How to support an effective Digital Identity Lifecycle?

Author: Thomas Bröker

Posted on October 18, 2018

In order to provide fully secure identities and access, a CIAM system needs to support a number of key functions related to the digital identity lifecycle. But what exactly is this lifecycle, and what does each of the stages entail? We’ll take an in-depth look at the features that must be supported at every stage.

What is the Digital Identity Lifecycle?

The digital identity lifecycle represents each technical stage of your relationship with online customers or other users.


Onboarding/registration

To bring your customers online, you need to help them create a digital identity. This must be a flexible process, since modern customers expect a smooth, obstacle-free experience. You can onboard customers in a variety of ways, depending on the level of information you need about the person’s identity. For ease of use, you could allow users to register using existing external identities such as Facebook, a passport verification service, or an industry identification system like the Dutch iDIN (banking). Or you could keep it simple and just have the user create a username and password. The CIAM platform you choose must also be able to link the new account with existing systems like your CRM.

Identity management

Users must be able to self-service their identities as much as possible. That way, they don’t have to call or send a letter to your helpdesk, reducing frustration on their end and workload on yours. Your CIAM platform needs to support this. Moreover, you may need different identification levels depending on the actions the customer wants to take. If a user is only requesting information, a Facebook login may be sufficient, but as soon as money or personal details get involved you may want some more official identification. A good CIAM system will allow you to create an automatic flow with different identification assurance levels. Based on the required identification level, it should trigger an additional identification process – this is called smart security. In addition, you need to be able to manage customer identities centrally (user management application) and link accounts to or disconnect them from external IDs (e.g. Facebook).

Authentication/login

Authentication is a key aspect of the customer experience. It must be as easy as possible for the customer to log in, across different channels if need be, and using any device the customer wants. As a result, your CIAM platform must be incredibly flexible and support a range of different forms of authentication; from username and password to mobile apps and external identity providers. You may want to include step-up authentication for added security in certain areas of the account or to double-check identity. You could use the same type of authentication (step-up) or another one (multi-factor). This should be easy to configure in your CIAM. Finally, if your business has different customer portals or applications, a single sign-on is the best way to provide a frictionless user experience. That way, people only need to log in once and can then switch freely between different portals.
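The assurance-level flow described in the identity management and authentication sections (each action requires a minimum identification level; the session's current level decides between allowing the action, triggering step-up, or denying) as an added Python example. It is not Onegini's code or part of the original post; the level names, the action policy and the step-up method names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class AssuranceLevel(IntEnum):
    # Ordered so that ">=" means "at least this strong". Names are assumed.
    SOCIAL = 1     # external social login (e.g. Facebook): asserted, not verified
    PASSWORD = 2   # the user's own username/password credential
    MFA = 3        # password plus a second factor such as a mobile app
    VERIFIED = 4   # externally verified identity (passport check, iDIN-style)

# Minimum assurance level per action. Constructed policy for illustration.
ACTION_POLICY = {
    "view_information": AssuranceLevel.SOCIAL,
    "update_profile": AssuranceLevel.PASSWORD,
    "change_bank_account": AssuranceLevel.MFA,
    "sign_contract": AssuranceLevel.VERIFIED,
}

# Step-up method that raises a session to a given level (assumption).
STEP_UP_METHOD = {
    AssuranceLevel.PASSWORD: "password",
    AssuranceLevel.MFA: "mobile_app_push",
    AssuranceLevel.VERIFIED: "external_id_verification",
}

@dataclass(frozen=True)
class Decision:
    outcome: str                        # "allow", "step_up" or "deny"
    required: Optional[AssuranceLevel]  # None when the action is unknown
    method: Optional[str] = None        # step-up method to trigger, if any

def authorize_action(session_level: AssuranceLevel, action: str) -> Decision:
    """Allow if the session already meets the action's level, otherwise
    trigger step-up; unknown actions are denied (fail closed)."""
    required = ACTION_POLICY.get(action)
    if required is None:
        return Decision("deny", None)
    if session_level >= required:
        return Decision("allow", required)
    return Decision("step_up", required, STEP_UP_METHOD[required])

def complete_step_up(session_level: AssuranceLevel, method: str,
                     success: bool) -> AssuranceLevel:
    """New session level after a step-up attempt: raised only on success,
    and never lowered by a failed or unknown method."""
    if success:
        for level, name in STEP_UP_METHOD.items():
            if name == method:
                return max(session_level, level)
    return session_level
```

A session that logged in with a social identity can read information immediately but is sent through a mobile-app step-up before it may change bank details, which is the "smart security" behaviour the post describes.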

Authorization

With so many different systems being integrated, your CIAM platform must differentiate who can access which system based on the authorization rules you have set up. The feature to look out for is coarse-grained authorization: authorizing access based on roles and groups that can be assigned to users. Moreover, in a larger enterprise you may want to delegate this responsibility: let your managers or branch offices decide who gets access to which system through delegated user management.

Access

If the coarse-grained authorization rules say a user may access a particular service, the CIAM solution should securely manage that access, and access to APIs, while continuously checking that the user is still allowed to be there. A Secure Reverse Proxy sits between the application and the API and checks that the user’s access and session are still valid. Finally, you can choose to add payload encryption on top of the standard security. This helps mitigate the risk of your data being exposed through the use of public Wi-Fi networks, for example.

Deregistration

As a business, of course you hope it will never come to this point: the relationship is ending. No matter the reason, European legislation (GDPR) dictates that all users who want to deregister have the right to be forgotten. This means you need to be able to remove the digital identity at the user’s request, only keeping information that you are lawfully obliged to, and storing this securely. Your CIAM system must support these processes.

Overview

In short, your CIAM system must support the following functionalities:

Lifecycle stage / Features

Onboarding: how do you bring the person online?
- Flexible onboarding
- External identity registration
- Creating the digital identity
- Providing ID to external systems like CRM

Identity management: how sure are you that this person is really the person he says he is?
- Identity self-service
- Identity assurance level
- Smart security
- User management application
- Coupling and decoupling external ID providers

Authentication/login: how sure are you that this is the same person as before?
- Multi-factor authentication
- Step-up authentication for additional security layers
- SSO to enterprise services

Authorization: what is this person allowed to see/do?
- Coarse-grained authorization
- Extended delegated authorization with delegated user management

Access: how is the content accessed from a technical perspective?
- Access to enterprise services based on identity
- Access to APIs managed by Secure Reverse Proxy
- Payload encryption (double encryption for public Wi-Fi networks)

Deregistration: what happens to the information in the digital identity when the customer wants to leave?
- Forget me (GDPR)
- Digital ID removal

Want to find out what all these functions can do for your business? Have a look at our dedicated blog “How can CIAM help your business”!

Onegini is here to help

Onegini offers its very own comprehensive CIAM solution Onegini Connect. But that is not all. We will go above and beyond to help you ensure you have the right support in place for your customers’ digital identity lifecycle, from onboarding to deregistration. Interested? We’d be happy to tell you about your options. Get in touch with us today for a no-strings consultation. 
