The hottest Substack posts of ciamweekly

And their main takeaways
2 HN points 05 Mar 24
  1. Credentials in a CIAM system help identify users through login info, passwords, public keys, MFA, etc.
  2. User Provided Profile Data includes details users share, ranging from basic to complex attributes, gathered during registration or progressively.
  3. Consents in a CIAM system capture user permissions for marketing or legal purposes, different from other profile data as they can be explicitly granted or revoked.
2 HN points 26 Feb 24
  1. Data modeling involves the choice between normalizing data and using denormalized data, each with its own strengths and tradeoffs.
  2. Normalized data leads to less data duplication and easier data updates, but may result in challenges with historical data and performance.
  3. CIAM systems, along with IAM and directory systems, normalize user data to centralize customer information, providing benefits like easy querying and centralized authentication, but also introducing challenges like session handling and updating data across systems.
14 HN points 21 Aug 23
  1. CIAM servers offer convenience by centralizing user logins for multiple applications.
  2. Even with just one application, using a CIAM system can simplify implementing advanced login features.
  3. Outsourcing authentication to a CIAM system makes it easier to maintain features like social login and magic links.
1 HN point 11 Mar 24
  1. B2C, B2B, and B2B2E applications require different approaches to customer identity and access management (CIAM) systems.
  2. B2C applications aim at end consumers, requiring smooth registration and authentication processes due to user choice.
  3. B2B and B2B2E applications cater to business and employee users, with focus on organization structures, payment collection, and different authentication needs.
2 HN points 16 Jan 24
  1. User data migration in CIAM involves moving users from a legacy system to a new one.
  2. Options for user data migration include bulk, drip, and hybrid approaches.
  3. Reasons for migrating user data include cost, functionality, system end of life, and offloading effort.
1 HN point 29 Jan 24
  1. CIAM systems help customers authenticate, while IAM systems help employees.
  2. CIAM systems typically have more users than employees.
  3. Key workflows for a CIAM system include authentication, account association, self-service registration, password management, and multi-factor authentication.
2 HN points 04 Dec 23
  1. Trust in a community of customers can easily be lost without clear detection.
  2. For CIAM, ensuring consistent and accessible authentication processes is crucial for maintaining trust.
  3. Respecting user consents and avoiding unauthorized password resets are key in preventing trust erosion in CIAM.
1 HN point 22 Jan 24
  1. WebAuthn (passkeys) is a standard for easier web authentication, replacing traditional methods like passwords.
  2. Different authentication methods like federated logins or magic links have their own weaknesses, such as shared points of failure and trust issues with remote servers.
  3. WebAuthn improves security using public/private key cryptography, but comes with challenges like handling private keys securely and potential account recovery issues.
2 HN points 13 Nov 23
  1. Magic links are a convenient form of user authentication for CIAM systems.
  2. Consider where users receive messages and the deliverability of codes or links.
  3. Security concerns with magic links include the risk of attacks and the need for additional layers of authentication.
2 HN points 06 Nov 23
  1. CIAM encompasses various protocols beyond OIDC and SAML, such as NTLM, Kerberos, LDAP, and session-based solutions.
  2. Different client applications may require different authentication protocols, highlighting the need for flexibility in CIAM solutions.
  3. Continuous evolution and adaptation of authentication technologies are crucial to address new threats and meet changing security needs.
1 HN point 02 Jan 24
  1. CIAM federation allows users to sign in with credentials from another provider like Google or GitHub.
  2. Account linking in federation is crucial to prevent multiple accounts for the same user.
  3. Benefits of federation include centralized access control and a smoother sign-up process, but tradeoffs include potential data limitations and dependence on big providers.
3 HN points 07 Aug 23
  1. Be cautious about who you trust, especially when it comes to user identity verification.
  2. Understand how identity providers verify user identity when offering single sign-on for consumer scenarios.
  3. Mitigate federation risk by carefully choosing who you trust, segmenting users and identity sources, and avoiding matching accounts on mutable attributes.
2 HN points 02 Oct 23
  1. Hashes are crucial for securing our online identity, from passwords to token signatures.
  2. Using hashes for storing secrets prevents access to plaintext values in the database.
  3. Cryptographic hash functions have been used for password encryption since the 1960s and remain essential in authentication systems.
1 HN point 11 Dec 23
  1. The podcast episode discusses the origin story of FusionAuth.
  2. The episode covers how FusionAuth's customers addressed authentication issues before using FusionAuth.
  3. Brian Pontarelli shares insights on passwordless adoption challenges and his predictions for CIAM industry growth.
2 HN points 18 Sep 23
  1. Authentication is not just about signing in, but also about signing out and ending sessions.
  2. Proper sign-out processes are essential for security, especially when dealing with multiple applications or identity sources.
  3. The importance of sign-out varies based on the type of CIAM system you are using, whether standalone or integrating with other identity sources.
2 HN points 11 Sep 23
  1. Step-up authentication requires users to provide additional proof of identity for certain actions.
  2. Step-up authentication is crucial for high-risk activities like money transfers or modifying sensitive information.
  3. The RFC outlines how resource servers can request elevated access conditions for step up authentication.
2 HN points 17 Jul 23
  1. Using multi-factor authentication (MFA) can help secure user accounts by requiring an additional proof of identity.
  2. Phishing occurs when attackers create fake sites to steal user credentials, which can be problematic with MFA.
  3. Leveraging DNS in authentication processes can provide an additional unphishable factor in account security.
1 HN point 09 Oct 23
  1. WebAuthn technology allows for user authentication using public/private key cryptography.
  2. Passkeys, or WebAuthn, are becoming more widely supported by various services.
  3. Federated logins and passkeys serve different authentication needs based on user device ownership.
1 HN point 03 Jul 23
  1. CRM and CIAM systems both focus on people interacting with an organization and provide profile information.
  2. A critical difference is that CRM records customer actions but customers do not interact with it directly, while CIAM systems face the user directly.
  3. CIAM systems focus on profile management tasks like changing passwords or updating profiles, while CRM systems focus on the customer relationship.
0 implied HN points 26 Jun 23
  1. BOLA (Broken object level authorization) is a major vulnerability in APIs.
  2. Understanding BOLA is crucial as our world becomes more API-dependent.
  3. The article provides unique perspectives on BOLA from the manager, developer, and attacker viewpoints.
0 implied HN points 20 Nov 23
  1. IDPRO is an organization for identity professionals with a certification program and a Book of Knowledge.
  2. CIAM focuses on delivering personalized experiences and engagement for customers, rather than just access management for employees.
  3. The main difference between CIAM and IAM lies in the relationship between the organization and the user, with CIAM being customer-centric.
0 implied HN points 08 Jan 24
  1. Users can be added directly to a system by either letting them register themselves or by manual/admin addition.
  2. Consider the options for credential management when adding users, such as using passwords or passwordless options.
  3. Automating offboarding of users can help to efficiently remove access when needed, especially when using systems like SCIM.
0 implied HN points 12 Feb 24
  1. Implement email verification in CIAM systems to connect new accounts to valid email owners, reducing account takeovers and bot attacks.
  2. When changing login identifiers in CIAM systems, re-verification is crucial to prevent unauthorized access and alert users of potential attacks.
  3. Account recovery in CIAM systems should not be sent to unverified accounts and should implement additional security measures like session invalidation and multi-factor authentication.
0 implied HN points 19 Jun 23
  1. User models in CIAM systems can be amorphous and lack accountability.
  2. User models often do not consider real-life complexity like different profiles and related accounts.
  3. Developing compassion for users is essential in building a successful business.
0 implied HN points 18 Mar 24
  1. Passwords are still widely used due to being supported by many applications, being cost-effective, and familiar to users.
  2. Hashing passwords adds a crucial layer of security by making it harder for attackers to retrieve passwords in the event of a breach.
  3. When it comes to password hashing algorithms, it's important to stay updated on recommendations, such as NIST guidelines, and to choose wisely based on current security best practices.
0 implied HN points 05 Feb 24
  1. Restaurants are exploring surge pricing to adjust prices based on variable factors.
  2. Implementing surge pricing for online orders requires knowing user identities over time.
  3. CIAM systems play a crucial role in enabling surge pricing strategies for restaurants.
0 implied HN points 27 Nov 23
  1. Identity providers are important for customer identity and access management.
  2. Countries or regions may have their own identity providers.
  3. Consider factors like geographic domain, business use case, and integration effort when deciding to support niche identity providers.
0 implied HN points 30 Oct 23
  1. Time-based one-time passwords (TOTP) are a common additional factor for IAM and CIAM systems.
  2. TOTP works by combining a secret with the current Unix time to generate a number.
  3. Rate limiting TOTP submissions can significantly increase security against brute force attacks.
0 implied HN points 17 Oct 23
  1. Verifying emails is crucial for security in a CIAM system.
  2. Unverified emails can lead to unauthorized access by attackers.
  3. Using stable identifiers instead of emails is recommended for downstream user data lookup.
0 implied HN points 04 Sep 23
  1. Multi-region architecture helps with resilience and performance by directing users to different regions during natural disasters and routing them to the closest server for better performance.
  2. True multi-region active-active setups allow users to log in and interact with the application seamlessly, regardless of their location.
  3. CIAM systems face challenges in multi-region deployments, particularly in scaling data storage across regions, with only a few database options available.
0 implied HN points 14 Aug 23
  1. Okta's acquisition of Auth0 focused on owning the CIAM market.
  2. Auth0 experienced significant ACV growth of 63% after the acquisition.
  3. There are challenges for Okta's sales team in explaining and leveraging the differences between Okta and Auth0's offerings.
0 implied HN points 31 Jul 23
  1. The video is a 45-minute overview of single logout, the reverse of single sign-on.
  2. Upcoming changes to standard implementations are discussed.
  3. It highlights the complexities of logging out of multiple platforms.
0 implied HN points 05 Jun 23
  1. Choose an authentication solution that supports all login options needed by your users.
  2. Beware of extra charges for SSO integration and user management when selecting a vendor.
  3. Ensure the reliability of the authentication system to prevent software inaccessibility during downtime.
0 implied HN points 22 May 23
  1. Browser cookie handling changes will impact federated identity in web applications.
  2. Federated identity involves one app delegating authentication to another app.
  3. Heather Flanagan is leading the effort to address upcoming changes in the Federated Identity community group.
0 implied HN points 08 May 23
  1. Software obsolescence is a significant concern as software becomes more integrated with connected hardware.
  2. When considering building or buying CIAM solutions, don't forget to factor in obsolescence.
  3. Securing user identity in CIAM is essential, and addressing software obsolescence is a crucial part of this.
0 implied HN points 03 Jul 21
  1. The post discusses Customer Identity and Access Management (CIAM) news and analysis.
  2. Dan Moore is the head of developer relations for FusionAuth and has over 20 years of experience in software development.
  3. Readers are encouraged to sign up for CIAM Weekly to receive the first issue and to share it with friends.
0 implied HN points 23 Oct 23
  1. The first option is to roll your own data store for user models, but it requires maintenance, security, and updates.
  2. The second option is to use a library or framework for user models, offering benefits like community support and battle-tested software.
  3. The third option is to use a standalone identity server for user data storage, providing normalized user data across applications.
0 implied HN points 26 Dec 23
  1. Self-service registration is a great way to offer users additional functionality or personalized content.
  2. When designing registration forms, consider what information you need, such as login identifiers, passwords, demographic details, and payment data.
  3. Complexities of self-service registration include account validation, progressive data collection, account recovery, profile updates, and defense against account enumeration.