterday: you know, eight o'clock in the morning, everyone experiences a massive influx of logins, and then after that, it goes quiet. You know, sales, holiday sales, if you're running a retail site. So scalability is important and the identity fabric certainly helps with that. They're all built upon standards. And, you know, there are quite a few different relevant standards in the identity space. You know, it's distributed. It can help with cyber crime prevention by allowing you to, you know, download configured connectors to various fraud reduction intelligence services. It's built on an agile platform normally, you know, so they're using DevOps, SecDevOps methodologies. And then lastly, you know, this allows for your CIAM deployment to be much more extensible than it otherwise would be if you're following standards and using connectors.
So wrapping up here, there's still a lot of innovation in the authentication space. Fraud reduction is necessary because of the increase in sophistication of fraud types that are out there. And we increasingly see, you know, more connectors for fraud reduction and more CIAM platforms that are building that in. But on the unfortunate side, there's lots of good features of these CIAM platforms, but, you know, I think the vendors need to help their customer organizations more so that they deploy these in a way that helps give consumers a better experience and provides more security on their part. And really this will be advantageous for those organizations because it generates more revenue. So with that, I will close.
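The talk describes risk based consumer authentication as scoring a collection of attributes (device fingerprint, IP reputation, network history, user behavioral analysis such as failed logins and out-of-pattern transfers to a new payee) and, separately, credential stuffing as one IP blasting leaked username/password pairs across many accounts. The following Python is an added example that is not part of the recording or of any vendor's product: a toy scorer that turns those signals into allow / step-up / deny, with a log-based detector for the credential stuffing shape feeding in as one network signal. Every weight, threshold, log line and field name below is a constructed assumption.

```python
"""Toy risk based authentication scorer (added example; all weights,
thresholds and sample data are constructed assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Decision thresholds (assumed): below STEP_UP allow, below DENY step-up.
STEP_UP = 40
DENY = 80


@dataclass
class UserHistory:
    """What the platform already knows about the consumer (the UBA baseline)."""
    known_devices: set
    known_countries: set
    payees: set
    typical_max_transfer: float
    recent_failed_logins: int = 0


@dataclass
class Request:
    """Signals available at login or transaction time."""
    user: str
    device_fp: str          # device fingerprint: what makes this device unique
    ip: str
    country: str
    ip_reputation: str      # "good", "unknown" or "bad" from a reputation feed (assumed)
    action: str             # "login" or "transfer"
    payee: Optional[str] = None
    amount: float = 0.0


def credential_stuffing_ips(log_lines: Iterable[str], threshold: int = 5) -> set:
    """Constructed log format: '<ip> <username> <FAIL|OK>'.

    One source IP failing against many distinct usernames is the credential
    stuffing shape; a single user mistyping their own password is not."""
    failed_users = defaultdict(set)
    for line in log_lines:
        ip, user, result = line.split()
        if result == "FAIL":
            failed_users[ip].add(user)
    return {ip for ip, users in failed_users.items() if len(users) >= threshold}


def score_request(req: Request, hist: UserHistory, stuffing_ips=frozenset()):
    """Additive score over the attribute families named in the talk."""
    score, reasons = 0, []
    # Device attributes
    if req.device_fp not in hist.known_devices:
        score += 25
        reasons.append("new device fingerprint")
    # Network attributes: location, reputation, and our own stuffing detector
    if req.country not in hist.known_countries:
        score += 20
        reasons.append("unfamiliar country")
    if req.ip_reputation == "bad":
        score += 40
        reasons.append("bad IP reputation")
    if req.ip in stuffing_ips:
        score += 50
        reasons.append("IP seen credential stuffing")
    # User behavioral analysis: login history and transaction pattern
    if hist.recent_failed_logins >= 3:
        score += 15
        reasons.append("recent failed logins")
    if req.action == "transfer":
        if req.payee not in hist.payees:
            score += 20
            reasons.append("new payee")
        if req.amount > hist.typical_max_transfer:
            score += 25
            reasons.append("amount above typical maximum")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to the amount of friction the user gets."""
    if score >= DENY:
        return "deny"
    if score >= STEP_UP:
        return "step-up"
    return "allow"


# Constructed sample data: one IP spraying five accounts, one user fat-fingering once.
SAMPLE_LOG = [
    "198.51.100.9 alice FAIL", "198.51.100.9 bob FAIL", "198.51.100.9 carol FAIL",
    "198.51.100.9 dave FAIL", "198.51.100.9 erin FAIL",
    "203.0.113.5 alice FAIL", "203.0.113.5 alice OK",
]
ALICE = UserHistory(known_devices={"fp-aaa"}, known_countries={"DE"},
                    payees={"landlord"}, typical_max_transfer=2000.0)

if __name__ == "__main__":
    bad_ips = credential_stuffing_ips(SAMPLE_LOG)
    for req in (
        Request("alice", "fp-aaa", "203.0.113.5", "DE", "good", "login"),
        Request("alice", "fp-aaa", "203.0.113.5", "DE", "good", "transfer",
                payee="new-shop", amount=10000.0),
        Request("alice", "fp-zzz", "198.51.100.9", "XX", "bad", "login"),
    ):
        s, why = score_request(req, ALICE, bad_ips)
        print(f"{req.action:9} score={s:3} -> {decide(s):8} {why}")
```

The point of the three sample requests is the one the talk makes about friction: the routine login from a known device gets none, the large transfer to a new payee is stepped up rather than refused, and only the request that stacks several bad signals is denied outright. A production engine would weight and calibrate these signals from real data; the structure (baseline per user, additive or model-based score, thresholds that map to friction levels) is what the example shows.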
