CIAM.wiki


Authentication & Authorization

How a user proves who they are, and what they are then allowed to do. Authentication is where account takeover is won or lost; authorization is the quieter half that decides access once the user is in. The market is moving toward passkeys for the first and fine-grained, externalized policy for the second.

Core capabilities

Multi-factor authentication [Engage]
A second factor beyond the password: OTP, push, biometrics, or FIDO2.
Single sign-on [Engage]
One login across multiple apps, brands, and sub-brands.
Authorization & policy engine [Engage]
Centralized rules for who can do what: RBAC, ABAC, and transactional policy.
Session management [Engage]
Granular session lifetime, scoping, and revocation.
Open standards support [Admin]
OAuth 2.0, OIDC, SAML 2.0, FIDO2, SCIM, and UMA.

What to ask a CIAM vendor

  • Which authentication methods are first-class, and is passwordless or passkey a default rather than a bolt-on?
  • Is authorization handled with real policy (RBAC, ABAC, or ReBAC) or hard-coded per app?
  • Can authentication step up mid-session for a sensitive transaction?
