Trends in CIAM
Heya,
There was a recent post about authentication on Hacker News and someone commented about the evolution of authentication over the last 20 years, talking about the pendulum swinging back and forth between ‘roll your own’ and ‘use a vendor’. The comment author is a software architect, per their profile. I responded with a comment about my thoughts on recent CIAM trends.
This post is an expansion of that comment. My knowledge of these trends is due to the fact I am employed by an authentication (auth) vendor. I am relatively outward facing and keep on top of trends in the business.
Many Startups
First off, there are tons and tons of startups entering the auth and adjacent spaces since the Auth0 acquisition by Okta in 2021. This is likely due to a combination of factors:
auth is a dev tool, which means devs can be their own ideal customer (at least in the beginning), which lowers the activation energy to create a startup
auth has stickiness, which contributes to a sustainable business model; companies don't change their auth solution on a whim
parts of the auth process, especially login, are standardized, which means that base functionality is well defined and somewhat interoperable, allowing newer products to leverage an existing ecosystem of applications and OIDC and SAML libraries
auth is a defined market (thanks Auth0!); startups don't have to explain the value prop
the critical nature of the problem; as a colleague puts it, functioning login "is akin to being "open for business""
There's also a trend of some auth providers helping engineering teams solve authentication as fast as possible, offering reduce time to market as a feature and ignoring said standards like OAuth and OIDC. If they don't ignore them entirely, they delay implementation.
In a bit of a Cambrian explosion, providers are niching down for specific use cases. Examples include:
WorkOS, which offers enterprise SSO as a service for other apps to integrate
Propelauth, focusing on b2b applications
Frontegg, focusing on b2b SaaS apps
Clerk, which started with react components, though they've expanded past that
And for all of the above closed source SaaS providers who raised money, there are now starting to be open source competitors.
Self-hosting Is Cool Again
While there have been self-hosted solutions for a long time--the Shibboleth project began in 2000 and Keycloak is a decade old, there are a number of self-hosting solutions with a more modern feel than these software packages:
Duende Identity Server
FusionAuth (my employer)
Zitadel
Ory
Some auth providers that are open source or free are making money by operating their solution and letting developers consume it in a SaaS like format. This is apparently so successful as a business opportunity that some of them make it difficult to download the software so you can run it yourself.
Bundling And Unbundling
Bundling services on top of identity is becoming more common, especially authorization. WorkOS bought Warrant, and Frontegg has a strategy of offering higher level services (subscription management) on top of identity. 1Password even bought an identity product, Passage.
Counter to the above bundling, there's also a new crop of authorization as a service vendors, such as Permit.io, Aserto and Cerbos. These all integrate with authentication standards, often consuming user identity via an OIDC identity token as part of their authorization ruleset.
Where Are The Hyperscalers
Hyperscaler solutions are usually the default for folks building in the cloud. It's just so easy. But when limits are reached, customers look elsewhere. These limits are typically functionality rather than cost. Hyperscaler solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
Surprisingly, no hyperscaler has adopted and then offered any of the more modern open source auth solutions.
And with the noted exception of Entra B2C, it feels like the hyperscalers are not improving their solutions in meaningful ways.
More Standards, Please
There is a move by browser vendors to mediate identity, federated credentials management. This would move identity infrastructure from auth vendors to the browser, and is under active development. The key premise is privacy, and all the browser vendors are driving this. It’s been a while since I went to one of the meetings, but when I was there, I remember staff from all the major browser vendors being present.
The FedCM effort was recently moved from a community group to a working group; here’s a draft specification.
Homegrown Wariness
Finally, there is a trend away from homegrown solutions. It could be the folks I see and talk to, but most engineering teams aren't interested in implementing auth themselves.
They see it as undifferentiated functionality, like a database or message queue. They think it is only worth implementing in certain very specific circumstances: when it is a critical differentiator or if a company can't be certain of vendor performance or availability guarantees.
Occasionally cost comes up because the substitute for many of these vendors is a dedicated engineering team working with a platform framework, a homegrown solution, or running and improving an open source solution. This puts an upper bound on what any auth vendor can charge.
Depending on size and stage of the company, engineering teams are also thinking about the speed to market vs external dependency of SaaS offerings for critical application components. Finally, companies also worried about lock in, because, as noted above, auth vendors are sticky.
Summing Up
These are my observations of the modern CIAM market.
What are yours?
Dan
Safety. Rolling your own is risky, since bugs at login time are catastrophic... I may have misread your post, but that’s my top reason to recommend a vendor or established OSS. Secondary to that is, if there are vulnerabilities, whether local, unique ones are an advantage or not? Usually, for compliance, “keeping up with the Joneses” can be better than innovating.
Now, as for speed-running the 25-40 years it took for AuthN to get standardized for AuthZ permissions... Well, that’s what the community at AuthZ.substack.com is about. — thank you so much for your support!