Identity Proofing In the CIAM Context
Heya,
CIAM exists as part of a workflow for your customers or users, with the end goal of getting access to your application's functionality or data.
When users register for an application through CIAM, they usually provide their own credentials. Depending on what the application is, additional forms of identity proofing may be required.
Identity proofing is the process of proving who a user is and connecting that identity to an online account, typically the one just registered.
Levels Of Proofing
There are many different levels of intensity for such a process.
For a game, the user might need to prove nothing additional, especially if it is a free game supported by ads.
For a business application that a user is trialing, they might need to prove they own the email address they provided by verifying it.
For a money transfer application, they might need to prove they have a real bank account by reporting the amounts of two small test deposits (a few cents each) that were made into their account.
For an application with legal ramifications such as signing into a government program, the user might need to provide government documentation and proof that it is theirs.
What a spectrum!
These are all over the place based on the seriousness of the application in question and the real world effects that a misidentification might have. The process of tying a real world person to an online account becomes more and more important as the account can increasingly impact the real world.
Your application might do this due to business needs. Keeping garbage accounts out of your system by requiring email or phone verification keeps reporting simpler and blocks bots from using your application. Or it at least delegates that job to the email providers, who have a vested interest in blocking bot accounts to keep their spam risk low.
The higher the effort involved, the more likely the identity proofing is being done for compliance with government regulation. Finance is one industry that is often affected. Patrick McKenzie has a great article about the Know Your Customer (KYC) programs that banks are required to have.
When Does It Happen
Usually identity proofing takes place at account creation. It makes sense. The CIAM system has a typical registration process but the account exists in a pending state. Full access is delayed until the user proves themselves. That can take seconds if all they need to do is prove they own an email inbox, or days if they need to provide government documents or bank account ownership.
The user eventually either proves themselves, or your proofing has filtered out a fake account and you can remove it.
Another time when you might want to require proof of identity is before a high impact event. One example I've heard of is prescription medication mailed to a patient: they can't collect it until they prove their identity. This is because medical goods are highly regulated and it is important that only the person they were prescribed to can access them.
Another example is before a substantial amount of money is transferred.
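To make the pending-state flow and the high-impact step-up concrete, here is an added example (not code from the original post or any particular CIAM product). The level names, the transfer threshold policy, and the sample clock values are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum

NOW = datetime(2024, 1, 1)  # constructed sample clock
DAY = timedelta(days=1)

class ProofLevel(IntEnum):
    """Ordered proofing levels mirroring the spectrum above (names are assumed)."""
    NONE = 0           # free, ad-supported game: nothing extra
    EMAIL = 1          # user proved they own the inbox
    BANK_ACCOUNT = 2   # user reported the two micro-deposit amounts
    GOVERNMENT_ID = 3  # government documents verified

@dataclass
class Account:
    email: str
    created_at: datetime
    proven: ProofLevel = ProofLevel.NONE  # registration leaves it here: pending

    def prove(self, level: ProofLevel) -> None:
        # Proofing only ratchets upward; a weaker proof never downgrades an account.
        self.proven = max(self.proven, level)

    def is_pending(self, required: ProofLevel) -> bool:
        return self.proven < required

def decide(acct: Account, required: ProofLevel, event_required=None) -> str:
    """'pending' until registration-time proofing is done; 'step_up' when a
    high-impact event needs more proof than login did; otherwise 'allow'."""
    if acct.is_pending(required):
        return "pending"
    if event_required is not None and acct.proven < event_required:
        return "step_up"
    return "allow"

def transfer_requirement(amount_cents: int, step_up_above_cents: int) -> ProofLevel:
    """Hypothetical policy: transfers above the threshold demand government ID."""
    return ProofLevel.GOVERNMENT_ID if amount_cents > step_up_above_cents else ProofLevel.BANK_ACCOUNT

def purge_stale_pending(accounts, required, now, ttl):
    """Split into (kept, removed): pending accounts older than ttl are treated
    as filtered-out fakes, as described above."""
    kept, removed = [], []
    for a in accounts:
        (removed if a.is_pending(required) and now - a.created_at > ttl else kept).append(a)
    return kept, removed
```

The same `decide` gate serves both moments the post describes: the registration-time check and the later step-up before a large transfer.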
Conclusion
Identity proofing is a critical part of almost any CIAM system. It lets you tie real world people to accounts that they create.
It introduces friction, but you can increase or decrease it based on your business needs and compliance requirements.
Dan