Inside Okta Customer Identity Cloud for Consumer Apps

TL;DR: Okta has launched the Okta Customer Identity Cloud, powered by Auth0, with support for two use cases: Consumer Apps and SaaS Apps. This article explores the Consumer Apps use case and capabilities, as well as how app builders, digital leaders, and security teams can set their applications up for success with end-users, starting at the login box.

It doesn’t matter if you’re in the public sector or selling pizzas–for every organization, in every industry, digital business is just business now.

As consumers ourselves, we know the best apps are the ones that improve our daily lives, keep us safe online, and are delightful to use. We also know what a terrible login experience feels like: 83% of consumers have abandoned a cart or signup due to an arduous login process, and 48% are frustrated by filling in long login or sign-up forms.

In the identity and access management world, this is called customer identity: Learning about your customers and securely building consent-based trust by understanding who they are and how they want to engage with you.

While managing customer identity is a relatively new concept for marketers, app builders and security teams have been wrestling with complexity around identity and access for years.

What would happen if we treated identity as the “digital front door”? Could we make end-users more secure, help developers launch the next big app, or put an end to passwords?

Consumer Identity Without Compromise

Okta Customer Identity Cloud for Consumer Apps enables app builders, digital marketers, and security teams to give end-users access to everything they need online, in a convenient, and secure way. Consumer-friendly capabilities like Passwordless, Progressive Profiling, and Adaptive Multi-factor Authentication (MFA) ready to go out of the box help maximize conversion, retention, and loyalty, without adding friction or security risk. And our 100% focus on identity means we’re keeping an eye on the latest attacks and technologies for you, too.

“Flo is committed to building a better future for female health with the number one OB-GYN recommended app, a thriving community, and science-backed resources,” said Roman Bugaev, Chief Technology Officer at Flo Health. “Okta Customer Identity Cloud allows us to provide personalized insights to our users in a thoughtful and secure way, so they can take control of their health. Improving the authentication experience has also helped us reduce churn during the login process, driving our signups 12 times higher since we made the change.”

Here are a few of the ways our customers are using Consumer Apps today.

Acquire Customers With Just One Click

Asking consumers to create (yet another) password that meets certain complexity requirements results in lower customer acquisition rates, especially on input-constrained devices. Streamline registration with fewer passwords for users, and fewer password resets for your support team with Single Sign-On (SSO) and social logins, MFA, and more out of the box. Want to do away with passwords entirely? You can with multiple passwordless options, without adding security risk.

Personalize Experiences for Long-Term Loyalty

Today, digital marketing teams are effective at personalization and testing around the login box, but very few are doing this within identity. Considering that the login box is the gateway to digital experiences, this is a huge missed opportunity. Features like Universal Login make it possible to customize the login experience to your exact audience with any number of authenticators–even without your own dedicated identity team. This is a huge selling point for marketers and the developers they work with, who have a lot on their plates already.

Collect First-Party Data Without Friction

Have you ever had someone ask for too much information on a first date? Long sign-up forms are the digital equivalent. With web cookies going away, digital teams are turning to features like Progressive Profiling to collect first-party data over time, as consumers sign up and engage with their website or app. Less creepy? Yes. Even more effective for building trust and personalizing experiences? Definitely.

Protect Revenue From Bots and Brute Force

Credential stuffing accounts for 34% of overall login traffic, and outpaces normal traffic in some countries (61%) in the U.S. and verticals (more than 80% in retail), according to Okta’s 2022 State of Secure Identity Report. Distinguishing between legitimate users and would-be attackers requires finesse, and can quickly become a full-time job. Our Attack Protection capabilities like Bot Detection, Breached Password Detection, Suspicious IP Throttling, and Adaptive MFA give security teams the tools they need to fight fraud, without damaging the user experience.

What’s New for Consumer Apps?

New product innovations for Consumer Apps were announced at Oktane22. Okta expects these features to be available by the end of Q2 2023, with support for Highly Regulated Identity as an Enterprise Add-on.

  • Passkeys support: Passkeys are a replacement for passwords that make it faster and safer to sign into apps and websites on any device. The technology is phishing-resistant and uses a device — usually a fingerprint or facial recognition, or a PIN — to prove a user is who they say they are. We are making it easy for app builders to turn on passkeys with the literal flip of a switch.
  • Highly Regulated Identity: While we’re enabling app builders to offer the most exciting experiences, we also recognize some of our customers operate in highly-regulated industries like banking or utilities. Highly Regulated Identity is a new toolset that allows customers to safeguard riskier transactions with extra security and policy control. We are taking steps toward enabling customers to reach Financial Grade API (FAPI) compliance with several new product innovations, including:
    • Pushed Authorization Request (PAR): A new OAuth endpoint that avoids passing any sensitive information on the front channel (e.g. all authorization details won’t appear in the browsing bar or search history).
    • Rich Authorization Request (RAR): A framework that enables fine-grained control over authorization for any use case, including communicating fine-grained details on a transaction (e.g. payment amount) and customized consent gathering (e.g. selecting a bank account as part of the consent step).
    • Private Key JWT: An authentication method that improves security posture by signing with a private key, rather than a password or secret that can be intercepted and used by someone other than the intended recipient.
    • Strong Customer Authentication (SCA): A component of the European Union’s second Payment Services Directive (PSD2) that requires at least authenticating users with at least two factors: something they have (e.g. device or hardware key), something they know (e.g. password or PIN), and something they are (e.g. biometrics).
    • Mutual Transport Layer Security (mTLS): A type of authentication where access tokens can only be used by the application they were specifically issued for, thus, if a token is leaked, it can’t be used by the attacker. 
  • Security Center: At Okta, we have insights from billions of authentications about the threats facing consumer apps. We want to make sure your entire cross-functional team has this same visibility. Security Center is a single pane of glass that enables security professionals to monitor in real-time, detect, and respond to potential identity security events–either directly through your dashboard, or by integrating with the security stack of your choice. With comprehensive dashboards, visualizations, and controls tailored to customer identity scenarios, this is a powerful tool for keeping your customers secure, and your app operating at the highest level.

Learn more about the Okta Customer Identity Cloud and how to turn your login box into an engine for growth at

Footnote: Any unreleased products, features or functionality referenced in this blog post that are not currently available, may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature or functionality, and customers should not rely on them to make purchase decisions.