By now, most people are familiar with the idea of “as a service”. At its core, Identity as a Service (IDaaS) is an identity service that is cloud based and available to businesses via a third-party provider. It can encompass full Identity and Access Management (IAM) capabilities, or just portions, such as Multi Factor Authentication (MFA), Single Sign On (SSO), or Identity Management. IDaaS is used primarily for ensuring that a given user is who they claim to be, and allowing users access to only the actions, data, or systems they should have access to. A relatively simple concept on the surface, but increasingly complex the larger and more distributed a given network is.
Another way to think of IDaaS is the same way you’d consider other SaaS solutions. Just like you wouldn’t build your own CRM, website platform, or invoicing software if that wasn’t a core component of your business model, there’s no reason to build your own identity proofing and authentication software. Many businesses outsource their identity services so they can better focus on their own core competencies.
Core Elements of Identity as a Service
Identity as a Service should have at least two core components: the ability to prove an identity, and the ability to later verify that a user matches the originally proven identity. This means a method of enrolling into the system is needed (whether that is a biometric scanning device, admin input, or even the user’s mobile phone), as well as a method for users to verify their identity when they need access to data or systems later.
Identity Proofing: A comprehensive approach to verify the identity of an individual that utilizes a range of authentication methods to ensure that a given user is truly who they claim to be upon enrollment. This typically includes verifying government-issued documents, knowledge-based queries, and/or using biometrics to verify facial features to government IDs.
Identity Authentication: Comparing a newly presented identity against the previously enrolled and proven identity to verify that they are the same person.
The methods for proving and verifying identities vary between IDaaS providers, but typically they rely on a combination of factors that are so difficult to fake that the creation of a fraudulent identity in these systems is nearly impossible. The best IDaaS providers utilize biometrics as at least one of their authentication features, with multiple biometrics being the hallmark of best-in-class solutions.
How does IDaaS work?
Identity as a Service integrates with other systems as an additional step before access is granted, or as a replacement for the use of a password to gain access.
Traditionally, gaining access to systems either remotely or on site is done by presenting who you are (your username, ID number, or just email address) and verifying that it is you with the use of an authenticator. The simplest authenticator is a password, although those have long been known to be vulnerable to theft, hacking, and poor security practices. IDaaS allows businesses to incorporate other authenticators into their access flow, such as one-time passwords (OTP), pin numbers, out of band yes/no prompts, and a range of biometric authentication methods.
Selecting an IDaaS Provider
Not all IDaaS providers offer the same services, level of customer support, or integrations. When evaluating if an identity as a service provider is suitable for your organization, you’ll need to go into the meeting knowing:
- How many identities you need to manage? Is it just a handful of internal employees working remotely, or do you need to securely onboard new customers regularly? Is it a dozen a month, or thousands? Initial enrollment and identity proofing is often more support-intensive than regular authentications, so knowing what kind of customer support you may need is important.
- What systems will you need to have integrated into the IDaaS system, and how will that integration work? There are multiple ways for integrating, ranging from a simple OIDC connector to a custom build relying on an SDK. If you’re not sure how the software or systems you want to protect would integrate with the IDaaS, make a note and check. The provider should be able to let you know.
- What features do you need for your cybersecurity objectives? Different IDaaS providers offer a range of features, so before talking to one, spend time with your cybersecurity team. Are you aiming to go fully passwordless, or are you looking for a system to augment passwords without eliminating them fully? How much flexibility or choice do you want to offer your end users? How likely is it your end users will have access to the appropriate biometric reader, or would you prefer to use a mobile phone to capture biometrics?
User experience is another key aspect to consider when evaluating IDaaS providers. Your users, whether they’re customers or employees, should be able to trust your identity provider to securely handle their data. Look for providers that are able to explain how the data is encrypted, deleted if not in use, or otherwise protected; avoid those who gloss over storage and privacy. Be sure that any stored passwords or biometric data aren’t being stored in plain text, as in the case of the Suprema breach.
In addition to secure data handling, the actual experience of using the tool should be straightforward and easy. Look for prompts, accessibility, and whether the directions are clear and easy to follow. Your IT team will thank you not to replace password reset requests with troubleshooting an authenticator app!
Get started evaluating IDaaS providers – schedule time with the Q5id team to discuss your business needs and how we can help!