An Interview With Brian Pontarelli
Hiya,
This is the second in my series of interviews about the future of CIAM from experts in the space.
Brian Pontarelli is a technology entrepreneur currently solving login, registration, and user management challenges with FusionAuth. Brian started programming at the age of 8 and studied Computer Engineering at CU Boulder. During his early career, Brian worked as a software engineer at companies such as BEA and Orbitz. He started working on his own products on nights and weekends and quit his day job after selling a few enterprise licenses. Brian still codes, but spends most of his time focusing on growing FusionAuth and helping customers solve their auth problems.
I’m excited to hear Brian’s views on CIAM, identity and more.
Full disclosure, I work for FusionAuth.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Brian: There is a pretty broad range of problems people are trying to solve these days, but here are a handful that come to mind:
Overhead and expense - companies understand that implementing solid and secure features like multi-factor authentication (MFA) is time consuming, dangerous if you get it wrong, and not part of their core business. It’s far more cost effective to outsource these features now.
Scale - authenticating and authorizing one hundred users is pretty simple. They probably log in once per day or less. Scaling to 100 million users is crazy difficult. What was originally handled by a simple plugin for your MVC framework now takes an entire team of highly skilled engineers to do well.
Usability - statistics show that bad login and registration experiences can lead to significant loss of application users. Making sure everything is secure at the same time as the login experience is smooth is a hard problem to solve. Companies are now looking for tools that make usability simple and which are also secure.
Reliability - I like to say that if your login is down, your cash register is closed. The best CIAM solutions out there are extremely reliable. Heck, at FusionAuth, we have customers that have been running for years with zero downtime.
Complexity - If you look at it, login is pretty simple. However, once you add in MFA, single sign-on (SSO), registration, password resets, email changes, email verification, organizations, authorization, token management, devices, machine-to-machine communication, and the hundreds of other big and small features that companies need, things quickly become very complex. The best CIAM solutions hide this complexity and make it simple to add and manage these features.
Dan: What are the major challenges you see with CIAM (in the industry, in implementation, etc.)?
Brian: The CIAM industry is suffering from an identity crisis (pun intended). There is a current push to make everything as simple as possible. The issue is that the real world is not always simple. You can’t just hide complexity and make all the decisions for developers.
Take the example of changing an email address. This looks simple on the surface, but once you start digging a bit, you uncover a rat's nest of complexity.
What happens if the account has been compromised? Changing the email allows the attacker to own the account including any form of emailed password resets.
What if the account isn’t compromised but the real user mistypes their email? How do they fix that if the email change logs them out or their session times out?
What if the user needs to have multiple emails on an account temporarily, but then requires the ability to set a primary address and delete the others? Is this safe in all cases?
Other examples of seemingly simple tasks that are complex include things like Know Your Customer (KYC), identity proofing/verification, account provisioning, account takeover, and much more. At some point, we need to tackle complexity without alienating developers or frustrating users. This is a challenging problem to solve.
Dan: What excites you about the future of CIAM? Any predictions?
Brian: Scale. Applications with larger and larger user bases are starting to look at alternatives to homegrown solutions. They realize that even though they might have tens of millions of users, they still need to provide awesome security with a great user experience. And they want something that doesn’t require a bank of quantum computers to handle the volume.
CIAM solutions need to be capable of scaling as user bases grow. They should also be able to conserve resources when traffic slows down. Understanding the demands on computing power, storage, and networking throughput makes this a very exciting area of CIAM.
My prediction is that cloud-hosted solutions will continue to struggle to handle true scale without having to contort their solution in unnatural ways. Solutions that run natively in scalable infrastructure systems such as Kubernetes and that have been built with scale in mind will find their solutions fit more naturally in these areas of CIAM.
Thanks again to Brian, and thanks to you for reading!
Dan