The Power Of Self-Service In CIAM
Heya,
CIAM (customer identity and access management) is self-service profile management. This is the ability of a person to create, update and manage their own profile data, which comes in several types, including credentials, consents and more.
The user’s ability to manage their own data is what makes CIAM different from CRM (customer relationship management).
With CRM, user profile data is not directly managed by the user. Sure, user actions (phoning into a call center, favoriting a product) may be stored in a CRM, but only because the system captures them. The user is not actively managing that data.
In contrast, CIAM ties profile management to the identity of the user. While there are levels of profile management, at the least there is a login identifier and some kind of credentials.
If your CIAM system doesn’t offer self-service capabilities, then it is really a shade of IAM (identity and access management). A centralized authority controls the user identity and profile data.
Consider the B2B2E use case, where the business that employs the employees owns the user profile data and delegates it, through federation, to an application. There’s no self-service. I’m not sure this is pure CIAM.
What are the consequences of CIAM’s foundations in user profile self-service? There are many, and they impact the user, the CIAM system and the applications it serves.
The User
The user can create, update and delete their accounts at their convenience.
The user controls the accuracy and completeness of their data, though application developers can gate functionality on certain data.
Most users will never delete or de-provision their accounts. A few will, exercising their right to be forgotten.
The user can reset their credentials without any intervention from employees or humans involved with the application.
The user won’t keep profile data accurate without incentives or reminders. Some ways to encourage accurate data include gating access based on verified email address, personalization which rewards accurate profile data, and a public profile where an audience can encourage accurate profile data.
The Application And CIAM System
CIAM scales to many more users, requiring less customer support than alternatives.
The CIAM system can verify account ownership, tying user accounts to real world people. This is identity proofing, and ranges in efficacy from verifying email inbox ownership to checking government documents.
Because of the lightweight interaction, all kinds of freemium business models open up, especially in digital services like info products and games.
The CIAM system can be a hub for other aspects of applications, pushing profile data out. It can also be a datastore, capturing user data exhaust or being enriched by first or third party data.
There are also some consequences for interactions between CIAM systems and users.
User CIAM Interactions
Users occasionally need to pop out of the self-service process. This might happen if the user loses access to an account associated with a login identifier, such as a phone number or email. They then lose the means to reset credentials and regain access. The application and organization using the CIAM system need to have processes for these situations.
Security of accounts is a partnership between the user and the system. For example, users can set up MFA, either by choice or through application requirement. The system can monitor for abnormal usage and require extra layers of verification before risky actions are taken.
Summing Up
Self-service with CIAM centers your user in your application in a way previously impossible.
But they aren't in complete control. They are responsible for creating and maintaining their account, but the data accuracy and available functionality can be enforced by the application or applications to which access is granted.
Cheers,
Dan