An Interview With Justin Richer
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Justin Richer is the CTO of UberEther, a high-security identity and platform service company. Justin is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of OAuth2 In Action and contributor to OAuth 2.0 and OpenID Connect. Justin is the editor of a variety of standards including GNAP (RFC9635), HTTP Message Signatures (RFC9421), and OAuth extensions for dynamic client registration (RFC7591, RFC7592), token introspection (RFC7662), and rich authorization requests (RFC9396). Justin is a co-author of NIST SP 800-63, FIPS201, and NIST SP 800-217.
I’m excited to hear Justin’s views on CIAM, identity and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Justin: Our customers manage identities in high security environments, and most of our focus has been on supporting workforce identities with our IAM Advantage product. Even so, the fundamental needs of an identity system remain consistent - the master user record to collect all the attributes and tie them to an entity for each user, a set of access rights available against that record, and all the lifecycle management that comes with it.
The biggest differentiator is the target for the identities - customer and employee functions are rightfully quite different. It’s important to keep these systems sufficiently separated, otherwise a compromised customer account could escalate into control over the system.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc)?
Justin: One of the biggest challenges in the CIAM space, especially with the move to cloud systems, is going to be privacy management. Unlike workforce identity, where there’s an employment contract governing the company’s treatment of user data, CIAM needs to deal with whatever jurisdictions the customers are in.
Justification for use of information, the right to be forgotten, and handling of various forms of PII that have to get collected — all of these and more complicate the processing of user accounts in the course of the application’s day-to-day functions.
To make matters even harder, CIAM systems need to deal with a wide variety of authenticators, even ones that might be less than ideal, in order to reach and accommodate the target user populations. Sure, passwords have a lot of security problems, but not everyone has a passkey available on their platform, even today.
Add to this the account binding and recovery that we see in the CIAM space, and you’ve got a recipe for wild edge cases that even the most grizzled professionals wouldn’t expect.
Dan: What excites you about the future of CIAM? Any predictions?
Justin: All of these challenges are also the source of some of the most exciting parts of CIAM - the fact that at the end of the day, it’s all about the people. The technology is great, and I love working on technology, but it’s the people that make things interesting. If we aren’t enabling people to do things, what’s the point of the technology in the first place?
I believe we’re going to see an increase in demand for smoothing the onboarding process. If the user can bring with them attributes that can be ingested in a safe, trusted, and privacy-preserving way, then that’s a win for everyone involved. I also think there’s going to be more of a shift towards systems that work in disconnected spaces.
We’re already seeing that with the desire for wallet-based credential presentation, which doesn’t rely on a remote IdP, and I think that trend is going to continue towards other systems.
I don’t know if it’s backlash against the cloud, exactly, but I think we’re realizing some of the value in things that we gave up when the world moved to a cloud-first mindset. The hybrids that we’ll see going forward are going to open up even more exciting possibilities across a wide range of technologies and systems, and I can’t wait to be a part of that world.
Thanks again to Justin for sharing his perspective, and thanks to you for reading!
Dan