

May 05, 2020

Common Developer Errors to Avoid in a CIAM Strategy

The C in CIAM stands for the customer; this means that a business that wants to attract and retain customers should ensure that customer needs are met first. This post discusses some common mistakes we, as developers, should steer clear of when designing a CIAM solution.

In the post-pandemic world, amid ever-increasing competition to retain and attract more consumers, organizations will not only have to speed up digital transformation efforts but also ensure that a customer's digital interactions are smooth and hassle-free. CIAM plays a major part in cracking this puzzle, which makes getting your strategy right all the more important before hitting the ground running with developing a CIAM solution.

Viewing CIAM through the prism of workforce IAM

The most common mistake is failing to recognize the significant differences between workforce IAM and CIAM. Although the two are technologically similar, the use cases set them poles apart. Workforce IAM is aimed at employees whereas CIAM targets customers of a business. While you are unlikely to hear of an employee quitting their job because they did not like the user experience provided by their workforce IAM, a poor user experience can and does turn away prospective customers. Remember, there is no dearth of competition in the market. 

Making it easy for customers to onboard onto a platform, providing an intuitive user interface that allows ease of access, and giving them as much control over their data as possible become imperative in CIAM. In workforce IAM, user onboarding is typically performed by the employer. In CIAM, however, customers often have to register themselves. According to Blue Research, 86% of surveyed individuals stated they avoid websites that require filling out registration forms to create new accounts. Moreover, 88% of them admitted to entering incorrect information or leaving forms incomplete when confronted with a registration form.

A sound CIAM solution should ensure that creating a new account is hassle-free. Here is where social login comes into the equation. According to a study conducted by Gigya, 56% of the users used social logins to avoid filling out registration forms. A further 43% of them used social login to avoid remembering additional login credentials. This indicates that incorporating social logins into your CIAM strategy can help you drastically change your customers’ onboarding experience. 

Facebook, Twitter, Microsoft, and Apple are some of the services that provide social logins for other websites. Nonetheless, some users are skeptical of connecting their social media profiles with business websites. This is why a CIAM solution should provide both registration forms and social logins. Instead of collecting all the information about a customer using a single form, a better strategy would be to onboard the user by collecting only the bare minimum of information and collect the rest progressively once the user starts using the company’s services.

Another problem of not recognizing the differences between CIAM and workforce IAM is the failure to offer a personalized experience. In workforce IAM, a business has a virtual monopoly over its users (i.e., employees) and retention does not rely upon providing a personalized experience. In contrast, to make a customer keep coming back, it is essential to provide enhanced digital experiences. A personalized experience can help customers feel they are being valued and CIAM can be leveraged to offer such services. According to Blue Research, 66% of surveyed users stated they had received offers that clearly showed companies had no idea about them, and over 50% received offers with the incorrect gender, name, or age.

As an example, according to this study by Kantar Worldpanel ComTech, while men are more likely to buy smartwatches, women are more likely to buy smart bands. So, sending an offer for a smartwatch targeting female consumers is less likely to benefit a business. CIAM can help collect accurate information about customers and, therefore, help businesses create a more personal experience for customers.

Obsessing over authentication security

Too much emphasis on authentication security can also be an instant turn-off for customers. A customer deserves to be treated as a customer and not as a potential fraudster. As per IBM Trusteer's research, less than 0.1 percent of users are suspects. Should we then sacrifice enhanced customer experiences to prevent a low-probability event?

Convenience does not need to come at the expense of security. Passwordless logins offer both security and convenience. Users often use the same password across multiple sites, so a breach of just one of those sites allows attackers to gain access to multiple accounts belonging to that user. A study by Ponemon found that around 51% of its respondents reuse an average of five passwords across their business and personal accounts, and 69% of the respondents admitted to sharing their passwords with colleagues for account access. Users choose weak passwords so that they can easily remember them, or write passwords down to avoid forgetting them—both of which are security vulnerabilities. A password-based authentication system also runs the risk of having its credential store breached. Passwordless authentication eliminates all of these concerns.

An experiment done by Blink and Trusona found that participants using passwordless multi-factor authentication were 31% more likely to be satisfied with their login experience than those using passwords. A study by Blue Research also shows that 90% of users left a website when they forgot their login credentials instead of spending time resetting passwords. In contrast, passwordless logins yielded a success rate of 99% according to Blink and Trusona. For more details, refer to these resources on passwordless authentication and adaptive authentication.
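To make the security argument above concrete, here is an added example (not code from the original post or from WSO2) of a minimal magic-link login service in Python. It shows the properties the passage relies on: the server stores no password, the credential it emails out is a random, short-lived, single-use token, and the server keeps only a hash of that token, so a copy of its store yields nothing an attacker can replay. The link domain, the ten-minute lifetime and the in-memory store are assumptions made for the demo.

```python
"""Magic-link (passwordless) login demo, constructed for this post.

The server never stores a password. It issues a random, single-use,
short-lived token, keeps only a SHA-256 fingerprint of it, and emails
the raw token to the user as a link. Nothing in the server's store can
be used to log in, and there is no password for the user to reuse.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumption: a link is valid for ten minutes


class MagicLinkService:
    def __init__(self, ttl_seconds=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry is testable
        self._pending = {}       # sha256(token) -> (email, expires_at)

    @staticmethod
    def _fingerprint(token):
        # Only the fingerprint is persisted; the raw token exists solely
        # in the link sent to the user.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a one-time login token and return the link to email out."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + self._ttl
        self._pending[self._fingerprint(token)] = (email.lower(), expires_at)
        # Placeholder host; a real deployment points at its own login endpoint.
        return f"https://login.example.invalid/magic?token={token}"

    def redeem(self, token):
        """Return the verified email address, or None if the token is
        unknown, already used, or expired. A token works at most once:
        it is removed from the store on the first redeem attempt."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def token_from_link(link):
    """Extract the raw token from a link produced by issue()."""
    return link.rsplit("token=", 1)[1]


def demo():
    """Walk through issue, redeem, replay and expiry with a fake clock."""
    clock = {"t": 1_000_000.0}
    svc = MagicLinkService(ttl_seconds=600, now=lambda: clock["t"])

    link = svc.issue("Alice@Example.com")
    token = token_from_link(link)
    first = svc.redeem(token)    # verified address, lower-cased
    second = svc.redeem(token)   # None: the link is single use

    link2 = svc.issue("bob@example.com")
    clock["t"] += 601            # advance past the TTL
    expired = svc.redeem(token_from_link(link2))  # None: link expired
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

The email inbox is the authentication factor here, so in a deployment the issue endpoint should be rate limited per address and the link sent over a channel the user already controls; what the example demonstrates is that neither a password nor anything equivalent to one ever has to be stored or remembered.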

Taking customers' intelligence for granted

It is easy to think that customers can easily be tricked into sharing their personal information and that the majority of them actually don’t care about what information a site collects about them and how this data is used. However, studies show otherwise. 

A Ponemon report states that 63% of its respondents have become more concerned about the privacy and security of their data over the past two years. According to Gigya, 50% of surveyed users were highly concerned about data privacy, while 46% of them were somewhat concerned. Deloitte found that users have increasingly declined to fill out feedback surveys; 52% of the users cited privacy as the chief concern for declining in 2016. The same study also found that 25% of users took cautionary actions after learning of a breach, and 9% of them took punitive actions owing to privacy concerns. All of this shows that data privacy is pivotal in a CIAM strategy.

Taking customers’ intelligence for granted can be harmful and a good CIAM solution should enable them to be in complete control of their data. Customers are increasingly becoming less forgiving, and not taking adequate measures to protect consumer data can have a disastrous impact on a business. A CIAM strategy should include functionality for users to see what data is collected, delete data if required, and know how their data is used; the solution should also ensure adequate measures are taken to protect customer data from breaches. 

Not understanding the customer base

A CIAM strategy should take its user base into consideration. Not doing so can lead to a system that would at best be irrelevant to its customers, or at worst be completely unusable. An example would be using biometric authentication as the primary mode of authentication in a market where smartphones with biometric sensors are uncommon. Similarly, for businesses operating in countries where certain social media platforms are banned, offering social logins could be pointless.

Age is another factor that should be taken into consideration. According to Pew Research Center, less than half of Americans above the age of 65 use at least one social media site, and social logins might be irrelevant to such users. Research by Blink and Trusona shows that people over the age of 55 are 10% more likely to adopt passwordless authentication. If targeted customers are in this age group, then, passwordless authentication is almost a must. A CIAM strategy should understand the customer base the company is trying to serve and adopt technologies and user experiences that would be relevant to them.

Poor scalability

A workforce IAM would, on average, be used by a few hundred people. In contrast, CIAM may involve millions of users. This is a technological challenge unique to CIAM: the system should be scalable enough to cater to a large number of users, and should ensure that performance and speed do not degrade even when a large number of concurrent users are on the system at the same time.

Failing to provide an omnichannel experience

Today, customers access online businesses through multiple devices, such as laptops, tablets, and mobile phones. The CIAM solution should provide access across all these devices, and the user interface should be responsive enough to provide the best experience on each of them. For example, a primarily desktop-based CIAM interface would be unfit for use on a mobile device and might lead to a business losing out on customers who primarily engage on smartphones. Failing to provide an omnichannel experience can therefore be damaging for a business.


As developers, often we focus too much on technologies that underlie IAM and overlook the ultimate purpose of the product we engineer—to make the end user's life easier. Even though this may not have a significant impact on a traditional workforce IAM solution, not providing enhanced, hassle-free digital experiences can be highly detrimental for businesses. Key areas such as scalability, the ability to comply with data privacy regulations, and transparency with regards to user data should be considered carefully to devise a sound CIAM strategy.