An Interview With Warren Parad
Hiya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Warren is the CTO at Authress, an AWS Community Builder, AppSec evangelist, public speaker, and the host of the popular Adventures in DevOps podcast. In his two decades of experience, he has journeyed through many different locations, technologies, and industries, from building identity and data exchange systems for Health Care IT in Wisconsin to architecting global distributed software platforms for E-Commerce in Switzerland. He now focuses on Authress, helping to deliver the auth that users expect.
I’m excited to hear Warren’s views on CIAM, identity, authorization and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Warren: The core problem CIAM solves isn’t logging in—that’s mostly a solved problem and, frequently, a broken one. Passwords are inherently flawed. Magic links via email seem clever until you realize that email domain ownership itself is a security risk. TOTP and most MFA options are riddled with usability issues, phishing vectors, and a false sense of security. Even if you wanted to get it right by using something off the shelf, very few open source libraries support real solutions like hardware-backed cryptographic keys, trusted platform modules (TPMs) or WebAuthn and hardware-security modules (HSMs), and SaaS providers are too busy enabling the broken-by-design authentication schemes to focus on what’s actually required to keep identities secure.
What CIAM actually solves is everything that comes after login. Fundamentally, CIAM is login and access control for the software applications you build. And the real value lies in the complexity of managing identity and access after you’ve figured out how to identify a user. This is where businesses face the most challenges, ones their legacy systems or open source libraries can’t handle. CIAM handles tenant management, user group syncing, resource based access permissions, audit trails, access requests, invites, access reviews, and other workflows that grow exponentially harder as your application scales and your users’ privacy needs evolve.
For businesses stuck on homegrown systems or clunky on-prem setups, CIAM offers a much-needed upgrade. But for most, it’s less about the act of authentication and more about managing the complexity of access control and compliance that comes with modern, multi-tenant applications. The real opportunity lies not in making login better, but in untangling everything else that comes with it.
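The phishing point in Warren's answer above (TOTP has "phishing vectors", whereas hardware-backed keys and WebAuthn do not) is easy to see in code. The following is an added example written for this page; it is not code from Warren, Authress, or the original interview. It runs the same adversary-in-the-middle (a reverse proxy on a lookalike host that relays the real site's login flow) against both factors. The hosts bank.example and bank-login.example, the fixed clock, the TOTP seed and the challenge string are all constructed for the demonstration, and the authenticator data is simplified to rpIdHash plus a flags byte (no counter, no attestation, no credential ID).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net/url"
)

// ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------

// totp computes the code for the given Unix time.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// totpAccepted is the server-side check. Nothing in the code binds it to the
// site the user typed it into, so a relaying proxy can forward it verbatim.
func totpAccepted(serverSecret []byte, submitted string, now int64) bool {
	return hmac.Equal([]byte(submitted), []byte(totp(serverSecret, now)))
}

// ---------- WebAuthn-style assertion (simplified layout, see lead-in) ----------

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData   []byte // rpIdHash (32 bytes) || flags
	ClientData []byte // clientDataJSON
	Sig        []byte // ECDSA-P256 over authData || SHA-256(clientDataJSON)
}

// authenticatorSign models the browser plus a hardware-backed authenticator.
// The page cannot choose pageOrigin: the browser fills it in from the URL the
// user is actually on and derives the RP ID from that host.
func authenticatorSign(key *ecdsa.PrivateKey, pageOrigin, challenge string) (assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append(rpIDHash[:], 0x01) // 0x01 = user present
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return assertion{AuthData: authData, ClientData: cd, Sig: sig}, err
}

// rpVerify is the relying party's check. Origin and rpIdHash are inside the
// signed data, so an assertion made on a lookalike host is rejected even
// though its signature is perfectly valid.
func rpVerify(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong type or challenge (replay or stale session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q: phished assertion", cd.Origin, expectedOrigin)
	}
	u, err := url.Parse(expectedOrigin)
	if err != nil {
		return err
	}
	want := sha256.Sum256([]byte(u.Hostname()))
	if len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientData)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// RunScenario relays the same proxy attack against both factors and returns
// (legit WebAuthn accepted, relayed TOTP accepted, relayed WebAuthn accepted).
func RunScenario() (bool, bool, bool) {
	const realOrigin = "https://bank.example"       // constructed
	const phishOrigin = "https://bank-login.example" // constructed lookalike host
	now := int64(1700000000)                          // constructed fixed clock

	// TOTP: the proxy shows the real form, the victim types the code, the proxy forwards it.
	seed := []byte("constructed-shared-totp-seed")
	totpRelayed := totpAccepted(seed, totp(seed, now), now)

	// WebAuthn: the proxy forwards the real challenge, but the victim's browser signs for phishOrigin.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "constructed-challenge" // a real RP uses fresh random bytes per login
	legit, _ := authenticatorSign(key, realOrigin, challenge)
	phished, _ := authenticatorSign(key, phishOrigin, challenge)
	legitOK := rpVerify(&key.PublicKey, realOrigin, challenge, legit) == nil
	relayOK := rpVerify(&key.PublicKey, realOrigin, challenge, phished) == nil
	return legitOK, totpRelayed, relayOK
}

func main() {
	legit, totpRelayed, relayed := RunScenario()
	fmt.Println("legit WebAuthn accepted:  ", legit)
	fmt.Println("relayed TOTP accepted:    ", totpRelayed)
	fmt.Println("relayed WebAuthn accepted:", relayed)
}
```

The design point is that the TOTP server can only check that the code is correct for the shared seed and the current time; it has no way to know which site the user was looking at. The WebAuthn relying party, by contrast, checks the origin and RP ID that the browser (not the page) wrote into the signed material, which is why a relayed assertion fails at the real site without any user awareness required. The totp function here follows RFC 6238 exactly (the RFC 4226 test seed yields 287082 at T=59), so the TOTP half is the real algorithm rather than a stand-in.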
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc)?
Warren: The biggest challenge with CIAM is that most organizations lose interest in committing to it over time. Even when they begin with the ambitions to improve security and access management, internal support fades after a few months. Security is treated as a cost center, not an investment, and teams are left scrambling to work around their existing incomplete implementation rather than implementing durable, long-term solutions. This short-term thinking is pervasive as companies focus more and more on “what can we do today?” rather than “how do we build for tomorrow?” let alone planning for next year.
Regulations only make this worse. While well-intentioned, they do little to improve actual security. Instead, they force companies to pour money into compliance efforts that satisfy auditors, but fail to address the underlying risks. And, of course, there’s always another SaaS provider ready to charge you for the privilege of meeting the latest regulatory checkbox.
The industry continues to pile on new obligations without rewarding companies for doing the right thing in the first place. It’s littered with shiny new solutions and open source “gimmicks” that exist to funnel companies into a SaaS paywall. Decision-makers often fall for these because they look good in a demo or promise a fast PoC. But how many of those solutions are actually designed to last? Too often I hear from customers who’ve committed to another product for a year+ only to realize it doesn’t scale or fit their needs. This happens when the person signing the check isn’t the one who has to live with the decision.
Even at the standards level, the problems are glaring. As a member of the IETF OAuth Working Group, I’ve seen firsthand how mired down we get by outside pressures. We come up with great ideas, but the reality is—even if we create the perfect standard, why would anyone implement it? Businesses are rarely rewarded when they follow one. Where the incentives lie is paramount.
Another issue is the lack of privacy focus among major identity providers. Passkey implementations, for example, have been plagued by failed rollouts, and very few providers, besides Authress, prioritize privacy in social login. Worse, many companies have fundamentally wrong opinions about how to design their architectures, leading to flawed trade-offs that weaken security. While companies are often concerned with the cost of switching tools, migrations are fundamentally easy; it’s changing mindsets that is hard.
Finally, internal politics remain one of the most frustrating obstacles. CIAM providers like ours have already solved the durability and reliability challenges with five 9s SLAs, so those aren’t even issues anymore. But getting teams aligned and thinking beyond immediate needs is often harder than solving the technical problems. Until security becomes something businesses are actively rewarded for, rather than penalized into compliance, these challenges will persist.
At Authress, we try to address this by making privacy-based solutions accessible, disabling features that harm security by default, and ensuring that problematic options are only available after deliberate action—because the best security solutions should protect companies not just from attackers.
Dan: What excites you about the future of CIAM? Any predictions?
Warren: One of the things I’m really glad about is that many of the historical security concerns are finally being taken seriously. Passwords, magic links, and one-time passwords are now universally rejected, even if some customers still request them and some providers still enable them by default. We are getting to the point that TPMs are included in every computer and all interactions are signed not just by TLS certificates but also by device bound derived keys. This is a huge win.
The other innovation currently in the works is FedCM, which will eliminate most of these entry-level authentication providers. FedCM provides a website-agnostic login and negotiation protocol to unify the login experience. As sites roll this out in the coming years coupled with federated networks for online tools, we’ll finally start to make a major dent in the traditional security practices that have for far too long been out of date.
I’m the last person to bring up AI, but this is actually a good thing here. Not in the sense that AI or LLMs help at all, even if the LLMs themselves provide poor quality, factually incorrect information at a huge cost to our environment and society—but rather to address the norms. The prevalent use of LLMs will start to significantly dissuade the expectation that getting a phone call or an email is normal. If interactions with our data never require login and never require emails or phone calls, then those mechanisms will all cease to exist as phishing strategies, because when you do get one, you know it is just that. Since logins are being fixed with iterations of the physical passkeys, the use of LLMs will help change the prevalent expectations of tooling interactions.
Thanks again to Warren for sharing his perspective, and thanks to you for reading!
Dan