How to choose a CIAM platform

Product leaders, CTOs, security engineers, and identity architects at consumer apps and B2B SaaS choosing where customers sign up, sign in, and manage accounts. Especially relevant if you are facing a build-vs-buy decision or migrating off a homegrown auth system.

CIAM choice matters most when you are launching a new product, scaling past 50K MAU, adding B2B enterprise customers who demand SSO, replacing homegrown auth, or facing GDPR/CCPA/LGPD obligations. Mistakes are expensive because you cannot easily migrate users mid-flight.

Start from your customer model. B2C-only? Optimize for conversion and fraud. B2B-only? Optimize for tenant SSO and SCIM. Mixed? Validate that one platform can do both without losing on either side. Then run a 2-week DX evaluation with your real engineers, not your evaluator. Model 24-month MAU cost.

• Authentication UX

  Passwordless (magic link, OTP, passkeys), social login, biometric, and clean drop-in UI components. Friction kills conversion.

• B2B / multi-tenant

  If you sell to enterprises, you need org-scoped users, SSO/SAML per tenant, SCIM provisioning, and role hierarchies inside each org. Not all CIAM vendors do this well.

• Authorization

  Beyond login, how do you express "who can do what on which resource?" RBAC, ABAC, ReBAC, or fine-grained policies (OPA, Cedar, Cerbos, OpenFGA-style).

• Fraud and abuse

  Bot detection, credential stuffing protection, device fingerprinting, impossible travel, and account takeover signals. Especially important for fintech, marketplaces, gaming, and crypto.

• Privacy and residency

  GDPR, CCPA, LGPD, regional data residency, consent management, and the right to be forgotten. Plan for EU + US at minimum.

• Scale and pricing model

  MAU-based pricing rewards or punishes you depending on your usage curve. Free B2C users + paying B2B users on the same platform can get expensive fast.

• Developer experience

  SDKs in your stack, sane local dev story, webhooks/hooks for custom logic, and clean migration tooling for password hashes.

• Compliance and certifications

  SOC 2 Type II, ISO 27001, HIPAA, PCI when relevant, and vendor security posture you can defend to your customers.

• Defined your user model (B2C, B2B, B2B2C, mixed)
• Mapped expected MAU growth over 18 months
• Decided required auth factors (password, passkey, OTP, social)
• Decided whether you need per-tenant SSO/SCIM for enterprise customers
• Defined authorization model (RBAC vs ABAC vs ReBAC)
• Mapped fraud / ATO risk tolerance
• Confirmed data residency obligations
• Tested password / user import from incumbent
• Reviewed hosted vs embedded UI trade-offs
• Modeled MAU cost at 3x today's traffic

• Plan migration first — password hash export is the single hardest part of switching CIAM.
• Use a hosted login page or universal login before embedding components — easier to iterate.
• Stand up a real fraud profile before launching public signup.
• Wire account recovery flows and test them; account recovery is where most ATO happens.
• Audit consent and privacy flows before go-live in EU / California.

• Most CIAMs price per MAU; some price per active user, some per total user, some per token.
• B2B add-ons (SAML SSO, SCIM, audit log) are typically separate paid SKUs.
• Fraud, bot defense, and advanced MFA often cost extra.
• Build TCO over 24 months at projected scale — surprises are common at 100K+ MAU.

• Show your default sign-up and sign-in flows on mobile web — no editing.
• What is your bot/credential-stuffing posture? Native or 3rd-party?
• How do you support per-tenant SSO and SCIM at scale?
• Show me passkey enrollment end-to-end.
• What is your data residency footprint today and roadmap?
• How do you handle password hash migration from bcrypt/argon2/scrypt/PBKDF2?
• What does MAU mean precisely in your pricing — and what counts as inactive?
• Show me a real customer's audit and event stream.
• Compliance + DPA + sub-processor list?
• What happens to our data if we leave?

• Building auth in-house because it 'looks simple.'
• Choosing a B2C-only CIAM and then trying to sell to enterprises with SSO requirements.
• Ignoring fraud and bots until after launch.
• Underestimating MAU costs at scale.
• Forgetting to test account recovery and impersonation flows.
• No password migration plan when switching vendors.
• Coupling identity tightly to a single SDK with no abstraction layer.