Traditionally, the information security domain has examined identity through the lens of the corporate enterprise. In this context, user lifecycle management is about onboarding and managing the identity of employees who need access to corporate systems. For consumer-facing businesses, customer identity and access management (CIAM) is just as critical.
And this is why I’m so excited to share this report with the community. Auth0 has a unique position in the CIAM space, handling billions of logins each month for consumer-facing businesses around the world, which gives us the visibility to quantitatively explore the state of secure identity in 2021.
One of the key takeaways for developers and security professionals is that managing CIAM is messy, not only because your applications are likely to be exposed to large-scale internet attacks, but also because of the ins and outs of managing customers’ identities. Consumers are a varied group and automatically distinguishing between a confused user and an advanced attacker is not straightforward.
Securing your customers’ identities is made more difficult by the industry-wide failure to protect data. The prevalence of breached passwords and the availability of automated attack tools make the humble password a protective measure from the past. We’re also in a time of transition where traditional enterprises are starting to look more like a set of consumer-facing applications, which means enterprises don’t have the luxury of ignoring CIAM’s security problems. Consequently, identity should be top of mind for CISOs — pragmatism and limited budgets require prioritization, and securing identity should be number one.
At Auth0 we obsess about making identity easy for application builders, and our Security and Product teams obsess about keeping those identities secure. I’m very excited to pull back the curtain on what we encounter every day.
—DUNCAN GODFREY, VP SECURITY ENGINEERING
Methodology
This report is based on data from Auth0 customers, retrieved by running simple and anonymous queries against our aggregate database. In many cases, we segmented the data by industry vertical, as self-defined by each customer. Unless otherwise noted, this report presents and analyzes data from the first 90 days of 2021.