CIAM.wiki

Bring your own identity (BYOI)

Every new account is friction and risk: the customer has one more password to forget, and you have one more credential to protect. Bring your own identity lets people sign in with an identity they already hold. The trade is always the same: less friction at the door in exchange for accepting whatever assurance the issuing identity actually carries.

The three families

  • Social login: sign in with a large consumer provider. Adoption is high and friction is low, which makes it strong for consumer registration. The weakness is assurance: a social account is not identity-proofed and can be synthetic, and you inherit little about how the user was authenticated. Key the linked account on the issuer plus subject identifier, not on the email address, and never match an existing account on an email claim the issuer has not marked as verified.
  • Government eID and BankID: credentials already proofed to a high level for opening a bank account or accessing public services. Assurance is strong, but coverage is fragmented by country, so it only fits if your markets and audience have adopted them.
  • Wallets and decentralized credentials: the customer holds verifiable credentials in a wallet and presents them on request. The promise is reusable, user-controlled, proofed identity. The constraint is the classic two-sided adoption problem: users will not maintain a credential nobody accepts, and sites will not accept one few users hold.

Assurance is the real question

BYOI is not one decision; it is a decision per source. Treat each accepted identity by the assurance it carries, and let your adaptive authentication policy weight them differently. A social login is fine for a low-stakes account and wrong for a high-value transaction, which should route through identity proofing instead. The platform should let you accept third-party identities through open standards (OpenID Connect is the common one; the acr and amr claims in its ID token are where an issuer states how the user was authenticated) and apply different downstream policy to each.
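As an added example (not code from CIAM.wiki or from any vendor's product), the per-source decision can be written as a small policy over already-validated OpenID Connect ID-token claims: the issuer fixes the ceiling a source can ever reach, an eID issuer's acr claim sets the level within that ceiling, and each action states the minimum it needs. The issuer URLs, acr values, three-step assurance scale, action list and sample claims are all assumptions made for illustration. It also shows the account-keying caveat: the stable key is issuer plus subject, and an email claim is only usable for matching when the issuer marks it verified.

```python
"""Per-source assurance policy for BYOI sign-ins.

Added example, not CIAM.wiki code or any vendor's API. The issuer URLs,
acr values, assurance scale and action list below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Mapping


class Assurance(IntEnum):
    """Assumed three-step scale; map it onto your own IAL/AAL or eIDAS LoA scheme."""
    NONE = 0         # source not accepted, or the claims do not say
    LOW = 1          # self-asserted, not identity-proofed (social login)
    SUBSTANTIAL = 2  # remotely proofed
    HIGH = 3         # proofed in person or equivalent (eID, BankID)


# Hypothetical issuer registry: which sources are accepted and what they can carry.
# A social provider gets a fixed ceiling; an eID source derives its level from acr.
ISSUERS = {
    "https://social.example.com": {
        "family": "social", "ceiling": Assurance.LOW, "acr_levels": {},
    },
    "https://eid.example.gov": {
        "family": "eid", "ceiling": Assurance.HIGH,
        "acr_levels": {
            "urn:example:loa:substantial": Assurance.SUBSTANTIAL,
            "urn:example:loa:high": Assurance.HIGH,
        },
    },
}

# Minimum assurance each action needs. Illustrative actions, not a standard.
ACTION_REQUIREMENTS = {
    "read_profile": Assurance.LOW,
    "place_order": Assurance.LOW,
    "change_payout_account": Assurance.HIGH,
    "apply_for_credit": Assurance.HIGH,
}


@dataclass(frozen=True)
class Decision:
    outcome: str       # "allow", "step_up" or "deny"
    level: Assurance   # assurance the presented identity carries
    reason: str


def assurance_of(claims: Mapping[str, object]) -> tuple[Assurance, str]:
    """Interpret validated ID-token claims into an assurance level.

    Signature, issuer, audience, expiry and nonce must already have been
    checked by the OIDC client; this function only reads the result.
    """
    issuer = ISSUERS.get(str(claims.get("iss", "")))
    if issuer is None:
        return Assurance.NONE, "issuer not in the accepted list"
    if issuer["family"] == "social":
        # A social account is never identity-proofed, whatever acr it sends.
        return Assurance.LOW, "social login: self-asserted identity"
    level = issuer["acr_levels"].get(claims.get("acr"), Assurance.NONE)
    if level == Assurance.NONE:
        return Assurance.NONE, "eID issuer sent no recognised acr"
    return min(level, issuer["ceiling"]), f"acr {claims['acr']} from {claims['iss']}"


def decide(claims: Mapping[str, object], action: str) -> Decision:
    """Allow, step up, or deny `action` for the identity the user brought."""
    required = ACTION_REQUIREMENTS[action]
    level, reason = assurance_of(claims)
    if level == Assurance.NONE:
        return Decision("deny", level, reason)
    if level >= required:
        return Decision("allow", level, reason)
    # Too weak for this action: route to proofing or a stronger source rather
    # than refusing outright, so the low-friction sign-in still has a path.
    return Decision("step_up", level,
                    f"{action} needs {required.name}, identity carries {level.name}")


def account_key(claims: Mapping[str, object]) -> str:
    """Stable key for the external identity: issuer plus subject, never email."""
    return f"{claims['iss']}|{claims['sub']}"


def may_link_by_email(claims: Mapping[str, object]) -> bool:
    """Only an issuer-verified email may be used to match an existing account."""
    return claims.get("email_verified") is True


# Constructed sample claims (not captured from any real provider).
SOCIAL_CLAIMS = {"iss": "https://social.example.com", "sub": "1234",
                 "email": "a@example.com", "email_verified": False}
EID_CLAIMS = {"iss": "https://eid.example.gov", "sub": "SE-0001",
              "acr": "urn:example:loa:high"}

if __name__ == "__main__":
    for claims in (SOCIAL_CLAIMS, EID_CLAIMS):
        for action in ACTION_REQUIREMENTS:
            d = decide(claims, action)
            print(f"{account_key(claims):36} {action:22} {d.outcome:8} {d.reason}")
```

The point of the ceiling is that a social issuer cannot talk its way up: even if it sends an acr value that happens to match an eID level, the registry caps it at LOW, and the only route to a HIGH action is step-up through a proofed source. Recording the resulting level and reason on the profile is what the "how is assurance carried into the profile" vendor question is asking for.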

What to ask a CIAM vendor

  • Which social, eID, BankID, and wallet sources can we accept out of the box, and through which standards?
  • Can we apply different authentication and authorization policy based on which identity the user brought?
  • How is the assurance level of an external identity recorded and carried into the profile?
  • Can a low-assurance social sign-in be stepped up to a proofed identity for high-value actions?
  • What is the effort to add a new identity source as our markets change?

The buyer takeaway: BYOI lowers the barrier to sign-up, but the value depends entirely on matching each identity source to the assurance the action needs. Decide which sources fit your segments, then run the vendor matcher.