• United States



CSO contributor

Top 7 CIAM tools

Nov 28, 202211 mins
Identity and Access Management

Customer identity and access management (CIAM) is the basis to improve management and control of third parties’ access to a business. Here are the top seven CIAM tools currently in the market.

A circuit key at the center of a system of integrated security: endpoints/devices/networks/apps/etc.
Credit: Jackie Niam / Getty Images

Customer identity and access management (CIAM), a subset of identity access management (IAM), is used to manage authentication and authorization of account creation and login process for public facing applications. To helps organizations compare their needs against the options in the market, CSO prepared a list with the top seven vendors in the market.

To decide for the right CIAM product, organizations must balance the ease of the login experience with a kaleidoscope of business goals for how customers sign-in and leverage their accounts. Marketers want to collect data about customers and their devices. Privacy officers want to ensure the data collection process is fully compliant with privacy regulations. And security and risk professionals want to ensure the integrity of accounts and minimize fraudulent usages of customer credentials.

This delicate balancing act is what has driven the evolution and growth of the CIAM market. Unlike workplace IAM that consolidates and manages the identities and access to internal enterprise applications, CIAM has different roots and is measured by a different yard stick for success.

The evolution of CIAM features

John Tolbert, lead analyst and managing director for KuppingerCole, says that more than a decade ago CIAM’s earliest roots had less to do with security than with marketing. “Some of the original motives companies would have had for picking up a CIAM solution were for getting more demographic data around consumers for targeted marketing and increased sales revenue,” he says.

Rampant data breaches, growing regulatory pressure, and increased cost from fraud has pushed evolution of security- and compliance-focused CIAM features on multiple fronts. Privacy regulation like GDPR and CCPA have increased demand for robust consent management systems within CIAM that make it easy for users to dictate how much data an organization can collect about them, and for organizations to methodically track and enforce those preferences. Attack trends have called for organizations to bolster the security of authentication and authorization at login. Similarly, hacking and fraud trends have also driven CIAM vendors to create more features that detect account usage patterns that indicate an account has been fraudulently taken over—triggering alerts and sometimes adaptive authentication steps that might be more rigorous than normal.

Fraud reduction features have been especially in focus in the latest refreshes, according toTolbert. “We’ve seen a pretty significant increase in CIAM having that kind of functionality—if not built into the platform, then easily accessible from the platform through third-party connections,” he tells.

Considerable work has been done across many CIAM products to increase support for passwordless authentication, single sign on methods such as social sign-in, and intuitive account recovery. In fact, Gartner said recently that organizations adoption of CIAM with converged fraud detection and passwordless authentication may help them reduce customer churn by more than half by 2025.

Given the diversity of use cases, feature options, and business drivers now at play in the CIAM market, analysts agree that no vendor can cover all the bases for every CIAM use case.

Top CIAM tools

The following are some of the platforms with the highest marks offered by analysts and customers for the broadest range of features, most extensibility, and best ease of administration.

ForgeRock Identity Platform

A full-featured identity vendor with strong CIAM capabilities, ForgeRock provides a one-stop-shop for enterprises seeking a blend of CIAM, workforce IAM, and identity.

The CIAM tooling provides robust administrative control and flexibility, with a lot of customization in registration workflows and heavy emphasis on creating consumer-friendly user journeys from registration to account recovery. The latest iteration of Identity Platform bolstered this with an emphasis on low-code/no code management of policies, adding more features to drag-and-drop orchestration of policies and customer journeys.

The platform also extends to consumer IoT use cases with some capabilities offered through its ‘Thing SDK’ and device registration API. The platform supports a wide range of authentication standards and methods, including FIDO, OAuth2, OIDC, and SAML, as well as integrating with mobile biometric and passive biometric vendors.

On the security front, the platform provides integrations and connectors for identity proofing and fraud intelligence. It’s also got consent management features to aid in privacy compliance with regulations like GDPR and CCPA. While it doesn’t provide native marketing analytics support, it does have business intelligence and marketing analytics connectors that can tap into the services a range of providers like Adobe, Salesforce, and SAP.

IBM Security Verify

A strong contender in the larger enterprise space, IBM Security Verify gets high marks for its robust infrastructure, which is supported by a containerized, multi-cloud architecture that’s not only scalable, but also provides the option for companies to manage isolated customer instances.

IBM offers support for a wide range of authenticator types and standards, including operating with a FIDO 2 Server certification. It’s built with out-of-the-box identity analytics and reporting, and customers can tap into the IBM ecosystem to layer marketing analytics or business intelligence into the platform or utilize a portfolio of connectors to tap into third-party marketing analytics and automations.

One of the big differentiators for this product is in its built-in risk-based authentication and fraud reduction features, which are frequently only an integration option in other CIAM products. IBM Trusteer capabilities are baked into Security Verify, leveraging analytics fed by the CIAM platform to reduce fraud using AI-powered adaptive access. The system utilizes a combination of anomaly detection, detection of fraud patterns, and other passive behavioral analytics to score the trustworthiness of an account and adjust authentication requirements accordingly.

The platform offers a self-service portal for users to manage consent, and on the backend offers a low-code/no-code management feature so that privacy officers and business stakeholders can set and tweak privacy policies and data requests for user populations without requiring developer intervention.


LoginRadius stands as an ‘easy button’ choice for CIAM, operating a turnkey solution known for its ease of implementation and operation. It’s got sufficient API support and can be customized, but this is not a platform designed for heavy under-the-hood code customization. Instead, it’s designed for organizations that either don’t want to or can’t do a lot of development work, operating with a decidedly no-code philosophy.

Onboarding workflows are done through a GUI, policy creation is developed through drop-down list, and integrations are offered through a marketplace of pre-packaged connectors. There are a number of these connectors that span across categories like advertising, BI, CRM, marketing automation. The platform includes a decent built-in analytics engine with dozens of reports offered for marketing and identity analytics. It’s got basic consent management and consumer self-service features available for privacy compliance purposes and supports a decent range of authenticators, including social login.

In exchange for the ease of operation and deployment, organizations give up some features and a degree of control. For example, the out-of-box the tool has an authentication risk engine but doesn’t give a lot of control over prioritization and there aren’t many connectors for third-party fraud prevention features. Similarly, device attributes are examined for risk scoring and analytics, but only in a limited degree.

Microsoft Entra

While Microsoft is a major player in the broader IAM market, the company is still working its way up the maturity scale for external-facing CIAM use cases. In 2021, when Gartner did its last big access management analysis, analysts argued that Azure AD external capabilities were “immature compared with other vendors’ offerings, and most clients are using the product for workforce scenarios only.”

In the intervening time, though, Microsoft has been pouring investment into its entire identity portfolio, and recently repositioned everything, including external CIAM capabilities, into a new line called Microsoft Entra. Entra now encompasses all of Azure AD, including the CIAM features of Azure AD External Identities. It also added its open-standards platform Verified ID into the mix. Microsoft is doubling down on this decentralized identity proofing ecosystemmostly for workforce identity managementmaking it clear that this will be a long-term focus that will likely span into external use cases as well.

Tolbert says External Identities have some good things going for it in spite of some big feature holes, including a lack of consumer privacy dashboards, pretty rudimentary adaptive authentication policy construction and no out-of-box device identity management available. It’s extremely scalable, easy to use, and has some strong account takeover (ATO) protections. It integrates well with Microsoft business intelligence and customer relationship management platforms for advanced analytics, and has been incrementally improving its integration ecosystem.

“Microsoft is still working toward feature parity between their CIAM and Azure AD platforms,” Tolbert wrote in the KuppingerCole Leadership Compass CIAM Platforms report. “Organizations that need scalability and ease of use that do not require advanced privacy management or consumer device management should review Microsoft External Identities when selecting CIAM solutions.”

Okta and Auth0

Following the acquisition of Auth0, Okta is committed to keep Auth0 CIAM product as an independent offering alongside Okta’s homegrown CIAM capabilities to give customers maximum flexibility in how they implement. Nevertheless, crossover and integration are going to happen, and the vendor combined several functions to accelerate the ability to collaborate and innovate.

While Auth0 does offer some workforce IAM capabilities, this is a platform that grew up with CIAM use cases top-of-mind, so much of the attention is devoted to that offering. According to Gartner analysts, Okta’s Auth0 is especially good for those where developers need to layer in access management for consumers within custom-developed, API-heavy applications.

The platform combines “great UX flows and UI customization abilities” with “comprehensive developer tools and full API support,” according to Gartner’s access management Magic Quadrant.

Kuppinger’s analysis notes that the overall Okta CIAM portfolio has got a strong set of connectors for business intelligence, CRM, marketing analytics and automation, other IAM platforms, popular SaaS apps, and fraud reduction intelligence platforms. It also builds in the standard capabilities to allow consumers to control their profile information, with back-end record keeping for consumer profiles available through Auth0’s support of Kantara Consent Receipt.

Where they say the product could use more work is in baking in device intelligence and behavioral biometrics into the native capabilities of the platform.


A lightweight identity-as-a-service (IdaaS) provider that ranks high on Gartner’s access management magic quadrant, OneLogin offers some stripped down, developer-friendly CIAM features that could be a boon for organizations seeking an affordable option for building out stronger customer authentication. The analyst firm explains that one of OneLogin’s biggest strengths is the competitive pricing it offers for external access management use cases.

The company’s differentiation point is its flexible extensibility, with significant developer support and robust APIs. Its serverless Smart Hooks API feature is designed to help developers easily customize CIAM workflows and policies to simplify the process of creating seamless and secure user experiences during login. However, unlike many of the CIAM providers highlighted in this round-up, it’s not designed with any kind of out-of-box consent management features and is not focused on the business-driven features such as marketing analytics and automation. This is primarily an authentication and authorization play. The tooling makes it easy for developers to easily add single sign-on capabilities into their consumer apps that offer risk-based multifactor authentication in an adaptive fashion that maximizes consumers user experience.

Across both workforce IAM and CIAM, the focus for OneLogin has been on the SMB and midmarket, though the acquisition of the company by One Identity—a company best known for its identity governance and administration tooling—will likely pull in more enterprise use cases from the workforce IAM side. However, a year into the marriage and (for better or for worse) there hasn’t been a lot of significant changes to the CIAM feature sets in the OneLogin platform.

Ping Identity

As one of the first enterprise IAM vendors to dip its toes into the CIAM waters, Ping Identity displays a lot of strength in CIAM security features. This includes high marks from the analysts for its identity proofing, identity orchestration and analytics features, scope of the types of authenticators it supports, and the documentation and security of its API connectors. It’s PingOne Fraud module also layers in a range of detection dimensions like real-time behavioral navigation, behavioral biometrics, device attributes, and network attributes, to pick up on potential fraud attacks and the platform also supports integration with external fraud reduction intelligence platforms. Also, while many of the vendors in this round-up support FIDO 2, Ping Identity stands out for running a FIDO 2 certified server.

One of the weak points highlighted by KuppingerCole’s report is that it’s only got rudimentary permissions management for consumers, with most consent handling taking extra development and integration work to implement. That analysis also noted that though Ping Identity supports integration with HubSpot, Mailchimp, Marketo, and Zoho, out-of-the-box connectors for advanced business intelligence, customer relationship management and marketing analytics are still a work in progress. In spite of this, analysts rank Ping strongly for its features and Gartner notes that it offers one of the more affordable options in the CIAM market.