Petya Petrova - Fotolia
The top thing to keep in mind when embarking on consumer identity projects is to ensure the signing up process is easy, according to John Tolbert, lead analyst at KuppingerCole.
“Consumers or citizens just want to get things done and are not overly concerned about the identity piece, but they will abandon the sign-up process if they find it overly burdensome or if it asks for too much information,” he told Consumer Identity World Europe in Amsterdam.
Next, said Tolbert, it is a good idea to provide a choice of authentication methods that not only reduce risk, but also provide a good user experience.
The desire to move away from things like passwords and security questions, he said, means things like biometrics are becoming increasingly popular.
In the longer term, Tolbert predicts behavioural analysis will become one of the most popular ways of authenticating users, especially from session to session.
“Despite the decline in popularity of social logins since the Facebook-Cambridge Analytica scandal, this continues to be a popular authentication method and is a viable choice to offer, especially when used in conjunction with things like device fingerprinting behind the scenes,” he said.
One time passcodes, are also still popular as an authentication method, but Tolbert said organisations planning to use them should thoroughly research the options available and choose one that is secure and avoids common security problems.
Other authentication methods to consider, said Tolbert, include the growing range of smartphone-based authentication apps on offer to authenticate users for a particular service or, more interestingly, authorise transactions.
Consumers also want to connect to smart devices, and adding to the identity management challenge, these devices each have an identity. “So we need some way to associate device identity with a consumer identity,” said Tolbert.
“A lot of consumer identity suppliers are now beginning to support Device Flow as a way of associating devices with digital identities for consumers, but this is an area that needs quite a bit more standardisation because we are going to need a good, secure way of managing the billions of devices expected to go online in the next few years, which will be difficult without standards.”
While security is not top of mind among consumers when they choose online services, Tolbert said there is an unconscious expectation that their data will be secure, which service providers should always keep in mind.
Common features of a CIAM system, he said, include self-registration as an easy way to get started, progressive profiling to gradually build up a data picture of the consumer, and collecting data within the guidelines set by legislation like the EU’s General Data Protection Regulation (GDPR) to build a 360-degree view of a consumer and all they have consented to.
“There is growing discussion about whether CIAM is the next generation of CRM [customer relationship management],” said Tolbert.
“For companies that are doing direct consumer marketing and sales, CRM might not make as much sense. With CIAM retailers get consumer information directly, so there is no need for sales to put it into a CRM system for marketing and marketing automation,” he said.
Another trend to be aware of, said Tolbert, is that just like employees are bringing their own devices to work, consumers are bringing their own identity, so CIAM systems need to include ways to use common OpenID Connect kinds of accounts.
A common challenge in CIAM is ensuring a fairly consistent user experience across all communication channels. “Whether we are using a PC, mobile device or set top box, we all like things to look and feel the same or similar,” said Tolbert.
A key difference between enterprise identity and access management (IAM), he said, is that IAM scaled well to hundreds of thousands with lots of access control decisions going on in the background, but with CIAM, there are a lot of companies that have billions of consumers and device identities that the manage.
“The scale on the consumer side can be orders of magnitude greater, so any organisation planning a CIAM system needs to keep the scale factor in mind.”
The consumer data that can be collected can be used broadly for identity analytics or marketing analytics. “By tracking things like registrations and incomplete registrations organisations can be alerted to problems such as asking for too much information up front, and adjust their sites accordingly,” said Tolbert.
“A lot of the identity analytics information, such as failed login attempts and password resets, is good to feed into a Siem [security information and event management] system for security analytics processing,” he added.
On the marketing side, Tolbert said the information collected typically includes demographics such as age, gender and location, search history, purchase history and relevant social media activity. “Again, service providers must make sure they get consent for collecting these types of data.”
When it comes to CIAM design considerations, organisations can either start with the cloud or run it in their own datacentre. “That needs to be an upfront decision for any CIAM project because that will guide your choices about which suppliers are the most appropriate,” he said.
The next upfront decision is whether to adopt a do-it-yourself approach or simply to use a service. “If you are doing it in your own datacentre, you are probably going to be doing it more of it yourself. Otherwise, there are turnkey services available, where you can sign up and brand it the way you want, but the service will take care of all the infrastructure, software, upgrades and storage.”
The CIAM market is evolving, said Tolbert, but currently there are three basic kinds of systems available. The “all-in-one” system, which is typical of cloud-based services, where they include CIAM, which can also pull in fraud and risk information from external sources to mitigate fraud, as well as security analytics and tie-ins with other identity systems to do identity and marketing analytics for the client organisation.
The “modular” approach, said Tolbert, lends itself to putting CIAM in an infrastructure-as-a-service cloud or building it in a company datacentre. “This means companies can pull data out of the CIAM system for use with their own marketing and identity analytics applications, fraud mitigation systems and security systems.
The third option is to adopt an “identity API platform” approach, which is best suited to companies that have only one or two line of business applications and they “just want to wrap an identity layer around them” without buying a complete CIAM system.
“There are some open source or freemium API and security packages to which you can wrap those line of business applications, and then also do your marketing and identity analytics outside of that, as well as fraud reduction and security integration,” said Tolbert.