back arrowBack to Identipedia

Customer Identity and Access Management (CIAM) 101

WebAuthn 101: How Web Authentication Works


Consider the following two stats:

  • 86% of web app attacks in 2022 were due to stolen credentials according to the Verizon DBIR.

  • 60% of US-based users said they gave up accessing an app in the last month because they forgot their password according to the FIDO Online Barometer Report.

This shows the delicate balance organizations need to strike between security and user experience when considering customer authentication and identity management. Too much friction and users drop off, not enough security and cybercriminals profit. 

Apart from building auth in-house, organizations usually consider investing in a Customer Identity and Access Management (CIAM) platform purpose-built for the task at hand.

In this article, we will explain the basics of CIAM, how it differs from IAM, its benefits, and tips to choose your CIAM provider.

What is Customer Identity and Access Management (CIAM)?

CIAM solutions are responsible for handling authentication, identity management, and access control for an organization’s external identities. These identities may include customers, free end users, contractors, suppliers, partners, and any other stakeholders not under the ambit of standard workforce identity management.

CIAM tools seek to help organizations provide secure, seamless authentication and user journeys to their customers, while also saving time for their engineering and IT teams.

End users will interact with CIAM through the familiar signup / registration process and validating their identity during logins. For organizations and developers, however, CIAM involves a variety of user identity-related tasks, including:

  • Collecting pertinent information, such as names, phone numbers, emails and any relevant documentation

  • Storing this data in a secure repository 

  • Governing login procedures for users, such as enforcing Multi-Factor Authentication (MFA) or One-Time Password (OTP) verification

  • Analyzing login attempts and checking them against stored credentials

  • Deciding which features of a service different users have access to

  • Delegating certain aspects of identity management to end users 

The capabilities of different CIAM platforms vary, but they’re often at least partly the solution for an app’s security, user management, and authentication needs. While some CIAM solutions provide on-premise support, most are Identity-as-a-Service (IDaaS) platforms hosted on the cloud.

CIAM vs. Identity and Access Management (IAM)

Much like CIAM, Identity and Access Management (IAM) is a set of tools that verifies identities and controls access to digital platforms. These two solutions perform similar functions, including:

  • Safeguarding who has access to sensitive information

  • Verifying identities against stored credentials

  • Granting permission to different aspects of a platform based on the user’s authorization level

Despite these similar functions, however, a few crucial distinctions exist between CIAM and IAM. Put simply, IAM solutions are generally used for employees and internal stakeholders, while CIAM is used for customers and external stakeholders.




CIAM is generally used to manage an organization’s customer base and other external stakeholders.

IAM solutions control access permissions for employees, contractors, and other internal stakeholders.


CIAM solutions balance security with UX to appeal to a larger audience that can choose which systems they use. 

IAM solutions generally aren’t public-facing; they prioritize security over functionality, intuitiveness and user experience (UX).

Use Cases

Popular CIAM use cases include customer authentication, customer SSO, and adaptive MFA.

Popular IAM use cases include employee SSO and user provisioning in HR systems.

How does CIAM work?

Robust CIAM solutions are adaptable to an app's specific needs and its developers' preferences. They may provide a wide range of security, identity verification and authentication tools, such as: 

  • Customer registration and profile creation

  • Support for a wide range of customer authentication protocols and methods 

  • Self-service account management

  • Access management / fine-grained authorization

  • Data access governance

  • Directory services

  • Federated authentication and single sign-on

  • Preference and consent management

The specific CIAM capabilities an app employs will depend on its purpose and design. Take, for example, ridesharing platforms, which may use CIAM to:

  1. Facilitate the registration process for users and drivers by analyzing their identification or sending a code to their cell number.

  2. Store sensitive user information in a secure database powered by a trusted Identity Provider (IdP).

  3. Enforce security controls like risk-based MFA, trusted device checks, and session timeouts.

  4. Control the features specific users can access, allowing for the seamless implementation of tiered subscription services.

  5. Analyze customer behavior and tweak onboarding and login UX to suit their preferences.

  6. Allow users to alter their accounts, such as changing their phone number or password. 

While the functions of CIAM solutions are varied and adaptable, they all work to facilitate three central capabilities: 

CIAM core capabilities
Fig: Core responsibilities of a CIAM platform
  • Authentication validates users’ login attempts by checking their credentials against those stored in the CIAM solution’s database.

  • Authorization allows users the proper level of platform access based on the permissions granted to their accounts. 

  • Identity management refers to a diverse set of capabilities such as user provisioning (SCIM), tenant management, token and session management, and delegated administration.

Business benefits of CIAM

Companies are rapidly adopting CIAM solutions to power their external authentication systems. In fact, the CIAM market is projected to expand by 15.3% by 2026. Gartner estimates that organizations adopting passwordless CIAM will reduce customer churn by more than half.

CIAM’s rising popularity can be attributed to the many benefits it provides businesses, including:

  • Improved user adoption and conversion. CIAM tools provide capabilities such as progressive profiling, consent and preference management, self-service admin, and passwordless login – all in service to organizations providing a frictionless and personalized experience to their end users.

  • Enhanced protection against identity attacks. CIAM solutions provide capabilities like risk-based MFA, secure session management, bot protection, and device fingerprinting to prevent account takeover and other forms of broken authentication.

  • Increased engineering productivity and focus. Handing over identity management to a trusted CIAM provider reduces developer effort spent on session management, credential storage, password reset resolution, and MFA implementation.

  • B2B enterprise readiness. CIAM platforms provide vital capabilities such as SAML and OIDC SSO, federated authentication, tenant management, and user provisioning – enabling B2B companies to move upmarket and sell to enterprise customers.

Tips to evaluate CIAM solutions

If you’re considering implementing a CIAM solution for your app, here are some criteria you can use to evaluate your chosen shortlist of providers.

Breadth and depth of auth method support 

An organization may have differing identity needs at different stages of its growth. CIAM providers that support a wide range of authentication methods and implementation approaches are best placed to adapt to the changing identity landscape.

Organizations should look for capabilities like:

  • Support for popular authentication methods like passkeys, magic links, OTPs, social login, authenticator apps, and passwords.

  • Support for standard, interoperable protocols like SAML, OpenID Connect, WebAuthn, and FedCM.

  • Support for different authorization models (RBAC, ReBAC, ABAC).

  • The ability to integrate with a variety of apps (custom, off-the-shelf, etc.).

Low-code customizability

Customer authentication is never a one-size-fits-all approach – each app and organization has its nuances and unique implementations. A preferred CIAM provider will enable organizations to easily modify their user journeys and auth flows.

Organizations should seek capabilities like:

  • Customizable user journeys, preferably in an intuitive and low-code visual interface.

  • Flexible user models with custom attributes and granular access control. 

  • The ability to A / B test and measure login approaches and user journeys.

  • The ability to easily customize user-facing screens and implement progressive profiling.

Extensible ecosystem

Customer identity touches every part of an organization. A preferred CIAM solution will provide a robust and scalable system of integrations with third-party services to keep customer identity in sync with every other business tool and team.

Organizations should check for capabilities like:

  • Integrations with existing tools in the fraud prevention, identity verification, CRM, and CDP space.

  • Flexible integration framework that allows for easily adding more integrations.

  • The ability to add custom and in-house integrations (HTTP, SMTP, audit).

  • Low-effort integration implementation (setup, testing, switching out one tool for another).

Reliability, security, and support

Problems with customer signup or login directly result in lost business. Security breaches involving customer identity have dire consequences. Organizations must evaluate the architecture, availability, and team background of the CIAM vendor they select.

Organizations should ask questions about:

  • Historical availability, SLA performance, and response times.

  • Session and token management best practices (rotation, reuse detection).

  • The largest customer the CIAM solution serves, which is a strong proxy for scalability.

  • Implementation flexibility for developers with multiple abstraction layers (UI, SDK, API).

  • Key certifications like SOC 2 Type 2 and ISO 27001.

  • Active and passive support offerings as well as migration support.

  • Customer reviews on public platforms like G2 Crowd.

Manage user identities and access with Descope 

CIAM solutions are a powerful way to manage identities, authenticate users and protect apps against data breaches. They offer a wide variety of features, from customer authentication to self-service onboarding, to provide a frictionless and secure user experience. 

If you are evaluating CIAM solutions for your organization, Descope can help. Our drag-and-drop CIAM platform helps hundreds of organizations improve user onboarding, protect accounts against account takeover, and unify identities across customer-facing apps – all without writing code.

Fig: Drag-and-drop magic links with Descope
Fig: Drag-and-drop CIAM with Descope

Sign up for a Free Forever Descope account to get started! If you have questions, book a demo with our auth experts.