Interview

Trends, Innovations and Developments in the CIAM Market


Consumer Identity and Access Management (CIAM) is an emerging market with a strong demand for solutions. Especially with the increasing digitization of the workplace, the market is growing and there are more and more vendors entering this market. Our analyst John met with Sadrick Widmann from cidaas, one of the leading IAM solutions in Europe, to talk about the importance and relevance of CIAM.

Hi, this is John Tolbert. I'm Lead Analyst here at KuppingerCole. And today I'm joined by Sadrick Widmann of cidaas. Hi, Sadrick.

Hi. John, warm welcom from my side. My name is Sadrick, I'm CEO of cidaas, the leading European Identity and Access Management solution.

Welcome. Today I think we'll talk about that consumer identity and access management market and some of the trends and innovations and developments that we've been seeing there. You know, CIAM, as we call it, has been around for a good decade plus in many cases. And there are just more and more vendors getting into that market because, you know, it's a burgeoning market. There's there's a lot of need for solution in that space. We've seen, you know, an increase in digitalization, you know, over the last few years, especially, you know, in response to the pandemic. Everybody's doing business online. It's a it's a requirement, really, to just stay ahead these days. So not only is it a requirement to have it, but we've seen the types of use cases that CIAM helps to address, just really expand a lot in the last few years. And one of the things that I thought we could talk about is the you know, the increasing need for verified identities on the consumer side. You know, for a long time, you know, when a new employee comes on board, there's an expectation and need for proving that that employee is who they are, you know, to a certain degree. And of course, on the consumer side, that's been true for certain industries like finance, banking, where they have anti-money laundering laws and know your customer laws and regulations that have to be followed. But, you know, what we're seeing now, is more of a need for that same kind of getting to know the customer for other industries.

And they're looking to consumer identity and access management solutions for that. You know, one example is, you know, the hospitality industry where, you know, short term rentals, they are wanting some proof of who's going to be staying in a property. So there's a little bit more to the registration process than there used to be. Well, so how would you respond to all that, Sadrick? What are you seeing in the market? What are some of the emerging trends, especially around, you know, verified identities or anything related to that?

Yeah. Yeah, I totally agree with you, John. So, we also see a broad range of use cases for verified identities. So as you mentioned, starting from the regulatory environments like banks and insurance, that's where and digital identity verification processes are important. For example, for opening an account or getting a loan. But also, as you mentioned, use cases for non-regulated area environments.

So mobility, as you mentioned, renting a new scooter or renting a car. But also when rentals, if you consider retailers, you can rent a van to transport the products just purchased. So there's a really broad range of different use cases where and verified identities or the digital identity verification process itself is required. And I think it will grow, especially in the future.

Much more because the verification of a user and the identity of the user itself will be an integral part of the of the user identity in the future.

Yeah, I definitely agree. You know, one of the things I've noticed, you know, as we're working on our update to the CAM research, you know, a lot of vendors either have or they're partnering with third party service providers that make, you know, what I would call like a remote onboarding application, you know, usually mobile based, sometimes web based, and that can help with identity proofing.

You know, sometimes they can read information from, say, the chip on a passport or a national I.D. card you know, over NFC. And then, you know, they could read barcodes, you know, with the camera and then they even match the official picture on the document to a selfie. What sorts of capabilities are your clients looking for? Our clients are mainly using approach, which is called auto ident.

So that's basically a video stream which is analyzed by artificial intelligence. So automatically detecting ID document features of the ID document as well as the user interface of the user doing the match if possible, with a document image as well as the user. And there are some reasons for that One reason is NFC is quite comfortable, but not all documents provider NFC chip or barcode today.

So this visual approach provides some flexibility to analyze or detect different documents. For example, driver's licenses often don't have an NFC chip, so it will be hard to use these methods. So the origin and approach itself is really a benefit and then that audit approach is quite convenient for users. So it's not like the traditional video don't approach where you have to talk to an agent, let's say opening a bank account 10 p.m. in the evening.

You don't want to talk to a person for ten, 15 minutes. It's just more comfortable and comfortable. If you do audit and approach, hold your I.D., document, passport by vehicle, driver's license into the camera, smile, and then it's done. So that's much faster and much more convenient for the user. Then you know, I've also seen, you know, I'm aware of this kind of technology being used more and more for, you know, what some would call the B to E business to employee or workforce use cases.

I mean, especially since the pandemic started, you know, people have changed jobs they don't necessarily go in that office to get a a new badge. So, you know, you can use a remote onboarding app the same way for bringing a new employee in as as you would for signing up a new consumer for a bank site. Do you do you see the same kind of interest for workforce use cases, too?

Yeah, definitely. So we see a tremendous race and workforce use cases as you mentioned, especially during the pandemic it started. So nowadays during the pandemic, onboarding procedures just changed. So people are not coming site for onboarding, but it's more like a site onboarding where you have like completed your process of signing up, after which late entry verification and configuring your authentication methods lock in credentials, multi-factor options as well as compliance processes what you have to finish during the onboarding process.

So we see a big reason that started from the pandemic, but also now onwards where like this remote work is more entrenched and it's more require to identify the employees. But also in the context of our business, it's becoming more and more important. So if you have any supplier subcontractors also there, it's quite interesting to identify and the users and a person's working jointly with you.

Yeah, you know, that's a good point. I mean, the working arrangements these days are far more complicated than they used to be too. So having ways to, you know, say remotely bring on contractors and get some identity verification to that I think is probably beneficial for for everyone what what trends do you see in the horizon for identity proofing in general, especially with regard to this, you know, remote, remote onboarding kind of capability?

Yeah, I think definitely different trends. And that one big trend will be that the onboarding or the process of digital identity verification in general will be even more comfortable for the user in future because that's made competitive advantage of these processes. If it's comfortable users will do it. If not, they will stop doing it. Additionally, I think there will be a race between attackers and providers of such services.

And considering, for example, the automated approach with video streaming, their new attack patterns arise. For example, and deepfakes and all that same attack patterns will arise in different other sectors. So also there it would be a race in security features. What these processes would provide to really securely identify the identities. One big trend what I what I Chris to see coming is the reuse of verified identities.

So if I consider myself opening a bank account, I will do a digital identity verification process confirm it's me such treatment. And then in the next step I want to apply for a loan. I don't need to do a new digital identity verification process. I can trust reuse my verified identities in the latest step, so maybe two months later when I apply for a loan.

So I think the trend of reusing of verified identity sort of combination of the verified identity to a user account where I later can log in and reuse all the safe information, I'm quite curious to see how that will emerge in the future. So really acting as like a fully digital version of myself. Yeah, I agree. You know, once if you can trust the process, the identification of the individual, that verification process, that event, itself should be able to, you know, be reused within, say, a certain period of time for similar use cases.

Of course, there's you know, a bit of risk analysis. I would assume that most organizations they're going to trust that already verified identity would want to go through. But yeah, then anything that you can do to reasonably, you know, reduce the friction, you know, onboarding experiences can be somewhat frictional. And, you know, I think as consumers, we all expect a certain amount of that.

But if you can make it convenient and show the consumer that there's a value or a benefit for doing that, then I think it's something that is more easily accepted you're correct. I think that the combination of the time based aspect as well as the the risk based analysis what is what can be ensured. So if there's no suspicion, then a reuse might be possible.

And then if not a new process needs to be started. You're right, right. Yeah, that's that's a good point.

So, you know, we we can say that we have seen, you know, in my preliminary research at least that there's much more need for identity proofing, you know, across industries and places. Like like I said, you know, in hospitality, you know, some of the other trends that we see are around password less or, you know, making more and more use of what we call risk based analysis for authentication.

What do you see on the on the password list and risk based authentication? So I see a huge interest in that. So on a lot of the topics and taking to close authentication, I see a huge benefit for user come forward there as well as for security. So considering the biometric device biometrics, for example, that's already well known and feature for most of the users and I think it will provide a could use a computer.

And additionally, I think the most common attack patterns are still brute force phishing and below that. So they're really focused on on passwords. So passwords Authentications will also provide a really benefit, a real benefit in in a security perspective considering our platform, we see more than hundred thousand of slogans and per week. So we already see a bigger number there.

And I think that will be a tremendous increase in the coming months. And in the coming year and choose to see about that same as for risk based authentication. So we have a smart interface functionality which basically allows multifactor risk based. So when there are suspicious behavior, we'll ask for multifactor. If there's no suspicious behavior, maybe a single factor will be sufficient.

So that allows us to combine especially also the security and to use a for perspective. And I think that's quite important because to use a code for is a preliminary for all the activities on certain platforms. So the balance between security and comfort is quite important. So both risk based authentication as well as the possible authentication are really developments improving to use a for and therefore providing a better convenience here.

But I think there's also a few more things coming up there which you also focusing in your research which are quite interesting for the future yeah. You know, I think I will focus on, you know, the IOC talking about things like, you know, improving the consumer experience and, you know, risk based analysis is is a real I won't say easy, but at least it's something that's certainly addressed very, very well.

I think by seeing platforms, it's just that many of the the companies that buy these don't really fully deploy all the capabilities that these solutions have. You know, and like you were saying, if there's not much change in the context of a request, then, you know, don't necessarily need to ask for ask the consumer for an explicit multifactor authentication.

I mean, because that in itself adds friction. That's something that, you know, might convince a consumer that this this site, this this company is too hard to deal with. I'll find somebody else that's that's easier, you know? So you're right. Getting the amount of friction, right? Using technologies like password lists and the risk based authentication you know, I think definitely need to be more fully utilized by both companies and consumer consumer facing businesses today.

Yeah. I also think if you consider password less and if I remember we two had a very nice 2018 where we talked about our readability notification feature. So also there the goal is to connect the digital and the real world identity. And considering the real world identity passwords are not are not a good use case because in the real world you might not use a password at any smart TV or anything.

So there are other capabilities used to authenticate there and same is if you want to enter, for example, a stadium or enter like an event, you don't want to enter a password to authenticate yourself. You use other technologies or concepts like NFC barcodes, QR codes, things like that to authenticate yourself so there they're also two authentication is password less.

So I think that's also a big trend. Yeah, for sure. You know, on the whole Xoom see, I am still a growth market and probably it will remain a growth market for, you know, the foreseeable future. So that means there's lots of opportunities for, for vendors in the space, lots of room for improvement by consumer facing businesses that are adopting it.

What what do you foresee as growth in the market, what you know and how would you help customers that are getting into it to get the most out of their Kam solution? Yeah. So first of all, yeah, you're probably right. So CRM is definitely a growth market and we see many of the customers we are interacting with who are just starting with a CRM with the forms itself.

So there are many, many companies out there which didn't start in the field of identity nexus management, at least not for customer customers. So there's a real big group of companies which didn't at any starting point with that on the area. So it's really it's a real growth market and we support in particular B to B and B to see use cases.

So starting from an extensive set of authentication options, including MSA methods for a B2B use case list and also a group management or self administration capabilities where our customers provide their customers, which are then B to B, so companies or partners interacting there with a capability to manage their users on the customer portals, but also privacy related topics of our features which are of use by our customers.

So in the context of GDPR, the advanced quantum instruments are agreeing to terms of use content linked to transferring the information, user data or other data to partners or subcontractors. So different use cases where privacy is in place. So we see many use cases and we can support our customers and we happily pushing them forward I also mentioned a readable ID, so innovative features like that are quite often used for accessing, as I mentioned, stadiums, for example, where the context of soccer or football.

So there are really a broad range of use cases where our customers are utilizing our platform and we're happy to push that forward in the future and seeing to see unlikely to grow further and provide a good user experience to end users you know, that's interesting because I think you bring up a good point there too about, you know, sometimes we think too rigidly about B to C, B to E, there are a lot of B to B to C kinds of use cases or just even, you know, business to business, you know, kinds of customer arrangements that sort of fall into this middle ground between regular IAM and C and you know, the subject

you're bringing up there too about what I would call physical access controls. You know, that's something that might have been more traditionally on the on the workforce side, you know, letting employees into buildings, but, you know, letting letting ticketholders into sports events or other events. You know, I think that's it's really interesting crossover cases. And I think that really illustrates that there's huge growth potential here.

By combining these technologies and using the best of both to solve more and more kinds of use cases. Yeah, I agree. So I think especially there are many use cases just to use cases where single sign on multifactor and authentication is important. And then the use case has become more and more complex and extending to all different areas, including physical access.

And that's I think that's also makes it quite interesting to see how to market develops in the future. Yeah, definitely.

Well, great. Thanks for joining me in today's center. It's really interesting conversation. Thanks for having me today. Was this always great to speak to you and hopefully see you soon on the European Agenda in Law Conference in Berlin. Yes, thank you. Thanks, everyone, for watching. Thanks.

Video Links

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00