1 Executive Summary
The Customer Identity and Access Management (CIAM) market continues to grow and evolve. CIAM is a well-established and innovative branch of the broader IAM field. CIAM solutions are designed to address the specific technical requirements of consumer-facing organizations, which differ from those of traditional “workforce” or business-to-employee (B2E) use cases. CIAM encompasses business-to-consumer (B2C), business-to-business customer (B2B), and government-to-citizen (G2C) use cases and functions.
The main reasons organizations acquire CIAM solutions are to:
- Provide identity management for consumers and customers
- Improve customer experiences through personalization
- Enable stronger authentication and authorization
- Improve defenses against fraud
- Convert unknown users into known users and customers
- Gain insights for targeted marketing
- Increase account acquisitions and revenue and improve retention
- Provide mechanisms to allow users to consent, revoke consent, and/or request deletion in accordance with privacy regulations
- Manage regulatory compliance
CIAM systems allow users to register, associate devices and other digital identities, authenticate, and get authorized; they also collect and store information about consumers from across many domains. Unlike in workforce IAM systems, though, information about consumer users often arrives from many non-authoritative sources. Information collected about consumers can be used for many different purposes, such as authorization to resources or for transactions, analysis to support marketing campaigns, or Know Your Customer (KYC) and Anti-Money Laundering (AML) regulatory compliance. In B2B customer scenarios, the CIAM systems increasingly need to pull authoritative attribute information from partner, contractor, and customer IAM systems. Moreover, CIAM systems must be able to manage many millions to even billions of identities, and process potentially tens of billions of logins and other transactions per day. SaaS delivery of CIAM services is the norm and will remain so.
CIAM systems can aid in other types of regulatory compliance. Privacy regulations and the requirement to collect consent have been a strong driver for CIAM implementations. For example, since GDPR took effect in the EU in May of 2018 and CCPA took effect in California in 2020, collecting consent from consumers for the use of their data has become mandatory in many jurisdictions. Many CIAM solutions provide this capability and also offer consumers dashboards to manage their information sharing choices. Moreover, CIAM systems can help corporate customers implement consistent privacy policies and provide the means to notify users when terms change and then collect consent.
Improving the consumer experience is often a goal in deploying or upgrading CIAM solutions. With the increasing digitization of Business-to-Consumer (B2C) interactions, consumers are asked to create and use more and more accounts and passwords. Managing the escalating numbers of digital accounts can be burdensome for consumers if the CIAM systems with which they are engaging are not optimally designed, implemented, and continuously tuned.
CIAM platforms are used by both for-profit and non-profit organizations. For-profit businesses typically have more consumer data and marketing objectives. Non-profits use CIAM to host the identity information of donors, volunteers, and service recipients. Government agencies use CIAM to manage citizen identities for government interactions, such as paying taxes, fees, or fines; registering for licenses and services; managing applications; and various other use cases. All such organizations need to provide the means for B2B customers, consumers, or citizens to register, manage their user profiles, authenticate, and get authorized for different kinds of resource access. Organizations deploying CIAM need dashboards for monitoring utilization, reports on historical activities, and the ability to collect other metrics.
The CIAM market continues to grow in terms of numbers of vendors, numbers of organizations deploying CIAM, and the numbers for consumer engagement. The trend toward digitalization of consumer experiences was well underway in the late 2010s, and the Covid pandemic forced more businesses and other organizations to expedite digital transformation. With every iteration of this report, we observe significant acquisitions of CIAM specialists by others in the market, and entry into the market of new vendors. These trends will continue for the foreseeable future.
All kinds of organizations buy CIAM solutions, from small-to-medium-sized businesses to large enterprises and government agencies. Any organization that needs to interface digitally with consumers, customers, or citizens, whether for-profit or non-profit, can benefit from CIAM. Some solution providers are themselves global businesses, while others are regional specialists. Organizations across almost all industries can improve their customer experiences and security with well-implemented CIAM platforms. Moreover, CIAM is useful to the deploying organizations regardless of their longevity, from startups to long-established institutions.
To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.
1.1 Key Findings
- Innovation in CIAM requires adherence to industry standards and capabilities to interoperate and integrate with many different and discrete service functions.
- Some of the leading services embrace the Identity Fabrics architecture and deliver IAM and CIAM as flexible microservices.
- CIAM solutions are increasingly catering to B2B customer use cases as well as consumer and citizen use cases. Services that include these features are considered innovative.
- Identity verification (IDV) capabilities, primarily through integration with service providers, are becoming more common across the CIAM market, with 65% of solutions offering IDV connectors.
- Fraud prevention functions and/or connectors to Fraud Reduction Intelligence Platforms (FRIP) are becoming more common due to customer demand and the expanding threat landscape.
- Decentralized Identities (DIDs) are not widely supported by CIAM solutions due to very low demand. Services that include these features are considered innovative.
- Customers increasingly need Identity Governance and Administration (IGA) and identity lifecycle management capabilities within their CIAM systems. Services that include these features are considered innovative.
- Some CIAM solutions are innovating by providing connectors to third-party solutions for Customer Data Platforms (CDPs), payment services, AI chatbot interfaces, and Consent and Privacy Management (CPM) systems. Services that include these features are considered innovative.
- FIDO has gained acceptance, and the use of passkeys is growing, due to their security and convenience.
- Consent and privacy management features are a must, and more advanced solutions provide Data Subject Access Request (DSAR) portals and family management, support Kantara Consent Receipt, and offer integration with third-party Consent and Privacy Management (CPM) solutions.