An Interview With Aeneas Rekkas
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Aeneas Rekkas is a prominent software engineer and influencer, driven by a passion for open-source and software. His journey began in 2008, developing his first learning management system for serlo.org, an initiative aimed at creating a Wikipedia for eLearning. From 2008 to 2014, he contributed to various PHP authentication libraries and continued to build authentication systems for side projects, culminating in the creation of Ory Hydra. Rekkas founded Ory in 2015 and, in recognition of his contributions to serlo.org, received the German Federal Cross of Merit from President Frank-Walter Steinmeier. After completing his computer science studies with a focus on machine learning and artificial intelligence in 2018, he began commercializing Ory in 2019.
I’m excited to hear Aeneas’ views on CIAM, identity, authorization and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Aeneas: Customer Identity and Access Management (CIAM) often presents unexpected complexities. Challenges come from keeping up with new and evolving technologies like Passkeys, OpenID Connect, and FedCM, along with protection from ever-increasing security threats such as credential stuffing, SIM swapping, and advanced malware. Scalability and reliability, crucial for any user experience and access scenario, compound these issues. Additionally, integrating CIAM with complex legacy systems adds significant hurdles. Developing a CIAM solution tailored to unique customer needs becomes costly and difficult.
Organizations face the choice between building in-house, requiring substantial dedicated teams, or adopting commercial SaaS solutions. Keeping up with evolving technology, standards, or security threats is easier with Ory (the company I founded) because of the open-source community involvement of thousands of developers to keep solutions current. Ory scales because of its stateless architecture and fits seamlessly into all environments because of the API-first approach taken since the beginning. Because organizations have varying CIAM approaches, Ory offers flexible deployment options: fully managed services, supported self-hosting, and DIY open-source implementations.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc.)?
Aeneas: The implementation of CIAM presents several significant challenges. A primary issue is the inconsistency and inadequacy of existing standards, such as SAML, which are often poorly defined or misapplied, like using OAuth2/OpenID Connect for simple session management. These standards are often web-centric, neglecting native applications and non-browser environments, leading to fragmented custom solutions. The slow pace of standards development compared to evolving web technologies, such as the phase-out of third-party cookies, necessitates active participation in standards bodies.
Scalability is another concern, as engineers may opt for libraries unsuitable for large-scale deployments, highlighting the need for solutions like Ory’s Go-based, stateless architecture. Moreover, the tendency for engineers to “create their own” security implementations, often based on limited knowledge, introduces vulnerabilities, underscoring the value of open-source, community-vetted solutions.
Finally, the inherent complexity and unique requirements of CIAM systems necessitate extensive code to handle edge cases, making an API-first approach, as adopted by Ory, crucial for flexibility and maintainability.
Dan: What excites you about the future of CIAM? Any predictions?
Aeneas: I’m driven by a vision that all software can rely on standardized open source such that you never have to build authentication again. You simply use the open-source version and determine if you want it self-hosted, with or without support, or via a SaaS model. Just as open-source databases like Postgres, MySQL, and MariaDB have eclipsed proprietary solutions like OracleDB, open-source CIAM will render traditional SaaS and enterprise (in-house and closed-source) CIAM obsolete.
The question becomes, why reinvent the wheel? Similar to database development, where building a custom SQL database is now largely confined to dedicated vendors, CIAM will follow suit. This shift will also accelerate the adoption of robust, phishing-, stuffing-, and brute-force-resistant credentials, such as passkeys. Ultimately, this movement addresses the fundamentally flawed way humans currently interact with the internet, characterized by password overload and fragmented accounts, paving the way for a more secure and streamlined digital future.
Thanks again to Aeneas for sharing his perspective, and thanks to you for reading!
Dan