How Does Identity Management (IDM) Work?

You need to know your users to protect their data. IDM authenticates users to make sure data doesn’t find its way into the wrong hands. Here’s how.

Oct 25, 2020 - 3 min.
Sonja Spaccarotella

When you shop online, binge stream your favorite television series, or upload your vacation photos to your social media account, you are sharing very personal data with online service providers: your interests and preferences, your email address, your home address, your credit card information. Identity management (IDM) ensures this data doesn’t fall into the wrong hands.


What is identity management?

In the simplest terms, IDM is the process of verifying that you are who you say you are. When meeting someone face-to-face, it’s relatively easy to look at them (and a photo ID if necessary) and to verify who they are. Not so online. Without an identity management system providing the necessary checks and security measures, anyone could simply pretend to be you. Imagine if you could read all your email by just providing your username and no password. Chaos at best, malicious data theft at worst. That’s why verifying a user’s identity beyond a doubt is a top priority.


The Mechanics of Identity Management

There are several identity management solutions available, each with its own technologies and tools for accomplishing this. However, they all follow the same basic game plan:

  • assign a user identity: during registration, the user is assigned or chooses an identifier (a username, email address, code, etc.). All personal information provided at this point is stored in the service provider’s database under this identifier, and the user chooses a password to protect it.
  • user login: the user can now log into the service and identify himself or herself with that identifier.
  • user authentication: to protect their personal data, users must now prove that the identity is really theirs. This can be done with a password, a push notification, an SMS verification code, or an email confirmation. However, this step is becoming less secure as attackers and malicious third parties get savvier about illegally accessing systems and services.

Once all these steps have been successfully carried out, the user can be authorized to access the data and services requested.

The data and services the user can access are specified by set parameters, or grants and permissions. These are defined by the service provider and are generally assigned based on device type, location, and specific user roles: client, consumer, manager, etc. Depending on your role, you will have access to some or all information in the database. This is the IDM system architecture. And it, too, is stored in that same database where the identifier and all the data from the registration process are saved. This database can be on-premise or in the cloud.
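The four steps above (assign an identity, log in, authenticate, authorize against role-based grants) as an added, self-contained example; this is illustrative code written for this article, not a vendor's product or the author's own code. The in-memory `USER_DB` dictionary, the `ROLE_PERMISSIONS` table and the user records are constructed for the illustration; a real deployment stores them in a hardened directory or IAM service.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor for the password hash

# Constructed "database": identifier -> record (salt, password hash, role).
USER_DB = {}

# The provider's grants and permissions, keyed by user role (constructed sample).
ROLE_PERMISSIONS = {
    "consumer": {"read:own_profile"},
    "manager": {"read:own_profile", "read:all_profiles", "edit:roles"},
}


def register(identifier, password, role="consumer"):
    """Step 1: assign an identity. Only a salted PBKDF2 hash is stored, never the password."""
    if identifier in USER_DB:
        raise ValueError("identifier already taken")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USER_DB[identifier] = {"salt": salt, "hash": digest, "role": role}


def authenticate(identifier, password):
    """Steps 2 and 3: the user presents the identifier and proves it with the password.
    Returns the user's role on success and None otherwise; an unknown identifier and a
    wrong password get the same answer so the login form does not leak which it was."""
    record = USER_DB.get(identifier)
    if record is None:
        # Spend the same hashing cost so response time does not reveal unknown identifiers.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison of the two digests.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["role"]


def authorize(role, permission):
    """Step 4: the authenticated role is checked against the provider's permission model.
    A failed authentication (role None) is authorized for nothing."""
    return permission in ROLE_PERMISSIONS.get(role, set())
```

Note that identification (step 2) and authentication (step 3) are separate: knowing a valid identifier proves nothing until the password check passes, and only then does the role drive what the user may access.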


What Are the Most Common Components of IDM Solutions?

There are a number of technologies currently being used for identity management and identity access. They focus primarily on the authentication process. The most common ones are:

  • Two-factor authentication (2FA) & multi-factor authentication (MFA): when these solutions are implemented, users are prompted to provide two or multiple forms of authentication to prove their identity. These might be a password, a token, a single-use code, or biometrics. For more information on these technologies, read our article on MFA vs 2FA.
  • Single sign-on: this function allows a user to access several services or software with just one username and password. This is a user-friendly solution as users don’t have to remember multiple passwords for different services.
  • Public key certificate: these digital certificates store information about the certificate holder, the issuer, the expiration date, the authorized uses and access granted by the certificate, and the holder’s public key, which identifies the certificate holder.

The Risks, Challenges, and Benefits of IDM

Can added security actually come with risks? And what challenges should you watch out for?

MFA and 2FA, for example, might involve some authentication factors that could inadvertently exclude certain users. If you plan on implementing this security method, consider whether or not your target audience has the necessary hardware (mobile device) to provide biometric information like face scans and fingerprints.

Before opting for public key certificates, consider that purchasing and installing these certificates requires a bit more tech know-how. If this process is too challenging for your user base, it might deter them from installing this security measure. Or worse yet, it might convince them to choose another service provider.

Single sign-on is very user-friendly. However, critics argue that it lacks the same level of security as other IDM solutions because a single compromised password would provide access to multiple services and software solutions. If you want to go this route, consider how else you can authenticate a user's identity beyond a password.

Let’s finish by saying that the benefits far outweigh the risks and challenges of IDM. Protecting user and company data is critical for creating trust and establishing long-lasting consumer relationships. Still, the added safety and security benefits should be weighed against those risks and challenges when deciding how to make IDM work for you.


What is CIAM?