If your company wasn’t a software company before, it likely is now. A Twilio study found that 95 percent of companies are seeking new ways of engaging customers as a result of Covid-19.
The pandemic has produced a boom in the number of custom applications being created for end-users (this is why your local coffee shop now has a coffee bean subscription service). And almost all applications today (83 percent) require customers to authenticate in some way to access these services.
Customer Identity and Access Management (CIAM) is the subset of identity management that concerns who you are and what you can access as an end-user. CIAM solutions from industry-leading providers are safe and trusted, and can be used to give access to digital services, as well as to secure data for those users.
But like much of the deep tech world, CIAM has a branding problem. Despite the massive migration online, the perception of CIAM has seldom advanced beyond ‘a login box.’ Even now, this tip-of-the-iceberg mentality is causing companies to miss out on the revenue and trust benefits that CIAM is capable of delivering.
CIAM is how people access the digital world
If we’ve learnt anything about how we interact with technology, it’s that we’re impatient and have high expectations. Just think how many times you’ve abandoned a service because you’ve had to create a new password or fill out a long registration form.
By the way, the same is true on the security front. One study found that 41 percent of British consumers would abandon a brand forever after a data breach, compared to 21 percent of their American counterparts.
Attracting, retaining, and converting customers have been enormous challenges for companies since the dawn of the internet. But the ‘Amazon effect’ of marketing to a generation that has grown up with digital technologies has made making a good first impression more important than ever. I’m constantly reminded of this by my kids, who fit this description.
Adopting CIAM gets directly at the heart of these challenges. Consumer expectations come in three flavors: convenience, security, and privacy. As the front door of your brand, a major target for cyberattacks, and the point at which consent is collected, customer identity solutions have been shown to help companies address these demands without compromise, while removing the burden of identity from their development teams.
Missed opportunities for loyalty and revenue
To be clear, many companies have already invested significant resources in managing customer identities. The most common problems are that they’re either using rather limited identity functionality as part of another software platform, like Shopify, or they’ve built and maintained the system themselves.
In both cases, companies have effectively blocked themselves. We’ve seen many examples where identity is tied to singular applications, making it difficult to launch new ones. Likewise, developers who should be working on differentiated capabilities are instead ensuring the identity system can stand up to the latest authentication methods, cyber threats, and privacy laws.
As the pandemic continues to shine a spotlight on access management solutions, business leaders have an opportunity to think about CIAM as a strategy, not just for one application, but across their entire organization. Only then can they use customer identity to generate revenue in the form of branded experiences, friction-free access for customers, and a development team focused on innovation.
One notable example of a company that’s doing this is Arduino. Best known for their electronics hardware and IoT kits, Arduino has 19 different web apps in addition to their main website. Their main website alone attracts more than 33 million visitors each year, not to mention the e-commerce shop, resources geared toward educators, and forums where creators can share and discuss their projects with the community.
As is typical, they had built their own customer identity solution based on open-source tools, maintenance of which alone cost two full-time employees and carried the risk of security bugs. Plus with Arduino’s aims for rapid growth in IoT, this didn’t scale.
Having looked at CIAM as a strategy, Arduino was able to implement a Single Sign-On solution, so that a user who logs into any of their apps is automatically logged into the rest. They also enabled social logins with Google and GitHub, fan-favorites among their community. Logging in now takes less than a second, and Arduino has achieved 20 percent month-over-month growth in user conversions.
In a technology industry that lives and dies by conversion rates, this is more than a splash of positive news.
Modern defenses against automated attacks
Verizon’s latest Data Breach Investigations Report (DBIR) found stolen credentials are used in 80 percent of web application breaches.
This really isn’t surprising, when you think about it. Despite continually being advised not to, people reuse passwords across multiple accounts. If an account’s credentials (username and password) fall into the wrong hands, they can be used in large-scale automated, bot-driven attacks against other sites, looking for successful hits. These so-called credential stuffing attacks will work in some cases when details have been reused.
Defending against credential stuffing and other modern, automated attacks is risky business in itself. Part of the reason cyberattacks are still happening is that the perpetrators are constantly evolving and improving their methods. This means that defenses need to evolve and improve too. It’s essentially an arms race, and those responsible for building identity security into their apps are often on the front lines.
Once again companies have found a solution in the fated ‘login box’ of CIAM. With login data consolidated in one place, companies in the retail, financial services, and digital media sectors are using CIAM solutions to identify patterns that could signal an attack, such as known breached passwords among their user base, or a burst of traffic likely attributable to a bot or script. A centralized system also simplifies compliance, for example, in the case of auditing or when a user exercises their right to be forgotten.
CIAM data can also be shared with log streaming platforms like Datadog or Splunk and used for threat intelligence monitoring by DevOps and security teams. In a sense, CIAM is a silent defense system, stopping malicious login attempts and fines before they happen.
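To make the "burst of traffic likely attributable to a bot or script" pattern concrete, here is an added example (not from this article or from any CIAM vendor) of how consolidated login events can be scanned for credential stuffing. The event format, function names, sample data and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_events():
    """Constructed sample login events: (time, source IP, username, success)."""
    t0 = datetime(2021, 1, 1, 12, 0, 0)
    events = []
    # Scripted source: 8 different accounts in 14 seconds, one reused password works.
    for i in range(8):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7", f"user{i}", i == 5))
    # One person mistyping their own password twice, then succeeding.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.4", "alice", ok))
    # Shared office address: several different users, all succeed.
    for i in range(6):
        events.append((t0 + timedelta(seconds=5 * i), "192.0.2.9", f"staff{i}", True))
    return sorted(events)

def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, max_success_ratio=0.25):
    """Return {ip: time of first alert}.

    A source is flagged when, inside one sliding window, it has tried at least
    min_users distinct usernames and at most max_success_ratio of those
    attempts succeeded. Thresholds are illustrative assumptions.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:   # drop attempts that fell out of the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if ip not in alerts and len(users) >= min_users and successes / len(q) <= max_success_ratio:
            alerts[ip] = ts
    return alerts

def accounts_to_reset(events, alerts):
    """Usernames a flagged source logged into successfully: candidates for a forced reset."""
    return {user for _, ip, user, ok in events if ok and ip in alerts}

if __name__ == "__main__":
    evts = make_events()
    flagged = detect_stuffing(evts)
    print(flagged, accounts_to_reset(evts, flagged))
```

Counting distinct usernames rather than raw failures is what separates stuffing from a single user's typos, and the success-ratio check keeps a shared office address from being flagged.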
The real tip of the iceberg
It’s abundantly clear that the pandemic has accelerated the move to the cloud and development of new digital services for customers. Less clear, and often overlooked, is how companies plan to drive account creation and retention for these services in a simple, secure, and efficient way.
As the proliferation of cloud-based applications continues, I’m encouraged to see more private and public sector organizations alike embracing CIAM as part of their digital strategy. Privacy-enabled authentication methods, like Sign in with Apple; biometrics seen before only in Sci-Fi films; and adaptive security features that introduce friction only when necessary have all ignited mainstream interest in this long ‘techy’ industry. In this sense, we’ve only just scratched the surface of what CIAM is, and the value it can provide.
Jasmit Sagoo, Head of Solutions Engineering, International, Auth0