Introduction
Retailers have rapidly responded to the shift in consumer preferences for online and hybrid shopping with digital transformation initiatives that aim to create smooth and secure omnichannel experiences. But maintaining security while offering a low-friction shopping experience is a challenge most retailers must overcome to entice customers to buy while preventing costly fraudulent activity. Thankfully, retailers don't have to pit security against shopping convenience: it is possible to have both.
As digital trends continue to redefine business and societal interactions, the importance of robust customer identity and access management (CIAM) cannot be overstated. CIAM serves as the gateway to secure, convenient, and personalized customer experiences, enabling your organization to thrive in a hyper-competitive environment. It's not just about managing identities; it's about delivering trust, enhancing customer loyalty, and driving business growth in a secure manner.
This guide is designed to help your organization navigate the complexities of selecting and implementing a CIAM solution. By understanding the critical elements of CIAM, your team can make informed decisions that align with their strategic objectives and digital transformation goals.
of consumers have stopped using an account or online service due to login frustrations.
– 2024 Ping Identity Consumer Survey
The Critical Role of Modern CIAM
As your teams strive to deliver exceptional shopping experiences, they are often hindered by legacy identity solutions and homegrown systems that have become too costly and can no longer keep up. These outdated systems are ill-equipped to meet the demands of today's digital consumers who expect convenience, security, and personalization at every touchpoint.
Both homegrown and traditional IAM systems were designed for internal employee management, not for the complexities of customer interactions. They often fail to provide the scalability, flexibility, and security needed to manage customer identities effectively. Moreover, disparate and legacy systems can create significant security vulnerabilities, increase operational costs, and lead to fragmented customer experiences across channels.
In contrast, modern CIAM solutions are purpose-built to address these challenges. They enable retailers to unify identity management across all digital channels, providing a single view of the customer and laying the foundation for successful personalization. By integrating advanced security measures such as risk-based authentication and fraud prevention, CIAM solutions ensure that businesses can protect their customers without compromising user experience.
The way forward is clear: to stay competitive and secure, retailers must adopt a CIAM approach that is flexible, scalable, and capable of delivering personalized experiences. CIAM not only helps in safeguarding against threats but also plays a crucial role in building and maintaining customer trust and loyalty.
Embarking on Your CIAM Journey
Starting your CIAM journey requires a strategic approach. It begins with understanding your organization's specific needs and challenges. Are you looking to improve customer acquisition and retention? Do you need to enhance security to prevent fraud? Is your focus on providing a seamless, passwordless experience across all digital channels? Maybe it's all of the above!
Once your objectives are clear, the next step is to choose the right CIAM approach. This involves evaluating your current identity infrastructure and determining how a CIAM solution can be integrated or replace existing systems. It's crucial to consider both functional and non-functional factors such as security features and the ability to deliver personalized experiences, along with scalability and deployment options.
A successful CIAM strategy is primarily about aligning your identity management practices with your broader business goals—and then finding the technology that can deliver. Whether you are enhancing customer loyalty to drive retention and revenue growth, or ensuring compliance with regulatory requirements, your CIAM solution should be a key enabler of these objectives.
Weaving customer identity seamlessly into your online shopping experiences can give you an advantage over competitors to make a good first impression when customers start shopping and keep them coming back with personalization to earn loyalty and grow customer lifetime value.
Getting Started with the Basics
The first step in the process is to start with some high-level questions to streamline the list of vendors to which you'll apply the more elaborate evaluation criteria in the next section. Evaluate these higher-level questions to get started.
Of course, you also need to evaluate vendors' capabilities to meet your specific objectives and requirements. To help you do that, we've provided an overview of CIAM capabilities, evaluation criteria, and details about why each is important.
The criteria are organized such that they continue the alignment between common business initiatives and customer identity capabilities, while adding other important criteria considerations, such as compliance, implementation, and operations. In establishing your evaluation criteria through this lens, you'll be able to prioritize the capabilities that will make the greatest impact on your organization's specific objectives.
Key Strategic Initiatives in Retail
A CIAM solution built for retail success will help organizations meet top business priorities.
Improve Customer Acquisition
Increase the number of new customers as well as the number of customers who register for accounts, allowing for more effective marketing and personalization. If applicable, create a smooth and secure guest shopping experience that minimizes cart abandonment while still encouraging account creation after the purchase.
Increase Customer Loyalty & Lifetime Value
Improve the likelihood that customers will return repeatedly to shop with you and cultivate loyalty over time to grow revenue.
Decrease Ecommerce Fraud
Stop fraudsters from committing crimes across your digital shopping channels while still maintaining smooth, low-friction experiences for legitimate shoppers.
Maintain Regulatory Compliance
Comply with data privacy regulations across every region while cultivating customer trust.
Evaluation Deep Dive: The Comprehensive Criteria
Customer Acquisition
The criteria in this section focus on converting new customers and the key factors that can make all the difference between an unknown prospect creating a new account with you, or abandoning the process in frustration and moving on to one of your competitors.
Social registration allows users to register and authenticate quickly and easily using their existing information from a social networking service, such as Google or Facebook. This capability can increase customer conversions as users can enter little—or even no—information in order to complete a registration, as the data is leveraged from the customer's social account. Additional data can be collected later (see progressive profiling below).
This capability simplifies registration and lowers abandonment.
To provide secure, effortless user journeys, a CIAM solution should provide organizations with no-code/low-code identity orchestration capabilities. With a drag-and-drop workflow interface, the capability allows administrators to easily assemble and adjust workflow for steps such as registration, authentication, authorization, and more. This capability means users will receive highly tailored and personalized user experiences across channels and brands.
This capability accelerates digital agility and reduces costs.
No-code/low-code identity orchestration also gives administrators the ability to build authentication workflows that easily configure, measure, and adjust user login journeys using a wide array of contextual signals. Administrators can also quickly consume out-of-the-box authenticators, utilize existing authenticators, and integrate with cyber security solutions.
This capability strengthens security.
No matter how convenient you make MFA, it still adds friction. Intelligent policies that allow you to step MFA requirements up or down depending on risk introduce friction only when the request warrants it.
This capability strengthens security and enhances customer experience.
You need to give your customers convenient options that make it easy for them to use MFA so everyone can reap the security benefits. Vendors should support methods like SMS and email OTPs, soft tokens, FIDO, and more.
This capability strengthens security and enhances customer experience.
Your customers expect to have access to all of your applications without having to remember unique credentials for each one. Give them what they want by providing a consistent and convenient login experience with federated SSO.
This capability strengthens security and enhances customer experience.
FIDO allows customers to leverage credentials stored on a trusted device. It's a very convenient and secure standard that's growing in use and can ultimately replace passwords entirely.
This capability strengthens security and enhances customer experience.
Most customers will forget their passwords at some point. Provide a secure and simple account recovery process by using password reset best practices and centralized password policies.
This capability strengthens security and enhances customer experience.
Being forced to create an account is one of the top causes of cart abandonment. Secure guest checkout that flows seamlessly into one-click account creation after the customer has already completed their purchase can significantly improve both abandonment and customer acquisition.
This capability decreases prospect abandonment.
Revenue and Loyalty
The following criteria relate to things a CIAM solution can provide that help reduce customer churn and increase customer loyalty by providing easy sign on methods, personalized experiences and intuitive self-service options.
To provide secure, effortless user journeys, a CIAM solution should provide organizations with no-code/low-code identity orchestration capabilities. With a drag-and-drop workflow interface, the capability allows administrators to easily assemble and adjust workflow for steps for all access journeys. This capability means users will receive highly tailored and personalized user experiences across channels and brands.
This capability accelerates digital agility and reduces costs.
To continuously improve and secure the customer journey, data-driven insights are essential. As part of identity orchestration, user login analytics provide metrics and timers to analyze end-user interactions and their devices across all channels and business lines. These platforms should empower administrators to optimize the customer journey by using contextual and behavioral analytics to examine factors like devices and browsers used, login locations, and the duration of login processes across the user base.
This capability strengthens security, and customer experience, and reduces costs.
Real-time bidirectional data synchronization lets you consolidate disparate identity silos to create a unified profile. It also reduces mitigation risks and prevents downtime.
This capability strengthens customer experience and drives revenue.
Most enterprise organizations create a hierarchy of departments or lines of business (LOB) to fit their needs around how they structure their business. These hierarchies inform how they then delegate administration as well as access rights to users within those organizations. The hierarchical, multi-brand, and complex organization design feature gives enterprises the flexibility to set up unique identity and access management configurations, like password policies and access permissions, for different audiences.
This capability strengthens security, and customer experience, and reduces costs.
To create secure, personalized, omnichannel experiences, CIAM providers must allow organizations to aggregate relational data between people and their IoT things to create a highly comprehensive, single view of the customer. This is achieved by establishing a common customer data model, connecting a broad range of data sources, implementing simple synchronization and reconciliation logic, and allowing access to customer data in an appropriate format.
This capability strengthens customer experience and drives revenue.
A single view of a customer (an identity) organization-wide improves security, customer service, marketing initiatives, and more. For CIAM platforms to support a unified view of identities, they must have the ability to integrate with other systems and consolidate multiple customer data silos to create a single view of an identity organization-wide.
This capability strengthens customer experience and drives revenue.
Boost security for your customers by turning your mobile app into a second factor using secure push notifications. They're more convenient and secure than many other forms of MFA.
This capability strengthens customer experience and drives revenue.
Every user is unique and should be treated as such. Organizations with multiple brands or channels must recognize each user and provide a personalized experience, guiding them to the appropriately branded access point. In multi-party ecosystems, organizations need to manage different business units or user groups separately within their identity hierarchy, sometimes extending certain privileges to partners to better manage their end customers (B2B2C). A robust CIAM solution should offer multi-brand UI theming, allowing organizations to create tailored user journeys that align with the appropriate brand or channel. It should also support hierarchical user tiers and delegated administration for more effective management.
This capability strengthens customer experience and drives revenue.
Organizational representatives, like call center staff, may occasionally need to "impersonate" a user to take defined action on their behalf. A secure impersonation feature allows users to grant temporary control of their account to another party for a specified period. Extending consumer digital services to third parties requires support for OAuth 2.0 token exchange.
This capability strengthens security and customer experience.
Most customers will forget their passwords at some point. Providing a secure and simple account recovery process by using password reset best practices and centralized password policies improves customer experience and reduces call center costs.
This capability strengthens security and customer experience.
By giving customers the ability to control who and when their data is shared with third parties, organizations can achieve regulatory compliance with privacy regulations (such as the GDPR) while building long-lasting customer trust and loyalty needed to maximize lifetime value.
This capability strengthens security, customer experience, and compliance.
Fraud Prevention and Security
Ecommerce fraud may end with a transaction, but it usually begins with an identity crime. Things like account takeover (ATO), new account fraud (NAF), synthetic identities, deepfakes, and the malicious bots that often help perpetrate fraud, can typically be detected and prevented by identity systems—provided they have modern security features. These features keep the fraudsters from ever seeing the "buy" button at all. The following criteria can help evaluate fraud prevention and security solutions by looking at risk detection, decisioning, and mitigation capabilities, as well as the customer experience impacts of these solutions.
Regulatory Compliance
CIAM systems and the identity data that they process are directly impacted by privacy regulations and other compliance factors, such as data residency and data sovereignty requirements. These are important considerations for any CIAM solution—especially for enterprises already doing business globally or looking at entering new regions.
Open standards are established technical norms that developers use to ensure consistent capabilities and functionality across systems. Identity security is fundamentally built on standards like OAuth2, OpenID Connect, and SAML. However, leading digital identity providers are going beyond these core standards to support emerging trends by integrating advanced protocols. For example, UMA 2.0 enables users to securely share access to personal data with third parties. Other advanced standards include OAuth 2.0 Proof-of-Possession, which ensures that the bearer of a token is its legitimate owner, and OAuth2 Device Flow, designed for client devices with limited user interfaces.
This capability strengthens security and compliance.
Security concerns, like data sharing and data sovereignty, have led many large organizations to hesitate in adopting fully cloud-based CIAM platforms. Traditional SaaS vendors often use multi-tenant architectures that combine multiple customers (tenants) into a single instance, increasing the risk that one organization's actions could affect others. To address these concerns, the ideal CIAM SaaS platform should offer full tenant isolation, ensuring that data and workloads are completely separate. This isolation not only reduces risks but also simplifies scaling and storing sensitive identity data in the cloud.
This capability strengthens security and compliance.
If your unified profile can't scale, it risks going down, leaving customers unable to sign in or access their data. Vendors should be capable of supporting hundreds of millions of stored identities and billions of attributes, even during peak usage with hundreds of thousands of concurrent users. To ensure they can meet customer needs, they should also provide references that confirm high availability and low latency during peak demand periods.
This capability strengthens performance and security.
Scale, performance, and availability are critical in a CIAM platform because if the identity platform goes down, so will the business. CIAM providers should support both 'service availability' and 'session availability'. Service availability ensures users can access a site when a server goes down. Session availability preserves and keeps a session running if a server goes down. CIAM providers should also support a variety of scale scenarios. This includes a shifting number (often in the millions) of users, devices, and things that need to be stored in a database, as well as changing frequencies and lengths of simultaneous and concurrent sessions.
This capability strengthens customer experience, performance, and security.
Data residency and data sovereignty are crucial concepts that govern where user data is stored and the legal authority that applies to it, regardless of location. Data residency typically requires that a user's data be collected, stored, and processed within their country's borders. To comply with regulations like GDPR, CIAM providers should offer flexible data residency options, enabling privacy-bound data storage and fractional replication of personal data across data centers in multiple jurisdictions. This ensures that user data can be processed in a way that is sensitive to the legal and regulatory requirements of specific regions.
This capability strengthens security, performance, and compliance.
When collecting customer consent, you must collect the data in an auditable way. Your CIAM vendor should be able to store the time the data was collected, evidence of collection (such as an IP address), and other information needed for privacy audits.
This capability strengthens compliance.
Privacy regulations like GDPR require that users have control over their personal data, including privacy, security, and usage preferences. To ensure global and regional compliance, CIAM platforms must incorporate Privacy by Design principles and consent mechanisms based on the UMA 2.0 standard. They should also integrate with other tools that help meet regulatory requirements. These mechanisms should offer users fine-grained control to manage and audit data related to themselves, their devices, and their things. Equally important is that the user interface for these privacy and control features is intuitive and user-friendly.
This capability strengthens compliance and enables customer trust.
Privacy regulations are diverse and can vary by organization, industry, geography, and more. CIAM solutions should contain centrally managed privacy policies that let you enforce customer consent and govern data sharing on an attribute-by-attribute level to every application.
This capability strengthens compliance and enables customer trust.
Federated single sign-on (SSO) allows users, like partners, to securely access multiple organizations' web properties and applications using a single account. This trusted system is based on federated relationships between organizations and enables SSO by passing authentication tokens between their identity providers. Federated SSO relies on open standards like OAuth, WS-Federation, WS-Trust, OpenID Connect, and SAML to facilitate secure authentication across different organizations.
This capability strengthens compliance.
System auditing and analytics capabilities are mission-critical functions. CIAM platforms must be able to conduct audits for system security, troubleshooting, usage analytics, and regulatory compliance. Audit logs ought to gather operational information about events occurring within a deployment to track processes and security data, including authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes.
This capability strengthens compliance.
PSD2 (and soon-to-be PSR1/PSD3), privacy, and open banking requirements continue to evolve rapidly across most parts of the world. To enable organizations to meet regulatory requirements and maximize ROI on open banking and open finance investments requires modern customer identity and access management (CIAM) solutions that include comprehensive fine-grained authorization capabilities.
This capability strengthens compliance, accelerates revenue, and reduces costs.
Financial services organizations looking to advance their open banking offerings need to ensure the external APIs that allow applications to access customers' financial accounts, data stored therein, and privacy settings are secured and compliant with industry standards. FAPI 2.0 specifications provide the basis for doing so.
This capability strengthens compliance, accelerates revenue, and reduces costs.
Open banking providers need to provide customers with a wide range of SCA options to introduce the appropriate amount of friction/security needed to protect customer data. Higher assurance of verification can also be required to complete high-value transactions.
This capability strengthens security, customer experience, and compliance.
Implementation and Operational Considerations
Implementation and operational considerations can make or break a CIAM program. Choice of deployment options, like multi-tenant cloud, private cloud, software deployment, or a hybrid combination are just the tip of the iceberg. When evaluating a CIAM solution, it's critical to evaluate things like: how you can migrate from old solutions without disrupting customers; how easy will it be for your organization's IT administrators and developers to administer and integrate applications. Even though some of the evaluation criteria in this section addresses non-functional requirements; consider them just as carefully as any other group in this document.
The API First Model is a developer-centric method of creating a solution. Within this model, a provider first creates the API and then builds the platform around it. This results in less complexity for external developers and organizations. For ease of use, scalability, and flexibility, digital identity providers should apply this API first development model to create one common REST API framework across the entire platform to provide a single, common method to invoke any identity service. The result should be a simple and secure way to extend identity to all realms, including social, mobile, cloud, and IoT.
This capability drives revenue.
While your platform must support standards, many of your customer-facing applications may not. Your vendor should be able to connect to these applications and provide simple access to any digital properties in your portfolio.
This capability accelerates agility and reduces costs.
The strongest CIAM solutions are those that work well with a wide variety of other technologies, software, and industry leaders to solve the unique goals of each organization. As such, CIAM providers must have a strong ecosystem of respected consultancy, technology, and integration partners. This ecosystem should include pre-built, tested, and always updated integrations ready to be easily utilized.
This capability accelerates agility, reduces costs, and drives revenue.
You need to deliver secure and seamless experiences for your customers. CIAM vendors should make this easier by providing tools and resources to ensure your success, including extensive API documentation, sample apps, and out-of-the-box integration kits to get you up and running quickly.
This capability accelerates agility, reduces costs, and drives revenue.
Legacy protocols like LDAP are necessary for communicating with legacy directories to create a unified profile, but modern apps prefer APIs when accessing customer data. A unified profile should provide those APIs.
This capability accelerates agility.
You should be able to choose where to deploy customer identity to meet your specific business needs. A CIAM vendor should be able to provide you with deployment options, including the simplicity of a multi-tenant SaaS solution, the configurability of a single-tenant managed solution, or the customizability of an on-premises solution.
This capability accelerates agility, reduces costs, and drives revenue.
Many organizations are prioritizing deployments in clouds that are managed for them. If yours is one of them, you need a vendor that offers IDaaS deployment options that suit your needs, whether that's multi-tenant or private-tenant IDaaS to give you the control you need over your environment.
This capability accelerates agility, reduces costs, and strengthens security.
Some organizations want to maintain full control over their identity solution by managing identity in an environment they fully control (whether that's a private cloud or self-managed). If either of these apply, be sure your vendor can support your preference.
This capability accelerates agility, reduces costs, and strengthens security.
DevOps enables software development and deployment to run in a continuous cycle, allowing organizations to roll out new capabilities faster by reducing time to production. CIAM providers should provide a DevOps-friendly architecture with the ability to leverage DevOps tools, such as automating and orchestrating push-button deployment and continuous delivery. They should also use containerized images for rapid automation, with Docker support, as well as have an intelligent architecture that separates configuration from binaries to easily leverage version control for DevOps artifacts.
This capability accelerates agility, reduces costs, and strengthens security.
CIAM platforms should include flexible consumption options that include multi-cloud and hybrid-cloud deployments. Multi-cloud environments have become popular due to their increased flexibility, availability, and scalability. These environments allow organizations to eliminate vendor lock-in and speed time-to-market while reducing complexity and saving time and money. Hybrid environments include both on-premise and cloud environments. Cloud environments support needs at scale, while on-premises environments are advised to store sensitive data for better security.
This capability accelerates agility, reduces costs, and strengthens security.
For most organizations, it usually isn't feasible to take a rip-and-replace approach when moving from a legacy system to a modern CIAM solution. When your vendor can support a phased migration approach by allowing the legacy and modern systems to co-exist, you'll greatly minimize the potential for downtime and other risks.
This capability accelerates agility, reduces costs, and strengthens security.
Disclaimer: Gartner, Predicts 2024: The Changing Role of the Identity and Access Management Leader, 1 December 2023, Michael Kelley, Rebecca Archambault, Nathan Harris, Henrique Teixeira, Oscar Isaka. GARTNER is a registered trademark and service mark, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Evaluating Vendors & Solutions
After you've defined your evaluation criteria, you'll want to organize them in a way that makes it easy to evaluate how your shortlist of vendors stack up. You can use a Google Sheet or Excel spreadsheet. We suggest first creating rows for each of your evaluation criteria. Next, add columns for each vendor you want to evaluate. Then you can rate each vendor on how well they meet your criteria using a point-based rating system like this:
- 0 = Does not meet requirement
- 1 = Very limited support for requirement
- 2 = Partially meets requirement
- 3 = Meets or exceed requirement
Where to Go From Here
Choosing a customer identity solution is an important decision. The first step is identifying your organization's critical objectives and measures of success. Then you can apply your understanding of customer identity capabilities as detailed throughout this guide to ensure you prioritize vendor solutions that meet your specific requirements.