Introduction to Identity and Access Management (IAM) for Login 3.0
What is identity and access management (IAM)?
Identity and access management provides control over user validation and resource access. Commonly known as IAM, this technology ensures that the right people access the right digital resources at the right time and for the right reasons.
IAM basic concepts
To understand IAM, you must be familiar with some fundamental concepts:
A digital resource is any combination of applications and data in a computer system. Examples of digital resources include web applications, APIs, platforms, devices, or databases.
The core of IAM is identity. Someone wants access to your resource. It could be a customer, employee, member, participant, and so on. In IAM, a user account is a digital identity. User accounts can also represent non-humans, such as software, Internet of Things devices, or robotics.
Authentication is the verification of a digital identity. Someone (or something) authenticates to prove that they’re the user they claim to be.
Authorization is the process of determining what resources a user can access.
The difference between authentication and authorization
It’s common to confuse authentication and authorization because they seem like a single experience to users. They are two separate processes: authentication proves a user’s identity, while authorization grants or denies the user’s access to certain resources.
You can think of authentication and authorization as the security system for an office building. Users are the people who want to enter the building. Resources that people want to access are areas in the building: floors, rooms, and so on.
Authentication: When you enter the building, you must show your photo ID badge to the security guard. The guard compares the photo on the badge to your face. If they match, the guard lets you through the door to try to access different areas of the building. This is authentication: confirming user identity.
Authorization: In this scenario, imagine the elevators and doorways in the building have key sensors for access. The chip in your badge gives you access only to the first floor, which your company occupies. This is authorization: granting and denying access to different resources based on identity.
What does IAM do?
Identity and access management gives you control over user validation and resource access:
How users become a part of your system
What user information to store
How users can prove their identity
When and how often users must prove their identity
The experience of proving identity
Who can and cannot access different resources
You integrate IAM with your application, API, device, data store, or other technology. This integration can be very simple. For example, your web application might rely entirely on Login 3.0 for authentication, and have an all-or-nothing authorization policy. Once authenticated, all users can access everything in your app.
In real life, IAM is complex. Most systems require some combination of these capabilities:
Seamless signup and login experiences: Smooth login and signup experiences occur within your app, with your brand’s look and language.
Multiple sources of user identities: Users expect to log in using a variety of identity providers, such as social (Google, LinkedIn), enterprise (Microsoft Active Directory), and others.
Multi-factor authentication (MFA): MFA enhances security by requiring additional proof of identity, such as a fingerprint or a one-time password.
Step-up authentication: Access to advanced capabilities and sensitive information may require stronger proof of identity than everyday tasks and data.
Attack protection: Protecting against bots and bad actors is fundamental to cybersecurity.
Role-based access control (RBAC): Managing user access by roles simplifies the process as user numbers grow.
Fine-grained authorization (FGA): For more detailed control, you can manage access for individual users to certain resources.
Facing this level of complexity, many developers rely on an IAM platform like Login 3.0 instead of building their own solutions.
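The following added example (not Login 3.0 code) shows authentication and authorization as separate decisions, with role-based access control, one fine-grained per-user grant, and step-up authentication applied in that order. The roles, permissions, user names, and factor names are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Decision(Enum):
    UNAUTHENTICATED = "identity not proven"
    FORBIDDEN = "identity proven, access denied"
    STEP_UP_REQUIRED = "access possible after stronger proof of identity"
    ALLOW = "access granted"

# Constructed sample policy; every name below is hypothetical.
ROLE_PERMISSIONS = {                      # RBAC: permissions hang off roles
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:delete"},
}
USER_GRANTS = {("carol", "report:write", "report-42")}  # FGA: one user, one resource
SENSITIVE = {"user:delete"}               # permissions that require step-up

@dataclass
class Session:
    user_id: Optional[str] = None         # None: authentication has not succeeded
    roles: set = field(default_factory=set)
    factors: set = field(default_factory=set)  # factors verified in this session

def authorize(session: Session, permission: str, resource: str = "") -> Decision:
    # Authentication comes first: without a verified identity there is
    # nothing to evaluate a policy against.
    if session.user_id is None:
        return Decision.UNAUTHENTICATED
    # Authorization: coarse (RBAC), then fine-grained (per user, per resource).
    by_role = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in session.roles)
    by_grant = (session.user_id, permission, resource) in USER_GRANTS
    if not (by_role or by_grant):
        return Decision.FORBIDDEN
    # Step-up is checked last so that users who could never be allowed
    # are refused outright instead of being prompted for another factor.
    if permission in SENSITIVE and len(session.factors) < 2:
        return Decision.STEP_UP_REQUIRED
    return Decision.ALLOW
```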
How does IAM work?
IAM is a discipline and a framework for solving the challenge of secure access to digital resources. This section explores elements and practices in common implementations.
Identity providers
In the past, systems managed their own identity information for users. As the internet grew, identity providers became a way to simplify the user experience and reduce development effort. Login 3.0 integrates with identity providers, enabling seamless authentication and authorization for users.
Authentication factors
Authentication factors are methods for proving a user’s identity. They commonly fall into these categories:
Knowledge (something you know): PIN, password
Possession (something you have): Mobile phone, encryption key device
Inherence (something you are): Fingerprint, facial recognition
Login 3.0 supports one or multiple authentication factors to verify identity.
Authentication and authorization standards
Login 3.0 adheres to the most secure industry standards for authentication and authorization:
OAuth 2.0: A delegation protocol for accessing APIs, enabling secure third-party login.
OpenID Connect (OIDC): Adds an identity layer to OAuth 2.0 for verifying user identity.
JSON Web Tokens (JWTs): A compact format for securely transmitting data about authenticated users.
Why use Login 3.0 for IAM?
User expectations, customer requirements, and compliance standards introduce significant technical challenges. Login 3.0 simplifies identity and access management with:
Built-in support for identity providers and authentication factors
APIs for seamless integration with your software
Adherence to the most secure industry standards
For those evaluating IAM solutions, Login 3.0 provides a robust and scalable platform to meet your needs.