
The Evolution of CIAM

Why the 'solved problem' of customer identity access management continues to be unsolved

December 11, 2020

You see something you want on the internet, provided you have the funds, you click, and you buy. From the business side, you receive the data from the click and provide the goods or the service.

Whether you understand the underlying technology or not, this can seem like a problem that's been solved for a long time, especially when you've had years of Amazon packages reaching your doorstep.

(Gentle spoiler: Part of the reason we created Auth0 was that we didn't see this as a "solved problem"; we saw a lot of potential for the experience to be improved, and we also saw a world becoming more complex and subject to threats.)


From 'Nobody' to 'Target'

In the beginning, I think consumers tended to see the process of registering for a website or logging in as an annoyance rather than something that was front and center. "Of course, I need to log in, but who cares? I'm going to use my very original password. And who's going to check that I'm using the same password for ordering tasty sandwiches, for ordering off eBay, and for my bank account? After all, nobody knows me." Most people in the world are not famous, and so they believed that anonymity would keep them safe because who would target an unknown person?

This clearly changed over time. Consumers suddenly started having problems remembering passwords, having their accounts hacked, dealing with getting locked out of an account, having multiple accounts for a website, or experiencing problems logging in. As our lives transition to all things being digital, and consequently, with more online accounts than ever, the problem got worse.

I believe we have proved that old problems have a nasty tendency to appear again. History will repeat itself, and in some cases, with new force.

So Customer Identity Access Management (CIAM) was a solved problem that got unsolved again as our context evolved.

In fact, it was becoming worse every day because, in the process of creating strong customer experiences, organizations had been gathering and keeping a lot of data… and bad actors had realized that you didn't have to target a famous person to see a return on nefarious deeds — average people could be lucrative targets, too.

And as a lot of people — famous and average — turned to the internet for business, and for all things in life: education, healthcare, food, and entertainment, more value was out there to be stolen. This year has only accelerated this process.


Mix in Complexity

Another aspect of today's reality is that an average middle-class house is also becoming more complex with crisscrossed and interconnected systems.

Just pause and think about all the devices and software you likely interact with on a daily basis.

You wake up. Your watch might have been monitoring your body all night. If you're like me, you head out for a run. Your watch or other wearables keep track of your running stats, or if you were going to the gym, your phone knows you are going there, so it shows the fastest route. Then take a shower and jump on the scale, which is WiFi enabled and sends your weight to your phone. Then you likely check your email or Slack; or have an early Zoom with colleagues. Then maybe you log into your bank. Then your kids' school assignments. Maybe it's getting chilly, so you alter the temperature in your home from your phone and send some music to get your day going through your home speakers.

There's a whole myriad of systems that are part of my daily routine, and they are all different. They are also all built, designed, and marketed by different companies. According to Think with Google, the average person has 35 apps on their phone, plus apps that may be on other devices.

And while they're all supplied by different vendors, they all have one thing in common:

They need to know who I am.

And who my family is. And what is the relationship between all the members? What is each person allowed to do (and not do, like rearrange my favorite playlist)? As well as those outside people and organizations that we deal with.

It's pretty sensitive.

The cameras in my home are watching my family, and my bank has my financial information. My health records, even my gym schedule — everything is pretty sensitive information.

The problem space has exploded in complexity. The old ways of solving these problems don't work anymore.

Even if you go with a password that is more complex than "password," we're dealing with literally tens, dozens, or in some cases hundreds of applications that we need to interact with all the time. Now people are conscious that everybody is a target. That awareness of the situation is actually influencing the nature of the problem to be solved.

The Case of the Flawed Candy Surprise

Thankfully, the mindset of consumers is changing. It's a funny story and a good example of how consumer behavior and expectations are changing (for good). This is what happened recently when I tried to surprise my mother.

My mom lives in Argentina. With travel restricted, I haven't been able to see her for a while, so I ordered a box of chocolates online and had them shipped to her home.

Remember, this is meant to be a surprise, and a good one. Instead, it turned into a somewhat scary moment for her. When a random guy appears on her doorstep at 7 p.m. saying, "Ma'am, I have your chocolates," she simply says, "No, I didn't order any chocolates. I'm not going to fall for that." Here we have someone involved in a relatively minor transaction rejecting it as suspicious. She knows she didn't order anything, it's kind of late, and I've never done that before. The context of all this raises some alarms.

Now it's pervasive. We are all on the watch. My mom rejected my chocolates and called me very proud, saying, "You know what happened to me? Somebody tried to trick me by pretending that I had ordered chocolates, and they wanted me to sign for them and show my identity card, so I rejected the package."

So now I have to do "multi-factor authentication" to send my mother a gift. "No, Mom," I say. "That was me. I was trying to send you a surprise. I'm going to send you another gift, and it will arrive on this day, and you can accept it."

I ended up sending another present. This particular use case also presents some interesting challenges from a user experience perspective, but that would probably require its own blog post.

The bottom line is, like, it's very complex. It's not solved from a technical point-of-view or from a consumer end-user point-of-view.

The Future Is Already Online

A recent Twilio survey found that COVID-19 has accelerated organizations' digital transformation by an average of six years. Some of our customers have said as many as seven or even 10. What does that mean for the average person?

The world that we're in has forced a lot of interactions in our lives to happen through a computer; whether the computer is an actual computer or a phone is irrelevant. And this has reached all levels of society.

The digitalization of interactions has accelerated. Everybody — organizations and end-users — needs to drive more and more with systems and software. And they all have one thing in common. It doesn't matter what they do — they need to know who you are to perform their function.

Are you a subscriber of this newspaper? Do you own this account in this bank? Do you have this insurance policy? Are you a member of this club? A member of this gym? Are you a student from this class? Are you entitled to contribute to this particular campaign? Identity permeates everything. It has become a fundamental construct in all systems.

These completely unrelated systems all need to know who you are and then decide what you can do.

And businesses are now expected to not only keep pace with this change but remain ahead of it.


Immediate CIAM Challenges for Businesses

Because Auth0's been in identity for a while, I get asked a lot of questions about where the identity industry is going, in particular CIAM. It's really fun to think about things like intelligent agents having authorization to do things on your behalf and other topics, but faced with the rapid pandemic-induced shift online, I see a handful of immediate challenges for businesses.

  • Companies will have to continue to fine-tune security and user experience. Shaping the customer experience often means exploring trade-offs between security and user experience. Finding that unique balance for a particular use case is part of why extensibility is such a large part of Auth0. But with the increase of Zoom classes and meetings, the number of bad actors coming for customer data has also increased. Given options, consumers will naturally migrate to the one who is more protective.

  • Companies that know their customers best will succeed. Understanding your customer is key to delivering experiences to keep them returning to your brand. With increasing data privacy laws, that means securing customer consent to share information. PwC research found that providing great experiences means access to more information — 63% of respondents said positive experiences made them more willing to share information. But not understanding your customers' expectations can have rapid negative effects. A third of those surveyed said a single bad experience would cause them to abandon a brand they love.

  • Only companies that don't make it hard to onboard or log in will be successful at retaining customers. With COVID-19's acceleration of digital transformation, customers have accelerated expectations. As companies expand partnerships, they're drawing data from multiple sources and often asking customers to traverse multiple brands during their buying journey. Partnering with other businesses often means introducing legacy challenges at a time when it's increasingly important to get your product to market to deliver seamless experiences across brands and loyalty programs. Customers expect your solution to suit their needs — in real time.

  • Privacy will be paramount. The ironic silver lining of data breaches is that they have raised awareness for the average person that their personal data is valuable and deserves to be protected. For organizations, this means starting to think of data as a liability. But at the same time, customers expect organizations to recognize them and only pause their interactions during key moments — like when they need to make a payment or share sensitive health care information. There's a lot of complexity around how much data to gather, how long to store it, and when you might need to ask your customer to interrupt their experiences with additional verification. Data privacy laws, in effect, shift the power back to the consumer because breaches aren't just about accidentally letting someone into the database, but neglectful care of the consumer data and trust.

As Dave Limp, Amazon Senior Vice President, Devices & Services, said at the 2019 Geekwire Summit, "Sometimes there are gray areas, and then you don't know how to write code." Figuring out the right mix of security, privacy, and convenience that provides the ideal experiences for your current and future customers isn't easy, but that's part of why we created Auth0.

Code vs. No Code

Solution architects and developers are tasked with building things from scratch. The key is choosing the right building blocks. With very few exceptions, no one would build a database from scratch. Or re-invent a new communications protocol. And this is true for the vast majority of applications that businesses need. The role of the application builders has become deciding what they are going to build on and what they will make themselves.

There isn't one out-of-the-box solution that will satisfy every legacy, security, privacy, convenience requirement that allows you to rapidly scale for the future. While many CIAM solutions are consolidating, there is a real risk that the solution only solves for the challenges the solution sees at the moment and not for a future when you might need to send your mother in Argentina a box of chocolates during the pandemic.

The power of Auth0 is that it provides developers with out-of-the-box power for the most common requirements and the building blocks of identity that allow them to build on the foundation of a modern approach to application development.

But application builders are a skilled bunch, and sometimes your marketing team wants to test rapid changes, like, for instance, altering the color of the login box to adjust to a brand change. These kinds of changes can easily be handled by the marketing team and allow you to save your developer for more complex problems, like solving for future needs. There will always be things that we think of as advanced features that every customer will come to expect.

But the very best CRM (customer relationship management) systems operate completely behind the scenes. And this is not to be underestimated. This kind of invisibility doesn't just happen naturally. It requires grace and skill on the part of an organization's team as well as the identity vendor (ideally Auth0) they choose to help deliver that experience, because the best identity experience for your customer is the one that pretends not to exist, so that your customer doesn't have an annoying interaction with a login box but signs in directly to your brand.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit
