Your customer login box is both a greeter and a gatekeeper. In addition to welcoming users, it helps to ensure that only approved customers can access the rights, information, services, and other privileges it guards.

• Authentication, or verification that “you are who you say you are” is only one aspect of Customer Identity and Access Management (CIAM).
• Authorization, the process of determining what resources a user can access, is equally important—even if it doesn’t receive as much attention.
• Identity Management is even broader. It pertains to the user information that’s gathered, stored, and shared with other systems to enable a wide variety of functions and business processes.

What starts as conceptually simple—a username and password controlling access to a digital system—can expand into a complex engineering problem. Decisions made for short-term convenience have the potential to limit future extensions and create burdensome technical debt.

In this Identity primer, we’ll review important aspects of CIAM, including:

• Fundamental functionality
• Questions that should be answered before implementing an Identity stack
• Common authentication and authorization standards

Whether you decide to build an Identity stack in-house or choose to incorporate a cloud-based CIAM solution into your applications, we’ll help you make an informed decision.

To get started, create a free account at Auth0.com.

CIAM fundamentals

In Identity terms, the three essential functions of an effective CIAM solution are authentication, authorization, and Identity management:

Authentication

• Ensures that a user logging into an account is who they say they are
• Prevents bad actors from accessing account privileges and sensitive user data (e.g., payment details, address, social security number, demographic information, etc.)**

Authorization

• Manages the level of access each user has
• Prevents users from accessing privileges and information that exceed what’s needed or allowed

Identity management

• Allows app providers to better understand their users
• Enables users to manage their own identities, data, and preferences
• Supports configuration, personalization, and other Identity-related functions (e.g., consent management)

But—just as describing a car as a combination of engine, drivetrain, and steering is woefully insufficient at capturing what you can do with one—simply summarizing these Identity elements doesn’t come close to telling the CIAM story.

As many developers have discovered, while Identity can seem conceptually straightforward, it very quickly becomes surprisingly complex.

The typical CIAM journey

For most organizations, CIAM is a journey, starting with the bare-bones basics needed to win initial customers and extending to a point at which Identity is a strategic enabler of a growing business.

Stage: Fundamental

• You have the bare essential capabilities and architecture for authentication (user sign-in), authorization (access rules, policies), and user management (user sign-up)
• Building and maintaining these capabilities consumes engineering resources, and a lack of experience around the larger role of Identity can lead to costly missteps

Stage: Scaling

• You understand the importance of being able to build and deliver great digital products and services repeatedly, at scale
• Your focus shifts internal operational efficiencies to support business growth, with automation, easier administration, and low-touch user lifecycle management (LCM) becoming important

Stage: Advanced

• You’re fully focused on optimizing and scaling digital offerings while safeguarding the security and privacy of end users and their data
• Customer expectations are high, with a growing base of users — perhaps in many regions — demanding frictionless and personalized experiences
• There’s a need to integrate Identity within your broader technology stack (e.g., marketing engine, content management system, data management platform, etc.)

Stage: Strategic

• Identity is regarded as a key to unlocking organizational success
• You have mature digital and omnichannel initiatives that optimize for both user experience and security
• Customers interact with your business via multiple channels, while demanding more advanced features
• Different teams across the company work together to devise, develop, sell, and scale digital offerings, but each has its own set of distinct requirements and priorities

Questions that need answers

A proof-of-concept web application might rely entirely on Facebook for authentication, and have an all-or-nothing authorization policy. In this scenario, your app performs a simple check: if a user isn’t currently logged in to Facebook in the current browser, you direct them to do so. Once authenticated, all users can access everything in your app.

However, it’s unlikely that such a simple IAM solution would meet the needs of your users, organization, industry, or compliance standards.

Instead, making informed implementation decisions requires carefully considering a number of questions.

How will users become a part of our system? Do we need to verify their identity?

Smooth and professional login and signup experiences occur within your app, with your brand’s—or your customers’ brands—look and language.

Plus, users expect to be able to log in using a variety of social (such as Google or Linkedin), enterprise (such as Microsoft Active Directory), and other Identity providers.

Effective identity flows make it easy for users to quickly create a new account; unnecessary friction may significantly decrease signups.

Additionally, you may want to—or may be required to—perform identity proofing as part of the sign up process.

Get started with Auth0: getting started, set up a connection, set up an application, enable universal login with your brand, and learn about identity proofing

What user information do we need to store? How will we get it? Where will we store it?

Now that a user is registered, you may need to secure their consent to collect and store information.

Some basic information may be available via social login; other information may be obtained through progressive profiling.

Also, you may be subject to regulations governing where (i.e., geographically) you are permitted to store user information.

Get started with Auth0: Auth0 Connections (Database, Social, and Enterprise Connections), How Metadata works.

During authentication flow, how will a user prove their Identity when they log in?

In an age when passwords are often stolen, requiring additional proof of Identity is the new standard.

Biometric (e.g., fingerprint, face ID) authentication and one-time passwords (OTPs) are examples of strong secondary factors that can be used as part of a multi-factor authentication strategy.

Additionally, passkeys can improve user experiences and prevent account takeovers by enabling phishing-resistant FIDO authentication.

How will we control what resources a user can access, once they’re logged in?

As the number of users grows, managing the access of each individual quickly becomes impractical. With Role-based Access Control (RBAC), users who have the same role have the same access to resources.

Enable user collaboration and granular access control in your applications using developer-friendly APIs with Fine-Grained-Authorization.

You may also want to consider step-up authentication, which prompts users to provide stronger proof of identity when they try to access advanced capabilities and sensitive information.

How do we protect API’s?

An API is an entity that represents an external resource, capable of accepting and responding to protected resource requests made by applications. Securing your APIs and ensuring that all data sent over the wire is encrypted and kept safe from malicious third parties should be a top priority.

Get started with Auth0: Get started with APIs

How will we protect our system from Identity-based attacks?

Preventing bots and bad actors from breaking into your system is fundamental to cybersecurity (and to avoiding the regulatory and marketplace consequences that can follow an intrusion).

Common attacks include:

• Fraudulent signups
• Credential stuffing and related password-based brute-force methods
• MFA bypass

Get started with Auth0: Attack Protection

With what other systems do we need to integrate our identity stack?

Being able to accommodate change and tailor Identity to your unique needs — and doing both without drawing too heavily upon developers — is the difference between CIAM as a necessary component of your application stack and CIAM as an operational and competitive advantage.

Satisfying advanced use cases often requires transacting with other business systems (e.g., a customer data platform, or ID proofing during registration flow) and third parties to execute complex conditional flows — but building such advanced logic from scratch is a major undertaking.

Get started with Auth0: Actions, Auth0 Marketplace

Authentication and authorization standards

Authentication and authorization standards are open specifications and protocols that provide guidance on how to:

• Design IAM systems to manage Identity
• Move personal data securely
• Decide who can access resources

As is the case with many standards, those relating to Identity are constantly evolving. Expectations are that the Identity capabilities of an application will keep pace. At present, these IAM industry standards are considered the most secure, reliable, and practical to implement.

The most common Identity standards include:

OAuth 2.0:

• A delegation protocol for accessing APIs
• Lets an app access resources hosted by other web apps on behalf of a user — without ever sharing their credentials
• The industry-standard protocol for IAM: allows third-party developers to rely on large social platforms like Facebook, Google, and Twitter for login.

OpenID Connect (OIDC)

• Builds on OAuth2.0, allowing more granularity
• Makes it easy to verify a user’s Identity and obtain basic profile information from the Identity provider

JSON web tokens (JWTs)

• JWTs define a compact and self-contained way for securely transmitting information between parties as a JSON object.
• Can be used to pass the Identity of authenticated users between the Identity provider and the service requesting the authentication
• Can be verified and trusted because they’re digitally signed

Webauthn

• Web Authentication is a new standard enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users using hardware authenticators.

SAML

• An open-standard, XML-based data format that lets businesses communicate user authentication and authorization information to partner companies and enterprise applications that their employees use
• Typically more work to get set up, making SAML more suitable for enterprise applications

WS-Fed

• Developed by Microsoft and used extensively in their applications
• Defines the way security tokens can be transported between different entities to exchange Identity and authorization information

Conclusion

User expectations, business requirements, and compliance standards introduce significant technical challenges. With multiple user sources, authentication factors, and open industry standards, the amount of knowledge and work required to build a typical CIAM system can be enormous.

A strong CIAM platform has built-in support for all identity providers and authentication factors, offers APIs for easy integration with your software, and relies on the most secure industry standards for authentication and authorization.

In fact, a recent global survey of application development team members underscored the value of incorporating third-party authentication into SaaS applications. Based on 675 responses from professionals in 56 countries, the survey found that:

• Authentication as a function takes the third-most time to build and maintain in-house, behind only Data Management and Storage, and DevOps Tooling and Automation
• Third-party authentication reduces time to market more than any other SaaS component: 88% of organizations that use a third-party SaaS platform for authentication report reducing time to market in the last year

Whether you’re updating your company’s website, building an app, or just getting started, authenticating your users safely and securely is paramount. That’s why Netlify and Auth0 by Okta have partnered to support you in your Identity and Access Management journey. Now you can rapidly integrate authentication and authorization for web, mobile, and legacy applications and focus on your core business.

Ready to get started? Start using Netlify + Auth0 today.

*Note: Any products, features, or functionality referenced in this material that are not currently generally available may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation, or promise to deliver any product, feature, or functionality, and you should not rely on them to make your purchase decisions.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.