A Guide to Key CIAM Capabilities and Implementation Blueprints (CIAM-Part 3)

Razi Chaudhry
Feb 11, 2024


This guide outlines important CIAM capabilities and effective implementation options. It covers Customer Experiences, Identity and Access Management features, and solutions for Single Page Applications (SPAs).

This article discusses how adaptive customer-centric customer identity and access management (CIAM) capabilities are essential for digital transformation and integration with emerging digital ecosystems. By dynamically managing customer identities and access across channels, CIAM allows organizations to deliver seamless, personalized experiences across an expanding set of touchpoints. This helps build customer trust and loyalty while streamlining processes like onboarding, authentication, authorization, and identity governance. Well-implemented CIAM also improves security by strengthening access controls and reducing vulnerabilities from outdated or inactive credentials. As digital interactions proliferate, CIAM will remain a core pillar for enabling frictionless customer journeys and maximizing value in an increasingly distributed and connected business environment.

  1. Its Purpose and Benefits in Today’s Digital Landscape
  2. Explaining the blueprint for an adaptive CIAM
  3. CIAM Capabilities for Customer & Experiences
  4. CIAM Capabilities for Identity & Access (A)
  5. CIAM Capabilities for Identity & Access (B)

Key Capabilities of Customer Identity & Access Management (CIAM) :

The capability model provides a framework for understanding the interplay between customer experience and security, enabling organizations to strike an appropriate balance between these important priorities. By modelling their capabilities, companies can gain insight into how different customer experiences and security strategies impact each other, supporting decisions that maximize benefits for both customers and the business.

Note: In my CIAM capabilities model below, privacy and consent management capabilities are included under the user profile management function. Specifically, the ability to manage a user’s privacy settings and consent preferences is considered a key sub-capability of user profile management, which allows customers to have fine-grained control over how their personal data is used. This hierarchical organization helps customers understand how a CIAM system is designed to integrate privacy, consent, and user preferences throughout the user experience. User profile management serves as the central place for a user to indicate their privacy and data-sharing preferences. These preferences can then be respected by the system wherever a user’s data is involved.

Key Architecture Capabilities of Customer Identity & Access Management (CIAM):

Figure: Customer Identity & Access Management (CIAM) Capabilities

Customer Self-Service Portals

Many customer experiences would benefit from CIAM capabilities that streamline processes like onboarding, registration, authentication, profile management, preferences, consent, delegation administration, and more. CIAM can help provide a seamless digital experience for users while also giving businesses more insight into customers and better tools to engage with them online.

Leverage Out-of-box Experience vs Custom-build Experience

CIAM platforms offer some of these experiences out of the box, balancing a streamlined, universal user experience against the brand’s unique requirements for a differentiating customer experience. Here is how CIAM platforms and custom-built solutions compare in terms of user experience and brand distinction:

CIAM Platforms for User Experience

  • Out-of-the-box functionality: CIAM platforms come pre-built with common authentication workflows, registration forms, and user interfaces. This allows companies to quickly implement standardized and secure authentication experiences with minimal customization required.
  • Easy integration: CIAM platforms offer out-of-the-box integrations with many authentication methods like social logins, multi-factor authentication, and biometrics. This significantly reduces development efforts compared to building these integrations from scratch.
  • Rapid deployment: New solutions can be deployed on CIAM platforms much faster than custom development cycles since they leverage pre-existing features and integrations. This gives companies the flexibility to quickly respond to changing business and technology needs.
  • Scalability: As user bases grow, CIAM platforms can easily scale authentication services through their cloud-based architectures. This ensures authentication processes remain high-performing and reliable as traffic increases.
  • Security expertise: Vendors focus on security best practices and compliance within their platforms through features like access control policies, audit logging, and identity governance. This offloads part of the security burden from internal development teams, although the brand still owns the integration: redirect URI registration, token handling inside its own applications, and the configuration of the policies the platform exposes.
  • Customization and Branding: These capabilities are important for aligning the user authentication experience with an organization’s overall brand identity and visual style. The platform should allow for customizing elements like login pages, registration pages, and authentication flows. It should also support multi-brand or per-tenant models, enabling brands to white-label their sites and authentication processes for customers or partners. This helps present a consistent branded experience across an organization’s different properties and relationships.

Custom-build Brand differentiation for User Experience

  • Brand differentiation: Custom-built solutions allow organizations to craft unique user experiences that differentiate their brand and provide value above competitors. A tailored experience strengthens brand identity and loyalty.
  • Customization and flexibility: Organizations can design custom solutions to fully reflect their brand identity, visual aesthetics, and customer preferences. This provides flexibility to innovate and experiment with modern design approaches like design thinking to enhance personalization and emotional engagement.
  • Innovation: The flexibility of custom-built solutions enables continuous innovation. Organizations can gather customer feedback in agile development cycles to rapidly iterate and improve the digital experience over time. This helps stay ahead of competitors with new features, functionality, and an experience tailored to evolving user needs.

Overall, custom-building digital solutions empowers organizations to craft differentiated, innovative experiences that deepen customer relationships and strengthen their competitive advantage in the market. The flexibility also drives ongoing improvements through close collaboration with users.

In summary, CIAM platforms offer a balanced approach between providing a streamlined, universal user experience, convenience, scalability, and pre-built features that are faster and cheaper to launch. CIAM platforms leverage standardized solutions that are already built and tested.

However, custom-built identity solutions provide greater flexibility, allow for more innovation, and give organizations more control over their authentication and authorization processes. Custom solutions also enable brands to better differentiate themselves through a customized user experience.

While CIAM platforms take advantage of standardized, out-of-the-box features, custom solutions require more time and resources to develop but provide organizations with more ownership over how user identity is managed. The optimal approach depends on an organization’s priorities around speed, cost, flexibility, and brand differentiation.

User Registration & Sign-in Experiences

User Registration Experiences

User registration is typically the initial phase in a customer identity and access management (CIAM) workflow. During registration, a user provides their personal details to establish an identity within the CIAM system. This user identity then allows the individual to authenticate themselves for access to various digital services and applications.

CIAM solutions support user-based authentication in user-to-machine (U2M) scenarios, where “user” is the main authentication entity. CIAM platforms provide many features to streamline the registration process, such as self-service sign-up forms, identity verification, email confirmation, password policies, terms and conditions acceptance, and more. These capabilities help onboard new users onto the system securely and ensure their digital identities are uniquely tied to the correct individuals.

Overall, user registration establishes the foundation for CIAM by capturing user attributes and validating user identities upfront, before granting access to downstream systems and authorizing user-to-application interactions.

The level of information and effort required during the user registration process should be tailored to the customer journey stage. A customer’s registration experience needs to be contextualized within their current journey stage, such as brand awareness, product exploration, or purchase. In the early pre-sale stages of the journey, for example, when a customer is exploring products, a lighter registration is typically most appropriate. The goal of this phase is to convert anonymous casual website visitors into registered guest users. These conversions are critically important for business, as requiring a cumbersome registration process may cause users to abandon registration altogether. This negatively impacts the business’s ability to generate leads and reduces the brand’s capabilities to personalize services, engage users with relevant marketing content and campaigns, and further drive the customer along in their journey. An optimized registration experience tailored to the customer’s current needs and stage in the journey benefits both the business and the customer experience.

Digital registration in the early stages of a user’s journey is critical for business success. However, digital users have short attention spans and are easily frustrated. Therefore, the registration process needs to be as seamless and frictionless as possible. A simple, friendly user experience during initial registration establishes the first rapport with a potential customer. If the registration fails to meet the user’s expectations by creating unnecessary friction, the organization may lose the opportunity to make a good first impression and gain that user’s trust and business. A positive initial registration experience is important for converting visitors into long-term customers.

This approach is known as “progressive profiling”: a user’s information is collected gradually through smaller, successive interactions. Rather than requiring extensive registration upfront, progressive profiling collects minimal data initially. As the relationship develops and the user expresses interest in making a purchase, a more thorough registration step can prompt for additional details. This just-in-time approach balances data collection needs against a smooth user experience. The details requested depend on the risk level associated with the specific product or service being purchased. Progressive profiling aims to make registration less burdensome over time as trust is built between the user and the system through successive interactions.

CIAM enables organizations to offer flexible customer registration options across multiple channels. Some key capabilities include:

  • Self-registration on digital channels like websites and mobile apps, allowing customers to create accounts independently.
  • Agent-assisted registration for non-digital channels, integrating with CRM systems so customer-facing agents can register users.
  • In-context registration during processes like online shopping checkout or campaign activations to streamline the customer experience.
  • Support registration using popular social identity providers like Google, Facebook, LinkedIn and Twitter for a simpler sign-up process.
  • Progressive registration models at different stages of the customer journey, such as guest checkout converting to a full account.
  • Graded identity verification and validation over time as the customer shares more information and builds trust with the organization.

Here are the key capabilities that a user registration experience can provide:

  • Self-service and agent-assisted registration processes.
  • Customizable registration forms to collect relevant customer information based on their journey stage.
  • Identity verification steps such as email or phone verification (proving control of the contact channel), address validation, and linking to existing accounts.
  • Provisioning user profiles across systems like CRM, MDM, marketing, and backend systems
  • Welcome communications via email and other channels including onboarding documents.
  • Collection of user preferences like communication methods and availability.
  • Terms of service and consent management for compliance and transparency.
  • Support for privacy and data protection regulations regarding the collection and use of personal information.
  • Password policies for secure credential management.
  • Optional multi-factor authentication enrollment.
  • Integrations with external identity providers like governments, banks, etc.

The user registration experience aims to securely collect necessary customer information, verify their identity, and onboard them across relevant systems — all while ensuring transparency, privacy, security and regulatory compliance.
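The email confirmation step in the list above deserves a concrete treatment, because a guessable or reusable confirmation link undermines every later verification built on it. The following is an added example, not code from the original article or from any CIAM product: a confirmation token issued at registration, stored only as a hash, bound to the address it was sent to, time-limited and single-use. The in-memory store, the 15-minute lifetime and the five-attempt limit are assumptions standing in for the platform’s own storage and policy.

```python
"""Email confirmation at registration (added example, not from the article).

The raw token goes into the confirmation link emailed to the user; only its
SHA-256 digest is stored, so a database leak does not let an attacker confirm
addresses. Tokens expire, are bound to the address they were issued for, and
are consumed on first successful use. The in-memory dict, 15-minute lifetime
and 5-attempt limit are assumptions standing in for a real store and policy.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy
MAX_ATTEMPTS = 5               # assumed policy


def _digest(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class VerificationStore:
    """Pending email confirmations, keyed by user id (one outstanding token each)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, dict] = {}

    def issue(self, user_id: str, email: str) -> str:
        """Create a token for `email` and return the raw value to put in the link.
        Re-issuing replaces any earlier token, so only the newest link works."""
        raw = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[user_id] = {
            "digest": _digest(raw),
            "email": email.strip().lower(),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return raw

    def confirmation_link(self, base_url: str, user_id: str, raw: str) -> str:
        """Build the link for the welcome email; `base_url` is the brand's own
        confirmation endpoint (assumed)."""
        return f"{base_url}?{urlencode({'uid': user_id, 'token': raw})}"

    def verify(self, user_id: str, email: str, presented: str) -> bool:
        """Return True exactly once for the right (user, email, token) triple."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._now() > rec["expires_at"]:
            del self._pending[user_id]           # expired: fail closed
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]           # too many guesses: burn the token
            return False
        if rec["email"] != email.strip().lower():
            return False                         # token was issued for a different address
        if not hmac.compare_digest(_digest(presented), rec["digest"]):
            return False                         # constant-time compare on digests
        del self._pending[user_id]               # single use
        return True
```

In a real deployment the store is the CIAM user record or a database table; the points that carry over are storing the digest rather than the token, comparing digests in constant time, binding the token to the address, and consuming it on the first success so a link that later leaks from a mailbox or proxy log cannot be replayed.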

Sign-in Experiences

Sign-in authentication plays an important role in securely granting users access to protected digital resources. Through one or more verification steps, authentication confirms a user’s identity before allowing access to websites, mobile apps, APIs, and other protected services. Common methods like user credentials, multi-factor authentication, adaptive authentication, and single sign-on help securely verify users while also providing a convenient sign-in experience. By ensuring that only the legitimate account holder can access private information and services, authentication protects both users and systems from unauthorized access. This security benefit is increasingly important as more activities and data move online.

There are generally two main philosophies for user sign-in experiences in organizations:

  • Universal sign-in: Universal sign-in centralizes the authentication process by directing users to a single sign-in page before permitting access to any protected resources across multiple websites or applications. This offers security benefits as credentials only need to be entered once on a dedicated sign-in interface that can be thoroughly tested. However, universal sign-in can create friction in the user experience by interrupting the user’s task or workflow with a redirect to another page.

    Use case: An organization implements a universal sign-in page for all users. When users access the organization’s website or applications from any part of their journey, they are redirected to the central login page. Upon successful authentication, the user is redirected back to the original page they were accessing before the sign-in prompt. This allows the user to continue their task or journey seamlessly after signing in through the single sign-on system. The “return to” location must be validated against an allowlist of first-party paths or hosts before the redirect is issued; otherwise the sign-in flow itself becomes an open redirect that phishing campaigns can abuse.

    Universal sign-in is a standalone authentication page that is not specific to any particular website or application. When a user needs to sign in to access protected resources, they are directly taken to the universal sign-in page rather than being prompted for credentials within the app/site they were originally accessing. The universal sign-in page provides a consistent login experience regardless of the downstream resource the user is trying to access. Its sole purpose is authentication — it does not provide any additional context about the user’s intended task or journey after signing in. By standardizing the sign-in workflow outside of individual apps/websites, universal sign-in allows a user’s credentials to be securely validated before granting them access to protected resources across multiple digital properties.

    Universal sign-in can offer improved security by allowing users to authenticate with a single set of credentials that are entered and tested in a common application without other dependencies. However, universal sign-in may negatively impact the user experience by introducing friction as users are redirected away from their original task or journey to complete the authentication process on another page before returning. A careful implementation approach is needed to gain security benefits while minimizing disruptions to usability and workflow.
  • In-context embedded sign-in: In-context embedded sign-in streamlines the authentication process by allowing users to sign in without leaving the context of their task. Through in-context sign-in, credentials are requested and verified directly on the page where authentication is needed, keeping users engaged in their workflow without unnecessary redirects away from the core experience. This embedded approach improves usability and conversion by removing friction from the sign-in step.

    Use case 1: Shopping cart journey implements in-context sign-in. This allows users to sign in directly within the shopping cart journey without being redirected to a separate login page.

    Use case 2: A mobile app implements in-context sign-in. This allows users to log in with a fingerprint without being forced to a login page.

    In both use cases, in-context sign-in streamlines the user experience by eliminating redirects away from the primary task (checkout or app usage) to a separate login page. The user can authenticate seamlessly without interrupting their workflow.

    In-context embedded sign-in offers a better user experience. When a user is engaged in a journey and needs to leave that journey to go to another page just for sign-in, it creates friction that may irritate the user and cause them to abandon the experience altogether. With in-context embedded sign-in, the user can enter their credentials directly within the journey they are already engaged in, without having to leave that experience.

    In-context embedded sign-in does add a dependency on the central security system: every application that embeds the sign-in step within its journeys must be retested when that system changes. In React-based applications, this dependency can be mitigated by creating a centralized React component for sign-in that is embedded dynamically within journeys at runtime. This allows sign-in to be handled consistently across applications without requiring changes to each one when the security system is updated.

While embedded user agents may be more convenient for users, security experts warn that they pose significant risks. If an application collects credentials through an embedded login (a native app’s webview, or a first-party form that forwards the password to the authorization server), it has access to both the authorization grant issued by the authorization server and the user’s full authentication credentials. This presents vulnerabilities for data protection and enables potential malicious use of users’ accounts and data. Even if the application itself is trusted, allowing it unnecessary access to both the authorization grant and credentials is poor security practice; it also trains users to type their password into arbitrary application screens rather than one recognizable sign-in origin. For these reasons, the preferred approach recommended by OAuth standards (RFC 8252, OAuth 2.0 for Native Apps, and the OAuth 2.0 Security Best Current Practice, which advises against the resource owner password credentials grant) and implemented by providers like Google is a universal, browser-based login that avoids embedding credentials and grants within third-party applications. [Universal vs Embedded]

Overall, universal logins uphold important security best practices by restricting what data and rights are exposed to applications during the authorization flow.
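As an added example (not code from the original article or from any particular CIAM product), the following shows the universal sign-in round trip from the application’s side: an OpenID Connect authorization code request with PKCE, a per-login state value and nonce stored in the server-side session, and validation of the “return to” location so the post-login redirect cannot be turned into an open redirect. The issuer URL, client ID, redirect URI and the allowlisted hosts are assumptions. Exchanging the code at the token endpoint and checking the ID token signature and nonce are left to the OIDC client library that would wrap this code.

```python
"""Universal sign-in round trip for a server-rendered web app (added example, not
from the article). Assumed values: issuer, client id, redirect URI, allowlist.
Token exchange and ID-token validation are delegated to an OIDC client library."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

AUTHORIZE_URL = "https://login.example.com/authorize"            # assumed issuer
CLIENT_ID = "shop-web"                                            # assumed
REDIRECT_URI = "https://shop.example.com/callback"                # assumed, pre-registered
ALLOWED_RETURN_HOSTS = {"shop.example.com", "help.example.com"}   # assumed first-party hosts


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def safe_return_url(candidate: str, default: str = "/") -> str:
    """Accept only same-site relative paths or https URLs on allowlisted hosts.

    Anything else (other hosts, protocol-relative '//evil', backslash tricks that
    some browsers normalise to '//', non-http schemes) falls back to `default`."""
    if not candidate or "\\" in candidate:
        return default
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc and candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_RETURN_HOSTS:
        return candidate
    return default


def begin_login(session: dict, return_to: str) -> str:
    """Record PKCE verifier, state and nonce in the session; return the redirect URL."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = _b64url(secrets.token_bytes(16))
    nonce = _b64url(secrets.token_bytes(16))
    session["oidc"] = {
        "verifier": verifier,
        "state": state,
        "nonce": nonce,
        "return_to": safe_return_url(return_to),   # validated before it is stored
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def finish_login(session: dict, callback_query: dict) -> dict:
    """Check the callback against the pending login and consume it.

    Returns what the next step needs: the code and PKCE verifier for the token
    request, the nonce the ID token must echo, and the safe return location."""
    pending = session.pop("oidc", None)           # one callback per login attempt
    if pending is None:
        raise ValueError("no sign-in in progress for this session")
    if "error" in callback_query:
        raise ValueError(f"authorization server returned {callback_query['error']}")
    if not secrets.compare_digest(callback_query.get("state", ""), pending["state"]):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = callback_query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "code": code,
        "code_verifier": pending["verifier"],
        "expected_nonce": pending["nonce"],
        "return_to": pending["return_to"],
    }
```

The return location is validated when the login starts, not when it ends, so an attacker who can only influence the callback cannot change where the user lands; the backslash rejection exists because some browsers treat `/\evil.example.net` as the protocol-relative `//evil.example.net`, which a plain leading-slash check would let through.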

Regardless of which of the two sign-in approaches is used, the key capabilities of user sign-in remain the same. They include:

  • User experience: Providing seamless, frictionless sign-in experiences across platforms via SSO and other UX best practices.
  • Authentication: Verifying the user’s identity, usually by validating their username/email and password. Common authentication methods include password, multi-factor authentication, biometrics, etc.
  • Adaptive Authentication: Enforcing additional authentication steps based on risk profiles. For example, MFA for high-risk logins from unknown devices.
  • Support for multiple identity providers: Allowing users to sign-in via social logins, enterprise directories, government IDs etc.
  • Single Sign-On (SSO): Allowing users to sign in once and access multiple applications without re-authenticating. SSO is enabled by federation protocols like SAML and OpenID Connect (OIDC, which layers authentication on top of OAuth 2.0).
  • Session Management: Tracking the user’s authenticated session across devices and applications. This includes session timeouts, renewals, revocation on logout etc.
  • Security measures: Ensuring logins happen over secure connections, preventing attacks like brute force, protecting credentials etc.
  • Logging and Auditing: Collecting login data to analyze usage patterns, detect anomalies, measure success rates etc.

Account Maintenance Experiences

Account maintenance experiences for customers are improved through proper integration between CIAM and CRM platforms. CIAM platforms typically handle core functions like updating passwords, secrets, and credentials directly. However, broader customer profile attributes, preferences, and consent data require coordination between the CIAM, CRM, and other platforms.

CIAM supports user profiles for both customers and partners. These profiles contain information about individual users who belong to organizations that are customers or partners. The relationships between an organization and its customers or partners are typically managed in Customer Relationship Management (CRM) or Partner Relationship Management (PRM) platforms. CRM systems are used to track leads, prospects, customers, and all interactions associated with those entities. Similarly, PRM systems are used to manage partners, the individual users representing partners (such as agents and advisors), and all interactions associated with those partner entities.

The user profiles in CIAM can be linked to profile information for the corresponding customers and partners stored in the relevant CRM or PRM systems. This allows for a unified view of identities across both the CIAM and CRM/PRM platforms.

By integrating CIAM, CRM, PRM and other platforms, users can seamlessly update all relevant account information and preferences through a single interface, and the changes are then automatically reflected across these platforms. This level of integration is critical for delivering intuitive and comprehensive account maintenance journeys. It gives customers and partners control over their digital identity and preferences across all touchpoints, and it keeps their information and preferences consistent everywhere: when a user updates their information in one system, the other systems are updated as well.

User Profile Management

In a CIAM platform, a user profile containing information about a lead, prospect, or customer can be linked to that customer’s corresponding contact record in an organization’s CRM platform. This allows for a common view of the user’s profile across systems and enables the sharing of relevant profile and interaction data between the CIAM and CRM platforms.

A CRM platform typically provides a comprehensive customer account and relationship model, allowing organizations to track key information about their customers. As part of this model, a contact record in CRM will contain a contact’s name, address, email, phone number, and other personal details like date of birth or social security/insurance number. In contrast, a CIAM solution focuses more narrowly on authentication and authorization. While a CRM aims to capture a holistic view of a customer’s profile and interactions, a CIAM is primarily concerned with verifying a contact’s identity and managing their access to websites and applications. CIAM solutions generally do not require as many detailed personal attributes as a full-fledged CRM platform.

The key points are:

  • CRM stores full customer contact profiles and relationship details.
  • CIAM only stores a subset of attributes focused on identity/authentication.
  • CRM view is more comprehensive, CIAM view is narrower/focused.

Review the CRM’s account relationship model below:

Figure: A Basic Account Relationship Model Telecom Industry

Implementing account relationship models and user profile models in isolation can create a poor customer experience. When organizations have separate profiles in CRM and CIAM systems, users may get confused about which profile they are updating. This is because the two profiles contain similar but not identical information.

Telecom companies can help address customer data issues by aligning their systems to common standards, like those defined by the TeleManagement Forum (TM Forum). The TM Forum provides a well-established reference architecture for managing customer data in the telecom sector. While other industries may lack similarly comprehensive standards, most CRM systems still have defined account relationship models (ARM) that aim to organize customer data and the connections between entities like individuals, accounts, and opportunities. By mapping their internal data to the relevant ARM, companies can help ensure their CRM captures relationships accurately and allows for more consistent views of the customer across departments and systems. This alignment to CRM data models helps mitigate issues that can arise from disorganized, inconsistent, or disconnected customer information.

An effective profile management system should provide a unified user experience for maintaining and updating profile information across an organization’s platforms and applications. Key capabilities include:

  • Profile Updates: Allowing users to easily edit contact details, preferences, passwords, and other credentials in a centralized location.
  • Data Enrichment: Leveraging external data sources to validate and enrich profile fields, such as address verification systems to validate addresses during maintenance.
  • Segmentation and Targeting: Facilitating segmentation of user profiles based on attributes like location, demographics, behaviour, etc. to enable personalized experiences and targeted marketing campaigns.
  • Verification and Validation: Implementing identity proofing methods, such as email verification and address validation, to confirm the accuracy of the provided profile information.
  • Consent Management: Giving users control over data collection and communication preferences through options to opt-in, opt-out, and unsubscribe from marketing communications.
  • Integration and Synchronization: Synchronizing profile data across relevant internal systems like CIAM, CRM, PRM and campaign management to maintain a single source of truth for user profiles.

This provides a more cohesive overview of the key user-centric and data-related capabilities needed for effective profile management across an organization.

Customer Identity Proofing

Identity proofing is the process of verifying an individual’s claimed identity. It typically occurs during registration or enrollment for digital services. The goal of identity proofing is to confirm that the person registering or creating an account is who they say they are. As more information becomes available over time through ongoing interactions, systems will perform additional identity verification checks to continually re-validate identity in a progressive profiling approach. Regular re-validation helps ensure the account owner’s identity has not been compromised and adds an important layer of security and trust to digital transactions.

The level of identity verification required varies based on the industry, business model, and associated risks. For example, financial companies must adhere to strict anti-money laundering regulations due to the risks involved in handling money. Insurance companies need to thoroughly verify medical histories to accurately assess risks. Telecom companies focus more on credit checks since services are provided on credit.

The verification level also depends on the stage of the customer journey. In early stages like creating brand awareness or allowing users to explore options, less rigorous identity validation is needed for activities like receiving marketing emails or saving shopping carts. More robust verification is important later in the funnel for higher risk transactions like purchases or accessing sensitive accounts. A risk-based approach allows tailoring verification without compromising user experience or compliance requirements.

This blueprint outlines a three-step process for verifying and validating user identities:

  1. Light Identity Verification: A lighter process that can verify basic personal information like name, date of birth, email, phone number, etc. through a digital process. This establishes a basic identity profile.
  2. Robust Identity Validation: Conduct more thorough checks like criminal background checks, document verification, biometric authentication, etc. depending on the product and business model. This may require in-person meetings or validating government records to ensure the identity is valid.
  3. Unique Identity Creation: Establish a single verified identity for each user to prevent multiple account creation. Uniquely identifying users is critical for personalized experiences, data privacy, and protection for most brands.

The goal is to balance the convenience of digital identity verification against the security of robust in-person or document-based identity validation. Matching the verification depth to the risk level of each product or service, at a given stage of the customer’s journey, keeps onboarding as frictionless as that risk allows.

A user and an account represent two separate but related entities in our system. A user refers to an individual person, while an account allows that user to access services and data. It is important to distinguish between users and accounts because they require different access controls and levels of security. As a living person, a user’s identity and personal information need strong privacy protections. An account, on the other hand, contains the data and activities associated with that user’s access to our services.

Proper access controls and logging on accounts are necessary for regulatory compliance, security monitoring, and legal defensibility in the event of any issues. Review the digital identity’s relationship to a customer’s account below:

Figure: Digital Identity’s Relationship to a Customer Account

The diagram illustrates the differences between the user registration processes for prospects and customers. Prospects require fewer validation steps to simply register their information, whereas registering a customer involves additional validation steps to verify their customer status before completing the registration. This distinction in the registration workflows helps streamline a lighter verification process for prospects while ensuring proper validation of customer identities.

In addition, whenever identity proofing is conducted, it generates an activity record recorded in the CRM’s activity history. Authorized agents can access this information. The identity proofing also creates an event that updates the “Customer Authorization State.” This record indicates whether a customer is fully or partially authenticated to the CIAM. It is a critical piece of information that controls the level of access granted to a user. We will discuss this topic in more detail later.
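The “Customer Authorization State” mentioned above is what a risk-based approach (see the adaptive authentication capability in the sign-in section) actually consumes at request time. As an added example, not from the original article, the code below derives that state from the authentication claims in the customer’s session, compares it with the assurance and freshness an action requires, and, when it falls short, builds the step-up challenge an API would return. The level names, the three action policies, the ACR URIs and the choice of which methods count as a second factor are assumptions; the amr and auth_time claims come from OpenID Connect Core and RFC 8176, and the insufficient_user_authentication challenge follows RFC 9470.

```python
"""Customer authorization state and step-up check (added example, not from the
article). Level names, action policies, ACR URIs and the second-factor set are
assumptions; amr/auth_time/email_verified are OIDC Core / RFC 8176 claims and
the challenge format follows RFC 9470 (OAuth 2.0 Step Up Authentication)."""
import time
from dataclasses import dataclass
from typing import Optional

# Ordered from least to most assurance (assumed naming).
LEVELS = ["anonymous", "verified_contact", "password", "mfa"]
# ACR values the CIAM is assumed to accept in a step-up request.
LEVEL_TO_ACR = {lvl: f"urn:example:acr:{lvl}" for lvl in LEVELS}
# RFC 8176 amr values this brand treats as reaching the "mfa" level (assumption).
SECOND_FACTOR_AMR = {"mfa", "otp", "hwk", "swk", "sms", "fpt", "face", "sc"}


@dataclass(frozen=True)
class ActionPolicy:
    min_level: str
    max_age_seconds: Optional[int] = None   # None: no freshness requirement


# Assumed policies: looser early in the journey, stricter for risky actions.
POLICIES = {
    "save_cart": ActionPolicy("verified_contact"),
    "view_statements": ActionPolicy("password", max_age_seconds=3600),
    "change_payout_account": ActionPolicy("mfa", max_age_seconds=300),
}


def assurance_level(claims: dict) -> str:
    """Map the session's authentication claims to a Customer Authorization State."""
    amr = set(claims.get("amr", []))
    if amr & SECOND_FACTOR_AMR:
        return "mfa"
    if "pwd" in amr:
        return "password"
    if claims.get("email_verified") is True:
        return "verified_contact"        # light verification only (prospect)
    return "anonymous"


def evaluate(claims: dict, action: str, now: Optional[float] = None) -> dict:
    """Allow the action, or return the RFC 9470 challenge the API should send."""
    now = time.time() if now is None else now
    policy = POLICIES[action]
    level = assurance_level(claims)
    too_weak = LEVELS.index(level) < LEVELS.index(policy.min_level)
    too_old = False
    if policy.max_age_seconds is not None:
        auth_time = claims.get("auth_time")
        # A missing auth_time cannot prove freshness: fail closed.
        too_old = auth_time is None or (now - auth_time) > policy.max_age_seconds
    if not too_weak and not too_old:
        return {"decision": "allow", "level": level}
    params = ['error="insufficient_user_authentication"']
    if too_weak:
        params.append(f'acr_values="{LEVEL_TO_ACR[policy.min_level]}"')
    if too_old:
        params.append(f'max_age="{policy.max_age_seconds}"')
    return {
        "decision": "step_up",
        "status": 401,
        "www_authenticate": "Bearer " + ", ".join(params),
    }
```

The properties worth keeping are that a missing auth_time fails closed, that the challenge tells the client exactly what is missing (a stronger method, a fresher login, or both) so it can send the right acr_values or max_age on the next authorization request, and that the mapping from amr values to levels is one explicit, reviewable policy rather than if-statements scattered across applications.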

Identity Verification

Identity verification is a lighter verification process that may require only a few pieces of personal information to register, such as a name, date of birth, email address, and phone number. This type of registration is often used early in a customer’s journey, during brand awareness or product exploration and consideration stages. For lighter verifications, the person does not need to be physically present — the verification can be conducted virtually.

The personal information required for a lighter verification process will vary depending on each company’s individual needs and risk assessment. For example, some businesses may choose to verify basic contact details like email, name and phone number against internal or third-party databases to check for fraudulent activity, blacklisting, and other risks. However, a lighter verification process generally aims to collect less sensitive personal information from users to streamline the signup experience while still preventing harmful behaviours.

This lighter verification process is sufficient to create a digital identity for the user, granting them access to relevant digital assets from the Brand. This simplified onboarding allows the Brand to:

  • Track user behavior like interaction history and preferences to gain insights into their interests.
  • Deliver a personalized experience tailored to each individual user based on their interactions and selections.
  • Send the user marketing communications about promotions, campaigns, new products, and services.
  • Allow users to take advantage of any free digital offerings, such as a wealth management organization offering a free portfolio evaluation.
  • Generate new potential customer leads from users of their digital services.

Allowing a simplified and frictionless registration process for users has several benefits for building brands and trust with customers. It establishes an early relationship by making account setup easy without requiring extensive private information upfront. This allows the brand to start providing value to the user through a customized digital experience. It also builds trust with customers by demonstrating the brand’s commitment to privacy and a good user experience from the very beginning of the relationship. Overall, a simplified registration process can help attract more users and improve customer satisfaction, engagement, and loyalty over time.

Several processes can be used to verify a person’s identity:

  • Unique identifiers: Verify identity by using unique credentials like a username or email address that is tied directly to the individual. Proper identity creation processes help ensure identifiers are truly unique.
  • Email verification: Confirm an email address belongs to the person by sending a verification link or code to the provided email. This helps validate they can receive communications at that address.
  • Address verification: Leverage third-party address validation services to verify the accuracy of a person’s residential address. This provides additional data points to corroborate their identity. Popular services include Canada Post, Melissa Data, Google Address Validation, Amazon Location Service, Postalcodes.io, and Addressy.
  • Duplication checks: Scan existing user records to identify any matches on attributes that could indicate an existing or duplicate identity attempting to re-register. Attributes like names, emails, addresses, phone numbers, etc. can be checked.
  • Multi-factor authentication: If a phone number is collected as part of the initial identity creation process, it can be confirmed with a one-time code and then serve as a second authentication factor.

The goal of these lighter verification processes is to gather and verify distinct details about a person to establish their identity. However, the processes aim to do so with less onerous requirements compared to full verification. This supports the initial stages of a customer’s journey with the Brand.
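The email verification step listed above is the one most often implemented in-house, and it is where small mistakes (storing the raw code, allowing unlimited guesses, letting a code live forever) turn a lightweight check into a weak one. The following Python is an added example, not code from the article; the store, the 15-minute lifetime and the five-attempt limit are assumptions made for illustration, and a real CIAM would persist the pending record and e-mail the code through its own delivery service.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Policy values below are assumed for this example, not taken from the article
CODE_TTL_SECONDS = 15 * 60   # a pending code expires after 15 minutes
MAX_ATTEMPTS = 5             # lock the pending code after this many wrong guesses


@dataclass
class PendingVerification:
    email: str
    code_hash: bytes   # only a hash of the code is stored, never the code itself
    expires_at: float
    attempts: int = 0


@dataclass
class VerificationStore:
    """In-memory stand-in for the CIAM's pending-verification table (constructed for this example)."""
    pending: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)


def normalize_email(email: str) -> str:
    # Case-fold and trim so "Alice@Example.com " and "alice@example.com" are one identifier
    return email.strip().lower()


def hash_code(email: str, code: str) -> bytes:
    # Bind the hash to the address so a code issued for one address cannot be replayed for another
    return hashlib.sha256(f"{email}:{code}".encode()).digest()


def issue_code(store: VerificationStore, email: str, now=None) -> str:
    """Create a 6-digit code for the address and return it; the caller e-mails it to the user."""
    now = time.time() if now is None else now
    email = normalize_email(email)
    code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, not the random module
    store.pending[email] = PendingVerification(email, hash_code(email, code), now + CODE_TTL_SECONDS)
    return code


def confirm_code(store: VerificationStore, email: str, code: str, now=None) -> str:
    """Return 'verified', 'expired', 'locked', 'no_pending' or 'mismatch'."""
    now = time.time() if now is None else now
    email = normalize_email(email)
    entry = store.pending.get(email)
    if entry is None:
        return "no_pending"
    if now > entry.expires_at:
        del store.pending[email]
        return "expired"
    if entry.attempts >= MAX_ATTEMPTS:
        return "locked"   # the user must request a fresh code
    entry.attempts += 1
    # Constant-time comparison so a wrong guess does not leak how many bytes matched
    if not hmac.compare_digest(entry.code_hash, hash_code(email, code)):
        return "mismatch"
    del store.pending[email]   # single use: a confirmed code cannot be replayed
    store.verified.add(email)
    return "verified"


def is_verified(store: VerificationStore, email: str) -> bool:
    return normalize_email(email) in store.verified


if __name__ == "__main__":
    store = VerificationStore()
    code = issue_code(store, "Alice@Example.com")
    print("sent code", code)
    print(confirm_code(store, "alice@example.com", code), is_verified(store, "alice@example.com"))
```

The same pattern applies to an SMS code for the phone number: the record is keyed by the normalized identifier, the code is hashed and bound to that identifier, and success consumes the record so the same code cannot be presented twice.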

Identity Validation

Identity validation is a rigorous process where a brand validates an individual’s identity. The goal is to confirm a person’s identity to establish trust, enhance security, and prevent fraud. For higher levels of validation, a person may need to physically present valid identification documents to an authorized agent in person. This allows the agent to directly validate that the identification belongs to the person. Rigorous validation helps ensure only legitimate users can make purchases.

Many validation processes may be required, depending on a business’s operating model. In some organizations, there are several situations where an individual’s identity and associated identity details need to be verified before creating a user account. Therefore, the degree of validation can differ in each organization.

  • Higher-risk accounts will require more sophisticated validation techniques, whereas lower-risk account operations may require little or no validation.
  • The type of product being offered can dictate the level of validation required. For example, applying for a passport, buying life insurance, or opening a bank account each have different validation needs.
  • An organization’s risk management policies for a particular brand or product may mandate additional validations. For instance, credit checks may be required for postpaid accounts. Medical exams could be necessary for health insurance benefits. Accounts may need to comply with regulations like ATF and FATCA for investment products.

The main objective of validation is to apply rules and policies to data elements. It aims to validate the information provided and ensure that users are who they say they are. Even where rigorous validation may not be required, basic validation can still provide significant value.

NIST Guidelines

The National Institute of Standards and Technology (NIST) provides guidelines and standards for identity proofing in the context of digital identity validation. NIST Special Publication 800-63-4 (Digital Identity Guidelines) includes recommendations for this domain. It presents the process and technical requirements for meeting different levels of assurance (LOA) in digital identity management, and it provides considerations for enhancing the privacy, equity, and usability of digital identity solutions and technology.

Some of the key components of identity proofing include:

  1. Something the individual knows (e.g. knowledge-based verification on internal or external sources)
  2. Something the individual has (e.g. possession of a smart/mobile device)
  3. Something the individual is (e.g. biometrics verification)

NIST specifies three assurance levels of identity proofing:

  1. Identity Assurance Level 1 (IAL1): Little or no confidence in the asserted identity’s validity.
  2. Identity Assurance Level 2 (IAL2): Some confidence in the asserted identity’s validity.
  3. Identity Assurance Level 3 (IAL3): High confidence in the asserted identity’s validity.

Each enterprise needs to determine the appropriate assurance levels required to support its customers’ journeys based on reference models. In our blueprint, these assurance levels can be mapped to an entity called “Customer Authorization State” that will record each customer’s authorization level. This domain plays a key role in determining a customer’s authorization level.

The processes that can be used for identity validation include:

  • In-person validation: A brand’s branch office appoints an authorized agent to meet the person and validate documents through examination and cross-examination.
  • Document validation: A brand may require users to provide official documents like a driving license, passport, national ID, or other government-issued IDs during enrollment or registration.
  • Biometric validation: Biometric data like fingerprints, facial recognition, iris scans, or DNA can validate a customer’s identity. These measures are unique and difficult to fake. Biometrics can be physiological or behavioural: physiological biometrics are based on physical characteristics, while behavioural biometrics are based on patterns of behaviour.
  • Knowledge-based validation: Reflex questions may be asked based on a user’s personal history, financial transactions, or other information available internally or through third parties. For example, banks often ask questions like “Can you tell me your last credit card charge?”.
  • Social media validation: OpenID Connect social logins can leverage social media profiles for verification.
  • External agencies: External agencies can provide validations on individuals, e.g. government security clearances and credit check vendors. Commercial providers include Jumio, Trulioo, IDnow, Onfido, Thomson Reuters CLEAR, Acuant, Veriff, Mitek, and many more. These agencies provide identity validation services for biometrics, facial recognition, document verification, and risk management. Agencies can be private, semi-governmental, or government-run. The legal and compliance requirements of each country or region affect which agency is the right choice for a brand.
  • Blacklist Validation: Each Brand may have additional specialized business rules to comply with their own industry and region. For instance:

    Anti-Terrorist Financing (ATF): Checks the information provided against the terrorist list. The Customer Validation process must check that the customer does not exist on the ATF listing.

    Anti-Money Laundering (AML): Reflex questioning and assessment to ensure all investors are who they claim to be and are not investing on behalf of somebody else. It validates that the customer does not exist on the AML listing.

Suitability of Identity Proofing Process by Customer Journey

Generally, a lighter process is more suitable for early stages like prospecting and pre-sales, where the user does not need to be physically present and can be verified virtually. As the user progresses further in their journey, such as to the purchase stage, they may need to provide additional personal information to better validate the authenticity of their identity claims. The exact requirements will depend on factors like each brand’s offerings, risk policies, and regulatory compliance needs.

Figure: Suitability of Level of Assurance (LOA)

Unique Identity Creation

CIAM platforms employ various techniques to ensure the creation of unique user identities. They perform fuzzy matching and conduct duplicate checks. Maintaining a unique identity for each user is critical for most brands to ensure privacy and data protection. It also helps prevent identity theft and fraud.

Traditionally, IAM platforms have not had the best capabilities to address the overall architecture on their own. Hence, they rely on other platforms like Customer Relationship Management (CRM), Master Data Management (MDM), or other specialized vendors in this space to help solve identity management challenges.

Some of the common practices and processes that CIAM uses for unique identity are:

  • Unique Identifiers: CIAM often uses common unique identifiers like “username” or “email” during the registration process to associate a user’s digital identity. Email addresses are unique and can be verified by sending an email to the user to confirm it is their own address. Similarly, a user ID is uniquely assigned to each user. Both the email and user ID can be validated against an internal user profile database.

    Telecom companies used to use phone numbers as identifiers, but that practice was abandoned, especially after number portability was introduced. A telephone number can be used for duplicate checks but not as a unique identifier for a user profile.
  • Email Verification: Email verification is a commonly used verification process. When a user provides an email address during registration, the CIAM sends an email to the user with a verification link or code to confirm email ownership. When the user clicks on the verification link, it is recorded that the email has been verified.
  • Fuzzy Matching and Duplicate Checks: CIAM may employ algorithms for fuzzy matching and duplicate checks to identify similar or potentially duplicate records. Simple duplicate checks are common at storefronts where customer-facing interfaces may inform the user that their account already exists by checking their name, phone number, or address. These duplicates are often presented back to the channel, where the user can select a previously created record.

    Fuzzy logic: Fuzzy logic considers similarity or closeness between customer attributes rather than exact matches. Fuzzy logic employs various approaches to detect a duplicate match including:

    Data cleansing: Data cleansing may be required before applying fuzzy matching, e.g. standardizing user input to the correct format, validating the address against an external address database, or confirming the phone number by sending an SMS. This ensures the quality of data provided by the user is trustworthy.

    Phonetic Algorithm: A phonetic algorithm helps identify names that sound alike but are spelled differently.

    Levenshtein Distance: This algorithm measures the minimum number of single-character edits required to change one string into another. It’s used to detect similar or misspelled names. Other algorithms exist like Hamming Distance, Damerau-Levenshtein, Jaccard Similarity, N-gram or Q-gram Matching, and Ratcliff/Obershelp.

    User matching policies: Each brand may define its own user matching policy rules appropriate for its risk policies and compliance. Policies may include identifying duplicate accounts that are manually reviewed by administrators or automatically merging duplicate accounts. Policies may also specify which personal attributes to use for matching and merging.

Figure: Fuzzy Matching

  • Match & Merge Process: To improve account management and data quality, brands may employ match and merge processes to identify potential duplicate user accounts based on their individual user matching policies. These potential duplicates are either manually reviewed by administrators to validate a match, or an automated process can merge confirmed duplicate accounts while notifying the affected users. The goal is to consolidate multiple accounts belonging to the same user while maintaining accurate user data.
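The building blocks named above (data cleansing, a phonetic algorithm, Levenshtein distance, and a brand-specific matching policy that decides between automatic merge, manual review, and a new record) fit together in a small pipeline. The Python below is an added example and not code from the article or any CIAM product; the scoring weights, the 90/50 thresholds and the sample records are constructed for illustration, and the phone normalization assumes a North American numbering plan.

```python
import re
import unicodedata

# Thresholds are an assumed brand policy, constructed for this example
MATCH_POLICY = {"auto_merge": 90, "manual_review": 50}


def normalize(text: str) -> str:
    """Data cleansing: strip accents, case-fold, replace punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Digits only, dropping a leading North American country code (assumed market)."""
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def soundex(name: str) -> str:
    """Classic Soundex: names that sound alike ('Smith', 'Smyth') share a 4-character code."""
    name = normalize(name).replace(" ", "")
    if not name:
        return ""
    codes = {**dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
             **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6"}
    out, last = name[0].upper(), codes.get(name[0], "")
    for ch in name[1:]:
        code = codes.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":          # h and w do not separate repeated codes; vowels do
            last = code
    return (out + "000")[:4]


def match_score(candidate: dict, existing: dict) -> int:
    """Weighted similarity 0..100 across email, phone, name and address."""
    score = 0
    if normalize_email(candidate["email"]) == normalize_email(existing["email"]):
        score += 50   # a verified e-mail is the strongest single identifier
    if normalize_phone(candidate["phone"]) == normalize_phone(existing["phone"]):
        score += 25
    c_name, e_name = normalize(candidate["name"]), normalize(existing["name"])
    if c_name == e_name:
        score += 25
    elif soundex(c_name) == soundex(e_name) or levenshtein(c_name, e_name) <= 2:
        score += 15   # sounds alike or a small typo
    if levenshtein(normalize(candidate["address"]), normalize(existing["address"])) <= 3:
        score += 15
    return min(score, 100)


def classify(candidate: dict, existing_records: list):
    """Apply the matching policy: ('auto_merge' | 'manual_review' | 'new', best match or None)."""
    best = max(existing_records, key=lambda r: match_score(candidate, r), default=None)
    if best is None:
        return "new", None
    score = match_score(candidate, best)
    if score >= MATCH_POLICY["auto_merge"]:
        return "auto_merge", best
    if score >= MATCH_POLICY["manual_review"]:
        return "manual_review", best
    return "new", None


# Constructed sample record for a quick demonstration
EXISTING = [{"id": "u1", "name": "John Smith", "email": "john.smith@example.com",
             "phone": "+1 (416) 555-0100", "address": "12 Main Street, Toronto"}]

if __name__ == "__main__":
    typo = {"name": "Jon Smyth", "email": "John.Smith@Example.com", "phone": "4165550100",
            "address": "12 Main Streat, Toronto"}
    print(classify(typo, EXISTING))
```

Two outcomes are worth noticing. A re-registration with the same e-mail and a misspelled name scores high enough to merge automatically, whereas a household member who shares the phone number and address but uses a different e-mail lands in the manual-review band rather than being merged, which is exactly the case where automatic merging would silently join two people’s profiles.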

Customer Authorization

Customer Authorization State

Customer Authorization State is a sub-domain of Customer Profile. It stores the results of Customer Identity Proof (either verification or validation), which is critical information. This information provides relevant (authorized) access to customers’ digital resources from the Brand. For example, if a customer is not fully authorized, they may not see account balances or other protected information.

The relationship between a “User” and a “Customer” is often not one-to-one. Customer accounts may have many “users” associated with them, both for retail individual customers and business-to-business (B2B) customers. Therefore, identity proofing needs to be validated for both the “user” and the “customer”, as well as the proof of the relationship between the “user” and a “customer”.

See an illustration below:

Figure: Customer Authentication States with ARM

As mentioned above, NIST specifies three assurance levels of identity proofing:

  1. Identity Assurance Level 1 (IAL1): Little or no confidence in the asserted identity’s validity.
  2. Identity Assurance Level 2 (IAL2): Some confidence in the asserted identity’s validity.
  3. Identity Assurance Level 3 (IAL3): High confidence in the asserted identity’s validity.

In our blueprint, assurance levels are reflected in Customer Authorization States. Each Brand may decide its own codification of authorization states, depending on its product or service offering, its risk policies, and its regulatory and compliance needs. In this example, we have provided six customer authorization states across two categories:

  1. Verification States (Not Verified, Partially Verified, Fully Verified)
  2. Validation States (Not Validated, Partially Validated, Fully Validated)

Other dimensions that can be added to the Customer Authorization State sub-domain include:

  • Customer Classifications (e.g., Retail, Government, Military, Business)
  • Product Classifications (e.g., Wireless, Wireline, Cable, Home Security)
  • Attributes required for Authentication State (e.g., email, date of birth, name, address, driving license, etc.)
  • Registration Type (e.g. Guest, Customer, etc.)

The following diagram illustrates an example of Customer Authorization States:

Figure: Customer Authorization States

Progressive profiling allows organizations to gain a more complete understanding of customers over time through various interactions. Rather than collecting all information upfront, customer data can be gathered incrementally as they engage with a business. This staged approach reflects today’s modern digital experience.

The identity proofing process can continuously assess new attributes received from the customer to verify or validate them. It will appropriately update the customer’s authorization states as their profile becomes more robust. This ongoing profiling enables strong customer relationships to develop gradually through ongoing engagement and trust-building.
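To make the Customer Authorization State concrete, here is a small model of the six states described above (three verification states and three validation states), updated by proofing events and consulted by a deny-by-default access check. This Python is an added example, not code from the article; which proofed attributes make up each state, and which states each resource requires, are assumed brand policies constructed for the illustration, and a brand would map its own states onto the NIST IALs according to its risk policies.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class VerificationState(IntEnum):
    NOT_VERIFIED = 0
    PARTIALLY_VERIFIED = 1
    FULLY_VERIFIED = 2


class ValidationState(IntEnum):
    NOT_VALIDATED = 0
    PARTIALLY_VALIDATED = 1
    FULLY_VALIDATED = 2


# Assumed brand policy (constructed for this example): which proofed attributes make up each category
VERIFICATION_ATTRS = frozenset({"email", "phone"})               # lighter, virtual checks
VALIDATION_ATTRS = frozenset({"government_id", "in_person"})     # rigorous document / in-person checks


def _level(proofed: set, required: frozenset, enum_cls):
    """None of the attributes -> state 0, all of them -> state 2, anything in between -> state 1."""
    have = proofed & required
    if not have:
        return enum_cls(0)
    return enum_cls(2) if have == required else enum_cls(1)


@dataclass
class CustomerAuthorizationState:
    customer_id: str
    proofed: set = field(default_factory=set)     # attributes that have passed proofing so far
    history: list = field(default_factory=list)   # audit trail: (attribute, passed, source)

    def record_proofing(self, attribute: str, passed: bool, source: str) -> None:
        """Apply one proofing event, e.g. an e-mail code confirmed or a passport checked at a branch."""
        self.history.append((attribute, passed, source))
        if passed:
            self.proofed.add(attribute)

    @property
    def verification(self) -> VerificationState:
        return _level(self.proofed, VERIFICATION_ATTRS, VerificationState)

    @property
    def validation(self) -> ValidationState:
        return _level(self.proofed, VALIDATION_ATTRS, ValidationState)


# Assumed resource policy: the minimum (verification, validation) state needed to read each resource
RESOURCE_POLICY = {
    "marketing_preferences": (VerificationState.PARTIALLY_VERIFIED, ValidationState.NOT_VALIDATED),
    "order_history":         (VerificationState.FULLY_VERIFIED,     ValidationState.NOT_VALIDATED),
    "account_balance":       (VerificationState.FULLY_VERIFIED,     ValidationState.FULLY_VALIDATED),
}


def can_access(state: CustomerAuthorizationState, resource: str) -> bool:
    """Deny by default: an unknown resource or an insufficient state on either dimension returns False."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False
    min_verification, min_validation = policy
    return state.verification >= min_verification and state.validation >= min_validation


if __name__ == "__main__":
    cust = CustomerAuthorizationState("C-1001")
    cust.record_proofing("email", True, "email_code")
    cust.record_proofing("phone", True, "sms_code")
    print(cust.verification.name, cust.validation.name, can_access(cust, "account_balance"))
```

Because the state is derived from the set of attributes that have actually passed proofing, a failed check leaves the state where it was, and the history list gives the activity record that the CRM and authorized agents need for later review.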

Customer Authorization — Account Permissions

Authorization based on Customer Account Relationship:

Another aspect of CIAM’s authorization capabilities is to be aware of two important relationships:

  1. The relationship between the user logging in and the customer’s account. For example, in a household or business account, what level of access does the user have to each associated account?
  2. The relationship between customer-facing agents (CFA) and the customer’s account and associated users. For example, what level of access do agents have to review a customer’s information, personal details, account balances, etc.?

Both relationships play a critical role in authorizing user access and granting access to digital resources. Incomplete authorization checks could expose critical customer information to unauthorized users.

1. User authorization is based on the user’s relationship to the customer’s account:

Figure: User access is based on the Account Relationship Model

The above example from the telecom industry shows a basic account relationship model for an individual (retail) customer. John is the owner of the account: he receives the bill and makes the payment. He has access to all the information on the account and the subscriptions (e.g. a wireless phone line). However, Jane only has access to her subscription. Hence, while authorizing user access to a website, the CIAM needs to ensure that a user only has the access to information they are entitled to under the service agreements.

Traditionally, IAM platforms do not maintain this level of granular authorization or information related to service agreements. This type of data is typically maintained in other business platforms like CRM systems. In the past, it was left to individual channels to implement these rules within their own applications. This introduced significant duplication in maintaining and consistently applying these authorization rules in each channel application. When the rules change, all the channel applications require updating. Hence, in modern CIAM implementations, these rules are aggregated in authorization services. A common authorization service is then used by all channel applications.

2. Customer Facing Agent (CFA) authorization based on their roles on the Customer’s Account:

Figure: CFA access is based on their Role to Account Relationship Model

In the above example, Agent 1 has a role that grants access to information on retail customers. Agent 2 has a role that grants access to information for a specific business customer, “Acme Inc.”. Role-based access can get more granular based on detailed entitlements. Entitlements can grant or restrict users’ access to certain sensitive information.

Traditionally, these role-based entitlements are maintained in individual channel applications. In large enterprises, there are often numerous channel applications for each line of business. Therefore, maintaining these security rules across so many different applications is extremely complicated and expensive. On digital channels like the web or chat, customer-facing agents may shadow a customer’s online account or access customer information. In many organizations, authorization and access rules are repeatedly coded into different applications. To simplify this, these rules can be externalized into a common customer identity and access management (CIAM) platform in authorization services. This would allow all participating channel applications to retrieve information from a single source, significantly reducing redundancy.

Authorization services between identity and access management (IAM) systems and customer relationship management (CRM) platforms have usually been orchestrated through custom-built integrations in most industries. Modern IAM and CRM platforms can now provide out-of-the-box solutions with built-in orchestration and integration capabilities.
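The two relationships described in this section (user to account, and agent role to account) can both be answered by one authorization service that every channel calls, which is the consolidation the text argues for. The Python below is an added example, not the article’s or any vendor’s code; the account data mirrors the figures (John owns a retail account carrying Jane’s line, and a dedicated agent role is scoped to “Acme Inc.”), while the relationship rules, role definitions and entitlement names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subscription:
    sub_id: str
    account_id: str
    user_id: str          # the user who holds this line


@dataclass
class Account:
    account_id: str
    owner_id: str         # receives the bill and pays it
    segment: str          # "retail" or "business"
    subscriptions: dict = field(default_factory=dict)   # sub_id -> Subscription


# Assumed relationship rules: what each relationship may do on each resource type
RELATIONSHIP_RULES = {
    "owner":      {"bill": {"read"}, "payment": {"read", "create"}, "subscription": {"read", "change"}},
    "subscriber": {"subscription": {"read", "change"}},   # confined to the subscriber's own line below
}

# Assumed agent roles: scope (segments and/or named accounts) plus sensitive entitlements
AGENT_ROLES = {
    "retail_care":    {"segments": {"retail"}, "accounts": set(),      "entitlements": {"view_balance"}},
    "acme_dedicated": {"segments": set(),      "accounts": {"A-ACME"}, "entitlements": {"view_balance", "view_pii"}},
}


class AuthorizationService:
    """Single decision point that every channel application calls instead of re-coding the rules."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}

    def relationship(self, user_id: str, account_id: str):
        """'owner', 'subscriber' or None for a user on an account."""
        acct = self.accounts.get(account_id)
        if acct is None:
            return None
        if acct.owner_id == user_id:
            return "owner"
        if any(s.user_id == user_id for s in acct.subscriptions.values()):
            return "subscriber"
        return None

    def user_can(self, user_id, action, resource_type, account_id, sub_id=None) -> bool:
        rel = self.relationship(user_id, account_id)
        if rel is None:
            return False
        if action not in RELATIONSHIP_RULES[rel].get(resource_type, set()):
            return False
        if resource_type == "subscription":
            sub = self.accounts[account_id].subscriptions.get(sub_id)
            if sub is None:
                return False
            # Owners see every line on the account; subscribers only their own
            return rel == "owner" or sub.user_id == user_id
        return True

    def agent_can(self, role: str, account_id: str, entitlement=None) -> bool:
        acct = self.accounts.get(account_id)
        policy = AGENT_ROLES.get(role)
        if acct is None or policy is None:
            return False
        in_scope = acct.segment in policy["segments"] or account_id in policy["accounts"]
        if not in_scope:
            return False
        return entitlement is None or entitlement in policy["entitlements"]


def sample_service() -> AuthorizationService:
    """Constructed data mirroring the article's figures: John owns a retail account with Jane's line on it."""
    retail = Account("A-1001", owner_id="john", segment="retail")
    retail.subscriptions = {"S-1": Subscription("S-1", "A-1001", "john"),
                            "S-2": Subscription("S-2", "A-1001", "jane")}
    acme = Account("A-ACME", owner_id="acme_admin", segment="business")
    acme.subscriptions = {"S-9": Subscription("S-9", "A-ACME", "bob")}
    return AuthorizationService([retail, acme])


if __name__ == "__main__":
    svc = sample_service()
    print(svc.user_can("jane", "read", "bill", "A-1001"),
          svc.user_can("jane", "read", "subscription", "A-1001", "S-2"))
```

Every check resolves the relationship from the account data at decision time rather than trusting a role claim carried in the session, so a rule change (for example, letting subscribers see the bill) is made once in the service instead of in each channel application.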

Customer Profile Management

Customer profile management is an important part of customer information management (CIM) within CRM platforms. While CIM covers a broad range of topics, this discussion will focus on some key components that relate specifically to CIAM, such as journey milestones and progressive customer profiling. Understanding these CIAM-related aspects of customer profile management can help organizations better manage customer identities, access, and experiences across digital channels.

Customer Journey Milestones

Customer Journey milestones are key moments in customer interactions with a Brand or product. These moments span from initial awareness to consideration, purchase, and beyond. Milestones vary by industry, offering, business model, customer preferences, and insights. Each enterprise defines its own customer journey maps and addresses important moments.

A customer journey refers to the end-to-end process to achieve a customer’s goal and the brand’s outcome. For example, a customer’s goal may be “vacation in Hawaii.” Their journey has many phases, like buying tickets, flying, lodging, sightseeing, etc. Each phase is often an independent experience to complete. These are called macro and micro journeys.

Providing a consistent and personalized experience across each phase allows the customer to feel it was one connected journey. This provides a good customer experience.

Figure: A typical Customer Journey

A Journey Management Platform provides technologies that help stitch together customer journeys and support overall customer experience journey management capabilities.

This example shows key moments in a customer’s journey, such as receiving a promotional email, getting a quote, and buying a ticket. Journey Management Platforms typically record these key moments with their respective customer journeys.

However, this information is also critical for CIAM and related processes. CIAM uses this information for authentication, registration, and identity proofing. A sub-domain within the Customer Profile should record a summarized view of these moments.

Our digital blueprint also proposed Persona Cards within Digital Intelligence. Persona Cards effectively aggregate common customer intelligence that can benefit various customer journeys and processes. If an enterprise has built such a capability, CIAM platforms can leverage this digital intelligence to supplement and enhance their processes. Brands may develop their own unique taxonomy for milestones. This taxonomy plays a pivotal role in facilitating integration with various digital experience sub-systems, including CIAM.

Customer journey stages commonly include:

  1. Awareness: The customer becomes aware of the brand, product, or service through a channel like marketing, online searching, referrals, etc.
  2. Interest: The customer expresses interest in the brand or a specific product/service. This could indicate a desire for more information and potential leads.
  3. Consideration: The customer is considering the product/service, triggered by actions like configuring online, reviewing quotes, adding to the cart, etc. This indicates a prospective customer, new or for cross-sell/up-sell.
  4. Decision: The customer’s actions show they decided to purchase.
  5. Purchase: The customer completes the transaction in-store or online.
  6. Onboarding: Many products/services require onboarding like setup, learning to use, etc. This helps brands provide personalized onboarding content.
  7. Activation: The customer activates a marketing campaign or journey. Journey activation aims to create meaningful interactions to facilitate goals.
  8. Engagement: The customer engages regularly with the product/service through self-service, use, or community engagement.
  9. Retention: The customer is satisfied based on tenure, agent interactions, repeat purchases, ongoing subscriptions, etc.
  10. Expansion: The customer explores or adds new features like roaming or voicemail. Feature changes help track loyalty, interests, finances, etc.
  11. Advocacy: The loyal customer actively refers, reviews online, or shares on social media.
  12. Re-engagement: An inactive customer re-engages digitally or with an agent/advisor.

Customer experience milestones can vary by product or service. They are not always linear. Milestones may also relate to a customer relationship model with multiple users per household. Milestones could also be separated by specific products, services, or features. The experience team maps customer journeys to identify key moments and milestones. They do this by better understanding customers’ behaviours, needs, and pain points. The goal is to recognize meaningful progress points in a customer’s relationship with the company.

Progressive Profiling

CIAM capabilities can progressively collect user or customer profile information through various interaction points during customer journeys. Some information directly relates to CIAM’s identity and access management functions, while other information relates to providing contextualized and personalized experiences. Several CIAM functions support progressive experiences, including user registration, identity verification, profile management, privacy settings, policy management, risk assessment, and fraud detection.

The concept of progressive profiling is that the user’s data is gradually collected through smaller interactions over time. Initially, only the minimum necessary data is collected from the user. As the relationship with the organization develops and the user expresses interest in purchases, additional optional information may be requested in that interaction. Similarly, identity proofing systems progressively validate and confirm the accuracy of the customer’s provided information at each step, in a step-by-step manner as the relationship grows.

In the context of a digital registration or onboarding experience, it is critical in the early stages of a user’s journey to provide a simple and seamless user registration process. The registration should not frustrate the user. As I explained earlier, a simple registration is important at the beginning of a user’s experience to ensure they have a positive first impression and are more likely to continue using the service.

Registration processes aim to balance data collection with user experience. If registration creates unnecessary friction, the organization risks a poor first impression. They may lose the opportunity to gain a new user’s trust and business. A positive initial registration is important for converting visitors into long-term customers. As the relationship develops, a more thorough process can prompt for additional details. This just-in-time approach balances needing information with providing a smooth experience.

Progressive profiling makes registration less burdensome over time. It does this as trust is built between the user and the system through repeated interactions. The goal is to make providing details less taxing as the relationship strengthens.

Figure: Progressive profiling during a customer journey

In this interaction model, each customer touchpoint has the potential to trigger profiling or contribute to their overall profile during a customer journey. Some interactions require identity verification to confirm a customer’s identity. Others contribute additional intelligence gathered at each touchpoint. This helps the organization gain a deeper understanding of each unique customer over time. An enriched profile allows for personalized experiences and tailored recommendations. These improvements strengthen the customer relationship and drive positive business outcomes.

While customer attributes related to authentication, authorization, identity proofing, risk and fraud protection are directly handled by the CIAM platform, other customer data and interactions can be leveraged to develop digital intelligence through tools like Persona Cards, customer data platforms, or other intelligence platforms. This digital intelligence captured outside of the CIAM system can then be utilized by the CIAM platform to supplement and enhance processes like profiling, segmentation, and personalization. For enterprises that have invested in building customer intelligence capabilities, leveraging this data within the CIAM allows for a more unified and comprehensive understanding of each customer for security concerns.

CIAM enables organizations to progressively build user profiles over time through various capabilities including:

  • User registration proportionate to customer journey: Provide a streamlined registration process that collects only the most essential information upfront to reduce friction for new users. As the customer’s relationship and interactions with the service develop over time, periodically prompt for additional optional details that can help verify their identity and tailor the experience. This allows a gradual onboarding that balances security with an easy initial experience to engage users early in their journey.
  • Incremental data collection: Provide the ability to collect user profile data incrementally over time. This allows for collecting non-essential data gradually as the user’s engagement increases, rather than requiring a full profile upfront. For example, preferences or security questions could be optional in initial registration if the user is primarily browsing for brand awareness. Collecting non-critical data incrementally reduces friction for casual users and makes the onboarding process more gradual.
  • Customizable User Profiles: Customizable user profiles allow organizations to define profile attributes tailored to specific customer segments and stages of the customer journey. This feature enables configuring user profiles according to interactions and journey stages. For example, collecting demographic details like age, gender, address, and language preferences may not be necessary during initial registration but could be important for providing customized quotes or offers later. Customizable profiles provide flexibility in gathering relevant information at each stage to enhance customer experience and outcomes.
  • Customer Identity Proofing: Gradually onboard and verify customers by validating attributes as they are provided. Maintain unique customer identities by checking for changes to information or added identifications during progressive interactions. This ensures a consistent, verified identity as the customer relationship develops over time.
  • Privacy & Consent Management: To ensure organizational processes respect user privacy and consent, the customer journey should prioritize privacy-sensitive approaches: collect only the data relevant to the interaction, and give users full transparency and control over their data through simple opt-in/opt-out mechanisms for personalized experiences. A personalized experience should only occur with the user’s explicit consent.
  • Policy Management: The ability to implement dynamic policies associated with each user or customer’s journey. For example, a policy could require that a user provide at least one government-issued identity if they are registering for a risk-based product. Implementing relevant policies for progressive profiling can help ensure compliance with privacy regulations, build trust with users, provide personalized experiences, and simplify the user experience.
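The capabilities in this list reduce to one question at each touchpoint: given the journey stage, the product’s risk class and what is already on file, what must the registration form ask for now, what may it offer, and what should it refuse to store? The Python below is an added example, not code from the article; the stage policy, the “high-risk product needs a government-issued ID at purchase” rule and the consent flag are assumptions constructed to illustrate the policy-management and data-minimization points above.

```python
# Assumed stage policy, constructed for this example: what each journey stage may ask for
STAGE_POLICY = {
    "awareness":     {"required": {"email"},
                      "optional": {"first_name", "marketing_consent"}},
    "consideration": {"required": {"email", "first_name", "last_name"},
                      "optional": {"phone", "postal_code", "language", "marketing_consent"}},
    "purchase":      {"required": {"email", "first_name", "last_name", "phone", "address", "date_of_birth"},
                      "optional": {"security_questions"}},
}

# Assumed risk policy: extra attributes a product's risk class demands at purchase
RISK_POLICY = {"low": set(), "high": {"government_id"}}


def _allowed(stage: str, product_risk: str):
    """Required and optional attribute sets for a stage, with the risk add-on applied at purchase."""
    policy = STAGE_POLICY[stage]
    required = set(policy["required"])
    if stage == "purchase":
        required |= RISK_POLICY[product_risk]
    return required, set(policy["optional"])


def plan_prompts(profile: dict, stage: str, product_risk: str = "low"):
    """What this touchpoint must ask for and what it may offer, given what is already on file."""
    required, optional = _allowed(stage, product_risk)
    have = {k for k, v in profile.items() if v}
    return sorted(required - have), sorted(optional - have)


def accept_submission(profile: dict, stage: str, product_risk: str, submitted: dict) -> list:
    """Merge only attributes the current stage is allowed to collect; return the keys that were dropped."""
    required, optional = _allowed(stage, product_risk)
    allowed = required | optional
    dropped = sorted(k for k in submitted if k not in allowed)
    for key, value in submitted.items():
        if key in allowed and value is not None:
            profile[key] = value   # an explicit False (e.g. consent declined) is kept on record
    return dropped


def stage_complete(profile: dict, stage: str, product_risk: str = "low") -> bool:
    """True when nothing required for this stage (and risk class) is missing."""
    return not plan_prompts(profile, stage, product_risk)[0]


def personalization_allowed(profile: dict) -> bool:
    """Explicit opt-in only: a missing or declined flag means no personalized experience."""
    return profile.get("marketing_consent") is True


if __name__ == "__main__":
    profile = {}
    print(plan_prompts(profile, "awareness"))
    print(accept_submission(profile, "awareness", "low", {"email": "ann@example.com", "date_of_birth": "1990-01-01"}))
    print(plan_prompts(profile, "purchase", "high"))
```

The dropped-keys list is the data-minimization control: a date of birth submitted during awareness is discarded rather than quietly stored, and the same profile later passes through the consideration and purchase stages with only the still-missing attributes being prompted for.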

Next: A Guide to Key CIAM Capabilities and Implementation Blueprints (CIAM-Part 4) — Identity & Access Management

The views expressed are my own and do not represent any organization. I aim to have respectful discussions that further positive change as we navigate unprecedented technological transformation. Change is constant, so my perspective may evolve over time through learning, testing, and adapting to new information.
