Glossary

Key terms and definitions for CIAM

A

Adaptive Access Controls

What is adaptive access control?

Adaptive access controls adjust sign-in requirements based on context like device, location, and behavior. When risk increases, the system can step up verification instead of adding friction to every login. Learn more about adaptive access.

Why it matters

  • Reduces account takeover risk without challenging every user
  • Supports better conversion by adding friction only when needed
  • Helps teams respond to new threats without redesigning the whole login

How it works

  • Collect contextual signals (device, IP or location, session patterns)
  • Evaluate risk using rules or models
  • Decide an action: allow, step up, or deny
  • If step up, require additional verification (MFA, email link, etc.)
  • Log outcomes for auditing and tuning

Authentication

What is authentication?

Authentication is how a user proves they are who they claim to be during sign-in. It can use passwords, MFA, or passwordless methods depending on your security and experience goals. Learn more about the login journey.

Why it matters

  • Protects customer accounts from unauthorized access
  • Impacts conversion because sign-in friction drives drop-off
  • Strengthens downstream security because every access decision starts here

How it works

  • User initiates sign-in and provides a factor (password, OTP, biometric, link)
  • System verifies the factor against the account
  • If risk is elevated, prompt for an additional factor
  • On success, establish a session and issue tokens if applicable
  • On failure, show recovery options and rate-limit repeated attempts
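The sign-in sequence above, as an added example that is not code from the original glossary or from any vendor: password verification with a salted, iterated hash and a constant-time compare, a per-account failure window that rate-limits repeated attempts, an MFA prompt when risk is elevated, and one identical "failed" response for unknown users and wrong passwords. The account store, the `Authenticator` class and the recovery options are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves
MAX_FAILURES = 5                  # failures tolerated per account within WINDOW_SECONDS
WINDOW_SECONDS = 900

def hash_password(password: str) -> str:
    """Salted, iterated hash; salt and parameters travel with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time compare

# Hashed once at start-up so an unknown username costs the same as a wrong password.
_DUMMY_HASH = hash_password("not-a-real-password")

class Authenticator:
    """Constructed account store: username -> {"hash": ..., "mfa_required": bool}."""
    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.failures = defaultdict(deque)       # username -> timestamps of recent failures
        self.clock = clock

    def _recent_failures(self, user: str) -> int:
        q = self.failures[user]
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:               # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def login(self, user: str, password: str, risk_elevated: bool = False) -> dict:
        if self._recent_failures(user) >= MAX_FAILURES:
            return {"status": "rate_limited", "retry_after": WINDOW_SECONDS}
        acct = self.accounts.get(user)
        # Always run the hash, even for unknown users, so timing does not leak existence.
        ok = check_password(password, acct["hash"] if acct else _DUMMY_HASH) and acct is not None
        if not ok:
            self.failures[user].append(self.clock())
            # Same response for unknown user and wrong password: no username enumeration.
            return {"status": "failed", "recovery": ["reset_password", "magic_link"]}
        self.failures[user].clear()
        if risk_elevated or acct.get("mfa_required"):
            return {"status": "mfa_required"}
        return {"status": "ok", "session_id": os.urandom(16).hex()}
```

The `clock` parameter exists so the failure window can be tested without sleeping; in production leave it at `time.time`. A real deployment would also rate-limit by source IP, not only by account, so that a spread of usernames from one address is caught as well.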

Authorization

What is authorization?

Authorization determines what an authenticated user is allowed to access or do. It enforces permissions and policy decisions after identity has been verified. Learn more by starting with creating your first application.

Why it matters

  • Prevents users from accessing data or actions they should not have
  • Limits breach impact by enforcing least privilege
  • Enables safer self-service and admin experiences with clear permissions

How it works

  • Authenticate the user first
  • Identify the requested resource or action
  • Evaluate policies (roles, attributes, entitlements, context)
  • Allow or deny the request and return the appropriate response
  • Record decisions for audit and troubleshooting
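The evaluation order above (authenticate first, identify the resource and action, evaluate role, attribute and context policies, allow or deny, record the decision), as an added example that is not code from the original glossary or from any vendor. The role table, the owner-only rule, the list of actions that require a stepped-up session and the audit list are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Principal:
    sub: str
    roles: frozenset
    mfa: bool = False          # was the current session stepped up with a second factor?

@dataclass
class Resource:
    kind: str
    owner: str

# Role policy: role -> permitted (resource kind, action) pairs. Constructed.
ROLE_PERMS = {
    "customer": {("order", "read"), ("order", "cancel"), ("profile", "read"), ("profile", "update")},
    "support":  {("order", "read"), ("profile", "read")},
    "admin":    {("order", "read"), ("order", "refund"), ("profile", "read")},
}
# Attribute policy: these kinds are only visible to their owner unless the caller is staff.
OWNER_ONLY_KINDS = {"order", "profile"}
STAFF_ROLES = {"support", "admin"}
# Context policy: actions that require a stepped-up session regardless of role.
STEP_UP_ACTIONS = {("order", "refund"), ("profile", "update")}

def authorize(p: Principal, res: Resource, action: str, audit: list):
    """Evaluate role, attribute and context policies in order. Returns
    (allowed, reason) and appends every decision to the audit trail."""
    def decide(allowed, reason):
        audit.append({"sub": p.sub, "resource": f"{res.kind}:{res.owner}",
                      "action": action, "allowed": allowed, "reason": reason})
        return allowed, reason

    if not any((res.kind, action) in ROLE_PERMS.get(r, set()) for r in p.roles):
        return decide(False, "no role grants this action")
    if res.kind in OWNER_ONLY_KINDS and res.owner != p.sub and not (p.roles & STAFF_ROLES):
        return decide(False, "not the owner")
    if (res.kind, action) in STEP_UP_ACTIONS and not p.mfa:
        return decide(False, "step-up required")
    return decide(True, "ok")
```

Deny-by-default is the important property: every check is a reason to refuse, and the request is allowed only when none fires. The "step-up required" outcome is what lets the login journey re-prompt for a second factor and then retry the same request.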

Access token

What is an access token?

An access token is a credential used by an application to call protected APIs or resources on behalf of a customer. It grants access based on scopes and policies without sharing passwords. Learn more about access and refresh tokens.

Why it matters

  • Enables secure API access
  • Supports least privilege through scopes
  • Limits exposure compared to sharing credentials

How it works

  • App receives an access token after a successful OAuth or OIDC flow
  • App includes token in API requests
  • API validates the token (signature, issuer, audience, expiry) and checks that its scopes cover the requested operation
  • Token expires and can be renewed when allowed

C

Consent Management

What is consent management?

Consent management is how customers choose what personal data they share and how it can be used. It supports clear choices, preference updates, and privacy-aligned experiences. Learn more about consent management.

Why it matters

  • Builds trust by giving customers clear, controllable choices
  • Supports privacy expectations and policy requirements
  • Improves personalization by ensuring data use matches user intent

How it works

  • Present consent choices at the right moments (registration, profile, marketing opt-in)
  • Capture consent state with time and context as needed
  • Store consent as a preference tied to the customer identity
  • Enforce consent in downstream experiences and integrations
  • Allow updates and revocation through self-service

Customer Identity and Access Management (CIAM)

What is customer identity and access management (CIAM)?

Customer identity and access management (CIAM) helps organizations manage customer sign-up, sign-in, and account access across digital channels. CIAM also supports security, privacy preferences, and self-service account management across the customer lifecycle.

Why it matters

  • Improves acquisition and retention by reducing registration and login friction
  • Strengthens security for customer accounts and connected systems
  • Supports privacy and preference management to build customer trust

How it works

  • Provide registration and profile capture that fits your business rules
  • Verify identity and authenticate users at sign-in
  • Issue sessions and tokens for apps and APIs
  • Apply authorization policies for roles and permissions
  • Enable self-service for profile, password, and account recovery
  • Monitor risk and respond with step-up verification or fraud controls

Claims

What are claims?

Claims are pieces of information about a customer, like subject identifier, email, or name, that can be included in tokens or assertions. Applications use claims to identify users, personalize experiences, and enforce access decisions. Learn more about claim dialects.

Why it matters

  • Standard way to pass identity attributes to apps
  • Supports consistent personalization and authorization decisions
  • Reduces custom attribute mapping work across systems

How it works

  • Define which account attributes you want to expose
  • Map attributes to token claim names using dialects
  • Issue tokens that include the claims
  • Application reads claims and applies business logic or permissions

D

Data Residency

What is data residency?

Data residency means storing and managing customer data in a specific country or region to meet privacy and regulatory requirements. It helps organizations control where data lives and how it is governed.

Why it matters

  • Supports regional regulatory and contractual requirements
  • Reduces compliance risk by clarifying where data is stored and processed
  • Can build customer trust when paired with transparent privacy choices

How it works

  • Define the regions your identity data must reside in
  • Store customer identity data in approved regional infrastructure
  • Enforce access and processing rules for those regions
  • Document controls and customer-facing disclosures as needed

Digital Identity

What is a digital identity?

Digital identity is the collection of information that represents a person online and helps prove who they are. It can include identifiers, profile attributes, and authentication factors. Learn more by starting with creating an identity store.

Why it matters

  • Enables secure access, personalization, and account recovery
  • Reduces identity theft risk when attributes and factors are protected
  • Improves customer experience when identity data is accurate and up to date

How it works

  • Collect identity attributes during registration and profile updates
  • Store attributes in an identity store
  • Use factors (password, OTP, passkey, biometric) to authenticate
  • Use claims and context to personalize and secure journeys

F

Fraud Detection

What is fraud detection?

Fraud detection identifies suspicious activity early so it can be stopped before it causes harm. In identity flows, it often pairs risk analysis with step-up authentication.

Why it matters

  • Reduces account takeover, chargebacks, and support burden
  • Protects customers and brand reputation
  • Complements authentication by detecting suspicious patterns over time

How it works

  • Monitor signals like unusual location, device changes, velocity, and failed attempts
  • Compare activity to expected behavior baselines
  • Score risk and trigger actions (step up, block, review)
  • Use identity verification when confidence is low
  • Continuously tune rules based on outcomes and new attack patterns
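The monitoring loop above (collect signals, compare against a baseline, score, act), as an added example that is not code from the original glossary or from any vendor. It runs two detections over a constructed sign-in log: a velocity rule that flags many failures against many distinct accounts from one address (credential stuffing), and an impossible-travel rule that flags one user succeeding from two countries within minutes. The log format, thresholds and the mapping from finding to action are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log: six failures against six accounts from one address within
# five seconds, then alice succeeding from DE and BR fifteen minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice country=DE result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob country=DE result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol country=DE result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave country=DE result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin country=DE result=fail
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank country=DE result=fail
2024-05-01T10:03:00Z ip=198.51.100.7 user=bob country=DE result=fail
2024-05-01T10:03:20Z ip=198.51.100.7 user=bob country=DE result=success
2024-05-01T10:05:00Z ip=192.0.2.44 user=alice country=DE result=success
2024-05-01T10:20:00Z ip=192.0.2.99 user=alice country=BR result=success
2024-05-01T11:00:00Z ip=192.0.2.44 user=carol country=DE result=success
"""

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                  r"country=(?P<country>\S+) result=(?P<result>\S+)$")

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                               # ignore lines in another format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_credential_stuffing(events, window_s=60, min_failures=5, min_users=4):
    """Velocity rule: many failures against many distinct accounts from one IP
    inside a sliding window is not one person mistyping a password."""
    findings, by_ip = [], defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1                         # slide the window forward
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                findings.append({"rule": "credential_stuffing", "ip": ip, "accounts": len(users)})
                break                              # one finding per address is enough
    return findings

def detect_impossible_travel(events, max_minutes=30):
    """Baseline rule: two successful logins for one user from different
    countries closer together than any plausible trip."""
    findings, last_success = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and \
                (e["ts"] - prev["ts"]).total_seconds() <= max_minutes * 60:
            findings.append({"rule": "impossible_travel", "user": e["user"],
                             "from": prev["country"], "to": e["country"]})
        last_success[e["user"]] = e
    return findings

def respond(findings):
    """Turn findings into actions: block the source of a stuffing run, step
    up the user whose session may be hijacked."""
    actions = []
    for f in findings:
        if f["rule"] == "credential_stuffing":
            actions.append(("block_ip", f["ip"]))
        elif f["rule"] == "impossible_travel":
            actions.append(("step_up", f["user"]))
    return actions

def analyze(text: str = SAMPLE_LOG):
    events = parse_log(text)
    return respond(detect_credential_stuffing(events) + detect_impossible_travel(events))
```

Note that bob's single failure followed by a success from the same address is left alone: the rules key on distribution across accounts and on geography, not on any single failed attempt, which is the difference between fraud detection and the per-account lockout that authentication already applies.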

I

Identity Analytics

What are identity analytics?

Identity analytics is the analysis of identity and behavior patterns to improve sign-in experiences, personalization, and security. It helps teams identify drop-off points, measure friction, and improve outcomes over time. Learn more about the dashboard.

Why it matters

  • Shows where users abandon registration or fail sign-in
  • Helps quantify friction and security outcomes instead of guessing
  • Supports continuous improvement through experimentation and segmentation

How it works

  • Capture journey events (success, failure, abandonment)
  • Segment by flow, app, device, or cohort
  • Analyze trends and outliers (spikes in failures, unusual patterns)
  • Test changes (A/B tests) and compare outcomes

Identity as a Service (IDaaS)

What is identity as a service (IDaaS)?

Identity as a service (IDaaS) is identity and access management delivered as a cloud service. CIAM is a customer-focused subset that prioritizes consumer sign-up, sign-in, and self-service at scale.

Why it matters

  • Reduces operational burden compared to self-managed identity systems
  • Speeds time to value with managed infrastructure and updates
  • Helps standardize security controls across apps and channels

How it works

  • Configure identity services in a cloud console
  • Integrate apps using SDKs or APIs
  • Apply policies for authentication and security
  • Monitor outcomes and iterate as needs change

Identity provider (IdP)

What is an identity provider (IdP)?

An identity provider (IdP) is a system that authenticates users and issues tokens or assertions that applications use to establish sessions. In SSO setups, the IdP is the central authority that vouches for the user’s identity. Learn more in SSO and cross-platform authentication.

Why it matters

  • Centralizes authentication across apps
  • Reduces duplicate credential stores
  • Enables consistent security and policy enforcement

How it works

  • App redirects user to the IdP for sign-in
  • IdP authenticates the user
  • IdP returns tokens or assertions to the app
  • App validates and establishes a session based on the IdP response

ID token

What is an ID token?

An ID token is an OIDC token that contains identity information about the authenticated customer, expressed as claims. Applications use it to confirm who signed in and to create a session. Learn more about token generation.

Why it matters

  • Standard way to convey identity to an app
  • Reduces custom profile lookups during login
  • Supports consistent session creation across apps

How it works

  • Customer completes authentication
  • Identity provider creates an ID token with claims
  • App validates the token signature, issuer, audience, and expiry, and checks that the nonce matches the one it sent
  • App uses claims to create a session and personalize experiences

M

Multi-factor authentication (MFA)

What is multi-factor authentication (MFA)?

MFA adds an extra verification step beyond a single factor, helping confirm a customer’s identity during sign-in. It can include OTP, security keys, passkeys, or other authenticators depending on your policy. Learn more about multi-factor methods.

Why it matters

  • Reduces account takeover risk
  • Supports step-up challenges for higher-risk logins
  • Helps meet security requirements without forcing friction everywhere

How it works

  • Define which MFA methods are allowed
  • Require or recommend MFA based on policy
  • Prompt customers to enroll when needed
  • Challenge customers during authentication and verify the second factor
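The enrollment and challenge steps above for one common MFA method, as an added example that is not code from the original glossary or from any vendor: a time-based one-time password (TOTP, RFC 6238) authenticator with secret generation, the otpauth URI that goes into the enrollment QR code, and a server-side verifier that tolerates one step of clock drift but refuses to accept a code for a time step it has already accepted, so a captured code cannot be replayed within its 30-second window. The issuer name and the replay policy are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

def new_totp_secret() -> str:
    """Enrollment: 160-bit random secret, base32-encoded for QR or manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, account: str, issuer: str = "ExampleCIAM") -> str:
    """otpauth:// URI in the key-URI format understood by authenticator apps."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret), int(at // step), digits)

class TotpVerifier:
    """Server-side check. Tolerates `skew` steps of drift either way and never
    accepts a time step at or before the last successful one (anti-replay)."""
    def __init__(self, secret: str, step: int = 30, skew: int = 1):
        self.key = base64.b32decode(secret)
        self.step, self.skew = step, skew
        self.last_counter = -1        # persist this per credential in a real store

    def verify(self, code: str, at: float) -> bool:
        counter = int(at // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue              # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False
```

TOTP is a shared-secret method, so the secret must be stored as carefully as a password hash cannot be: it has to be recoverable in plaintext to compute codes. The verifier's per-credential `last_counter` also needs to be stored, or replay protection is lost across server restarts.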

O

OpenID Connect (OIDC)

What is OpenID Connect (OIDC)?

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that lets applications authenticate users and receive identity information in tokens. It is commonly used for modern web and mobile authentication flows. Learn more about OIDC support.

Why it matters

  • Standardizes authentication for modern apps
  • Supports secure token-based sign-in
  • Reduces custom integration work across apps

How it works

  • Application starts an OIDC login flow
  • User authenticates through the identity provider
  • App receives an authorization code at its registered redirect URI
  • App exchanges code for tokens and establishes a session

OAuth 2.0

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that lets applications obtain access to protected resources without sharing user credentials. It is commonly used with OIDC to power modern authentication and API access. Learn more about OAuth 2.0 security best practices.

Why it matters

  • Enables secure delegated access to APIs
  • Reduces password exposure by using tokens
  • Supports modern app patterns like mobile and SPA flows

How it works

  • App requests authorization for a user
  • User authenticates and grants access
  • App receives an authorization code or token response
  • App uses access tokens to call APIs and refresh tokens to renew access when allowed

P

Passkeys

What are passkeys?

Passkeys are phishing-resistant, passwordless WebAuthn credentials: a key pair stored on the customer's device and unlocked locally with a biometric or device PIN through platform authenticators like Touch ID, Face ID, or Windows Hello. They reduce reliance on passwords while improving usability. Learn more about passkeys.

Why it matters

  • Reduces phishing and credential stuffing risk
  • Improves sign-in conversion by removing passwords
  • Supports modern device-native sign-in experiences

How it works

  • Customer creates a passkey on a device
  • Device uses biometrics or local unlock to approve sign-in
  • The device signs the server's challenge together with the site's origin, and the server verifies the signature to complete authentication
  • Passkeys can be promoted during registration or login depending on configuration

Passwordless authentication

What is passwordless authentication?

Passwordless authentication lets customers sign in without typing a password, using methods like passkeys, magic links, OTP, or security keys. It reduces password-related attacks and can lower friction for customers. Learn more about passwordless.

Why it matters

  • Reduces password resets and support costs
  • Lowers risk from stolen passwords
  • Helps modernize sign-in without forcing one method for every user

How it works

  • Choose supported passwordless methods
  • Configure customer journeys to offer the methods
  • Enroll customers (when required)
  • Authenticate using the selected method and complete the login journey
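The enrollment-free passwordless method in the list above, magic links, as an added example that is not code from the original glossary or from any vendor: a service that issues short-lived, single-use sign-in links, stores only a hash of the link token so a leaked table yields nothing usable, and invalidates earlier links for the same address whenever a new one is sent. The link URL, the 10-minute lifetime and the `MagicLinkService` class are assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

LINK_TTL_SECONDS = 600

class MagicLinkService:
    """Single-use, short-lived sign-in links. Only sha256(token) is stored."""
    def __init__(self, clock=time.time):
        self.pending = {}          # sha256(token) -> {"email": ..., "exp": ...}
        self.clock = clock

    @staticmethod
    def _h(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, email: str, base_url: str = "https://app.example.com/auth/magic") -> str:
        """Create a link to be e-mailed to the address. Sending a new link
        revokes earlier ones for the same address."""
        self.pending = {h: r for h, r in self.pending.items() if r["email"] != email}
        token = secrets.token_urlsafe(32)           # 256 bits of entropy; the only secret in the link
        self.pending[self._h(token)] = {"email": email, "exp": self.clock() + LINK_TTL_SECONDS}
        return base_url + "?" + urlencode({"token": token})

    def redeem(self, link_url: str):
        """Return the verified e-mail address, or None if the link is unknown,
        already used or expired. The record is removed on first use."""
        token = parse_qs(urlparse(link_url).query).get("token", [""])[0]
        rec = self.pending.pop(self._h(token), None)
        if rec is None or rec["exp"] < self.clock():
            return None
        return rec["email"]
```

Redeeming should happen on a POST triggered after the page loads, not on the GET of the link itself, because mail scanners and link previewers follow GET requests and would consume a single-use link before the customer does.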

R

Relying party (RP)

What is a relying party (RP)?

A relying party (RP) is the application that relies on an identity provider’s authentication result. In OIDC, the RP receives tokens and uses them to establish a user session and authorize access. Learn more in SSO and cross-platform authentication.

Why it matters

  • Clarifies roles in federation and SSO architectures
  • Helps teams troubleshoot token, redirect, and session issues
  • Supports clean integration patterns across multiple apps

How it works

  • RP initiates an authentication request
  • User completes authentication with the IdP
  • RP receives an authorization code or tokens
  • RP validates tokens and creates an application session
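The redirect-based exchange described under Identity provider, OpenID Connect, OAuth 2.0 and Relying party above, as one added example that is not code from the original glossary or from any vendor. Both sides are simulated in one process: the relying party starts a login with `state`, `nonce` and a PKCE challenge; the identity provider issues a code bound to the client, the registered redirect URI and that challenge; the relying party redeems the code with the verifier, and the IdP rejects reuse, a wrong verifier, or a code issued to a different client or redirect. The ID token's claims are handed back directly rather than as a signed JWT so the example stays focused on the code exchange. Client IDs, URLs, the `IdP` and `RelyingParty` classes and the 60-second code lifetime are assumptions constructed for the example.

```python
import hashlib
import secrets
import time
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

def s256(verifier: str) -> str:
    """PKCE S256: base64url(sha256(code_verifier)) without padding."""
    return urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def code_from_redirect(url: str) -> str:
    return parse_qs(urlparse(url).query)["code"][0]

class IdP:
    """Constructed authorization server. Codes are bound to client, redirect
    URI and PKCE challenge, expire quickly and are single use."""
    ISSUER = "https://idp.example.com"

    def __init__(self, clock=time.time):
        self.clients = {"web-app": {"https://app.example.com/cb"}}   # client_id -> registered redirect URIs
        self.codes = {}
        self.clock = clock

    def authorize(self, params: dict, authenticated_sub: str) -> str:
        """Front channel: after the user has signed in at the IdP, issue a
        code and return the redirect URL the browser is sent back to."""
        if params["redirect_uri"] not in self.clients.get(params["client_id"], set()):
            raise ValueError("unregistered redirect_uri")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("only the code flow with PKCE S256 is allowed")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "challenge": params["code_challenge"], "nonce": params.get("nonce"),
                            "sub": authenticated_sub, "exp": self.clock() + 60}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Back channel: redeem the code exactly once and prove possession of the verifier."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["exp"] < self.clock():
            raise ValueError("invalid, reused or expired code")
        if (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client or redirect URI")
        if not secrets.compare_digest(s256(code_verifier), rec["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300,
                "id_token_claims": {"iss": self.ISSUER, "sub": rec["sub"],
                                    "aud": client_id, "nonce": rec["nonce"]}}

class RelyingParty:
    CLIENT_ID = "web-app"
    REDIRECT_URI = "https://app.example.com/cb"

    def __init__(self, idp: IdP):
        self.idp = idp
        self.pending = {}      # state -> {verifier, nonce}; lives in the browser session in practice

    def start_login(self) -> dict:
        """Build the authorization request. The verifier never leaves the RP."""
        verifier = secrets.token_urlsafe(48)            # 64 chars, inside the 43..128 PKCE range
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = {"verifier": verifier, "nonce": nonce}
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI, "response_type": "code",
                "scope": "openid profile", "state": state, "nonce": nonce,
                "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def callback(self, redirect_url: str) -> dict:
        """Handle the redirect back: match state, exchange the code, check the ID token."""
        q = parse_qs(urlparse(redirect_url).query)
        pending = self.pending.pop(q.get("state", [""])[0], None)
        if pending is None:
            raise ValueError("unknown state: CSRF attempt or replayed callback")
        tokens = self.idp.token(q["code"][0], self.CLIENT_ID, self.REDIRECT_URI, pending["verifier"])
        claims = tokens["id_token_claims"]
        if claims["iss"] != IdP.ISSUER or claims["aud"] != self.CLIENT_ID or claims["nonce"] != pending["nonce"]:
            raise ValueError("ID token does not belong to this login")
        return {"sub": claims["sub"], "access_token": tokens["access_token"]}
```

`state` protects the RP against a forged callback, `nonce` binds the ID token to the same browser session, and PKCE binds the code to the client instance that started the flow, so a code captured from the redirect is useless without the verifier. The three are independent and a production client needs all of them.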

Refresh token

What is a refresh token?

A refresh token is used to obtain new access tokens without asking the customer to sign in again. It helps maintain sessions securely when access tokens are short-lived. Learn more about access and refresh tokens.

Why it matters

  • Reduces repeated logins and improves UX
  • Supports short-lived access tokens for better security
  • Enables consistent session continuity across apps

How it works

  • App stores refresh token securely per platform guidance
  • When access token expires, app requests a new token set
  • Identity provider validates refresh request and issues a new access token
  • Refresh token rotation and revocation can be applied based on policy
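The rotation-and-revocation policy in the last step above, as an added example that is not code from the original glossary or from any vendor: each refresh returns a new refresh token and marks the old one as rotated, and presenting a rotated token again revokes the entire token family, because either the legitimate client or an attacker is holding a stolen copy and the server cannot tell which. The `RefreshTokenStore` class, the 30-day refresh lifetime and the 5-minute access lifetime are assumptions made for the example.

```python
import secrets
import time

class RefreshTokenStore:
    """Refresh token rotation with reuse detection, keyed by token family."""
    def __init__(self, clock=time.time, refresh_ttl=30 * 24 * 3600, access_ttl=300):
        self.tokens = {}                 # refresh token -> {"sub", "family", "rotated", "exp"}
        self.revoked_families = set()
        self.clock, self.refresh_ttl, self.access_ttl = clock, refresh_ttl, access_ttl

    def _issue(self, sub: str, family: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self.tokens[rt] = {"sub": sub, "family": family, "rotated": False,
                           "exp": self.clock() + self.refresh_ttl}
        # The access token here is opaque; a real IdP would mint a signed, short-lived JWT.
        return {"access_token": secrets.token_urlsafe(32), "expires_in": self.access_ttl,
                "refresh_token": rt}

    def login(self, sub: str) -> dict:
        """A fresh sign-in starts a new family; everything rotated from it shares the family id."""
        return self._issue(sub, family=secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> dict:
        rec = self.tokens.get(refresh_token)
        if rec is None:
            raise ValueError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise ValueError("token family revoked")
        if rec["rotated"]:
            # A token that was already exchanged is being used again: stolen copy in play.
            self.revoked_families.add(rec["family"])
            raise ValueError("refresh token reuse detected; family revoked, sign in again")
        if rec["exp"] < self.clock():
            raise ValueError("refresh token expired")
        rec["rotated"] = True
        return self._issue(rec["sub"], rec["family"])

    def logout(self, refresh_token: str) -> None:
        """Explicit sign-out revokes the family, not just the one token presented."""
        rec = self.tokens.get(refresh_token)
        if rec:
            self.revoked_families.add(rec["family"])
```

Reuse detection only works if the server remembers rotated tokens rather than deleting them on exchange; a store that forgets the old token cannot recognise it when it comes back.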

S

Step-up authentication

What is step-up authentication?

Step-up authentication increases verification requirements only when risk is higher, such as a new device, unusual location, or sensitive action. It is often used with adaptive access to balance security and user experience. Learn more about adaptive access.

Why it matters

  • Reduces friction for normal logins
  • Strengthens security for risky moments
  • Supports higher assurance for sensitive transactions

How it works

  • Evaluate contextual and behavioral signals
  • Determine risk level
  • If risk is elevated, trigger additional authentication (MFA or stronger method)
  • Allow or deny based on results and policy
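The decision loop described under Adaptive Access Controls and again under Step-up authentication above, as one added example that is not code from the original glossary or from any vendor: contextual signals are scored by additive rules, the score picks allow, step-up or deny, a step-up that succeeds turns into an allow, and every decision is logged while the user's history is updated so the same device and country are low-risk next time. The signal set, the rule weights and the two thresholds are assumptions constructed for the example; a production engine would tune them from labelled outcomes or replace the rules with a model.

```python
from dataclasses import dataclass, field

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    action: str = "login"               # "login" or a sensitive action such as "change_email"
    failed_attempts_last_hour: int = 0

@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)

# (rule name, predicate over context and history, weight). Constructed weights.
RULES = [
    ("new_device",       lambda c, h: c.device_id not in h.known_devices,  30),
    ("new_country",      lambda c, h: c.country not in h.usual_countries,  25),
    ("sensitive_action", lambda c, h: c.action != "login",                 40),
    ("failed_attempts",  lambda c, h: c.failed_attempts_last_hour >= 3,    20),
]
STEP_UP_AT = 30      # score in [30, 70): require an additional factor
DENY_AT = 70         # score >= 70: deny and route to review

def score(ctx: LoginContext, hist: UserHistory):
    hits = [name for name, pred, _ in RULES if pred(ctx, hist)]
    return sum(w for name, _, w in RULES if name in hits), hits

def decide(ctx: LoginContext, hist: UserHistory, completed_mfa: bool = False):
    """Return ('allow' | 'step_up' | 'deny', reasons). On 'step_up', challenge
    the user with an additional factor and call again with completed_mfa=True."""
    total, hits = score(ctx, hist)
    if total >= DENY_AT:
        return "deny", hits
    if total >= STEP_UP_AT and not completed_mfa:
        return "step_up", hits
    return "allow", hits

def record_outcome(ctx: LoginContext, hist: UserHistory, decision, audit_log: list) -> None:
    """Log every decision for audit and tuning; after an allowed login, remember
    the device and country so the same context scores lower next time."""
    audit_log.append({"user": ctx.user, "decision": decision[0], "reasons": decision[1]})
    if decision[0] == "allow":
        hist.known_devices.add(ctx.device_id)
        hist.usual_countries.add(ctx.country)
```

The reasons list is returned alongside the decision on purpose: it is what goes into the audit record and what an analyst needs when a threshold is tuned, and it is also what should not be shown to the end user, who only needs to see the challenge.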

Single sign-on (SSO)

What is single sign-on (SSO)?

Single sign-on (SSO) lets customers access multiple applications after authenticating once, using a centralized identity provider (IdP) or broker. It reduces repeated logins while improving customer experience. Learn more about SSO and cross-platform authentication.

Why it matters

  • Reduces password fatigue and repeat sign-ins
  • Improves customer experience across app ecosystems
  • Centralizes security controls and session handling

How it works

  • Customer authenticates with the IdP or broker
  • The IdP keeps its own session; when another connected app redirects to it, the customer is recognized and returned without re-entering credentials
  • Apps rely on tokens or assertions to trust the authentication event
  • Logout can be coordinated depending on configuration

SAML 2.0

What is SAML 2.0?

SAML 2.0 is a standard for exchanging authentication and authorization data between an identity provider and a service provider using XML-based assertions. It is often used for enterprise and legacy integrations. Learn more by setting up a SAML2 integration.

Why it matters

  • Supports legacy and enterprise ecosystems
  • Enables SSO without custom credential handling
  • Helps unify identity across heterogeneous systems

How it works

  • User authenticates with the IdP
  • IdP issues a signed SAML assertion
  • Service provider validates the assertion
  • User is granted access and a session is established

Single-instance architecture

What is single-instance architecture?

A single-instance architecture is a cloud deployment model where each customer gets a dedicated, isolated instance instead of sharing resources with many other tenants. This can reduce “noisy neighbor” risk and limit cross-tenant exposure by keeping traffic, policies, and data separated. Learn more about why enterprises choose single-instance CIAM.

Why it matters

  • Isolates customer traffic and policies from other tenants
  • Reduces performance variability from noisy neighbors
  • Can simplify meeting security, privacy, and data handling expectations

How it works

  • Provision a dedicated instance for each customer
  • Configure environments (for example, development and production) within that customer’s footprint
  • Run workloads across high-availability zones to maintain resilience
  • Apply policies, integrations, and branding within the customer’s instance
  • Monitor and operate the instance independently from other customers

W

WebAuthn

What is WebAuthn?

WebAuthn is a web standard that enables strong, phishing-resistant authentication using public key cryptography, often through passkeys or security keys. It is commonly used to support passwordless sign-in and MFA experiences. Learn more by starting with passkeys.

Why it matters

  • Enables phishing-resistant sign-in
  • Supports modern passwordless and MFA flows
  • Reduces reliance on shared secrets like passwords

How it works

  • Register a credential (passkey or security key) for a user
  • During sign-in, the browser requests a cryptographic assertion
  • The device prompts the user to approve (biometric or PIN)
  • The assertion is verified to authenticate the user
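The sign-in ceremony described under Passkeys and under WebAuthn above, from the relying party's side, as one added example that is not code from the original glossary or from any vendor. It performs the checks that give the method its phishing resistance: the challenge must be the one this server issued, the origin the browser recorded in clientDataJSON must be the site's own, the rpIdHash in authenticatorData must match the relying party ID, the user-presence and user-verification flags must be set, the signature must cover authenticatorData plus the hash of clientDataJSON, and the signature counter must increase. The public-key signature check itself is injected as a callable; the block supplies an HMAC stand-in so it runs offline, where a real relying party verifies ECDSA or EdDSA against the stored public key. The relying party ID, origin, `StoredCredential` layout and the simulated authenticator are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

RP_ID = "app.example.com"                       # constructed relying party ID
ALLOWED_ORIGINS = {"https://app.example.com"}   # origins the browser may report

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def new_challenge() -> bytes:
    """Per-ceremony random challenge; store it against the session until the assertion arrives."""
    return os.urandom(32)

@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes        # COSE-encoded EC/EdDSA key in a real store
    sign_count: int

def parse_authenticator_data(data: bytes) -> dict:
    """authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian) || ..."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    return {"rp_id_hash": data[:32], "flags": data[32],
            "sign_count": int.from_bytes(data[33:37], "big")}

def verify_assertion(cred: StoredCredential, expected_challenge: bytes, client_data_json: bytes,
                     auth_data: bytes, signature: bytes, verify_sig, require_uv: bool = True) -> bool:
    """Relying-party checks for the WebAuthn 'get' ceremony.
    verify_sig(public_key, message, signature) -> bool does the public-key check."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if cd.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {cd.get('origin')!r} not allowed: phishing site or misconfiguration")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to a different site")
    if not ad["flags"] & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not ad["flags"] & 0x04:
        raise ValueError("user verification (UV) required but not performed")
    signed_message = auth_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(cred.public_key, signed_message, signature):
        raise ValueError("bad signature")
    if ad["sign_count"] != 0 and ad["sign_count"] <= cred.sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    cred.sign_count = ad["sign_count"]
    return True

# --- Stand-ins so the example runs offline (not how a real authenticator signs) ---
def hmac_stand_in_verify(public_key: bytes, message: bytes, signature: bytes) -> bool:
    """Stand-in for ECDSA/EdDSA verification; the stored 'public key' doubles as an HMAC key here."""
    return hmac.compare_digest(hmac.new(public_key, message, hashlib.sha256).digest(), signature)

def simulate_authenticator(key: bytes, challenge: bytes, origin: str, rp_id: str,
                           sign_count: int, uv: bool = True):
    """Constructed browser + authenticator. The browser, not the page, fills in
    the origin, which is why a phishing site cannot produce an acceptable assertion."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0x01 | (0x04 if uv else 0x00)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig
```

Two of these checks are easy to drop in a hand-rolled integration and both matter: skipping the origin comparison turns the credential back into something a look-alike domain can relay, and ignoring the signature counter hides a cloned authenticator. Production code should use a maintained WebAuthn library for the CBOR and COSE parsing that this example leaves out.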