KnowMBA Advisory
Digital Transformation · Advanced · 7 min read

Digital Identity Strategy

Digital Identity Strategy is the deliberate architecture of how people (customers, employees, partners) prove who they are and what they can access across an organization's digital estate. It splits cleanly into two domains: workforce identity (employees and contractors — the realm of Okta Workforce, Microsoft Entra ID, Ping) and customer identity (CIAM — the realm of Auth0, Okta Customer Identity, Microsoft Entra External ID, ForgeRock). KnowMBA POV: identity is the load-bearing wall of digital strategy. Every other digital initiative — portal, e-signature, partner program, omnichannel, zero trust — depends on identity working well, and most digital transformation failures trace back to an identity layer that was treated as a procurement decision rather than a strategic foundation. Get identity right and most other things become possible; get it wrong and most other things become brittle.

Also known as: Customer Identity Strategy, CIAM, Workforce Identity Strategy, IAM Strategy, Identity-First Architecture

The Trap

The trap is treating identity as IT infrastructure rather than as a customer experience and security foundation. The IT-led identity decision optimizes for cost and integration ease; the strategic identity decision optimizes for adoption (workforce: low-friction SSO; customer: passwordless, social, biometric), security (MFA everywhere, risk-based authentication), and compliance (privacy law-ready data handling). The second trap: workforce and customer identity in one platform 'for simplicity.' These are different products with different threat models; combined platforms deliver a degraded experience for both. The third trap: building custom identity. Almost every custom identity stack underperforms commercial platforms on security and accumulates technical debt for a decade.

What to Do

Build digital identity strategy in three layers: (1) Separate workforce and customer identity decisions — different vendors are normal and often optimal. (2) Workforce: Okta Workforce or Microsoft Entra ID as the SSO foundation, MFA mandatory, conditional access policies tied to risk signals, federation with key partners. (3) Customer: Auth0, Okta CIAM, or Microsoft Entra External ID for B2C/B2B customer login, with passwordless and social options as defaults; single login state across web/mobile/portal; consent and privacy controls built in for GDPR/CCPA. Decisions to make explicitly: (a) how do we handle customer identity verification (KYC, ID.me-style verified identity for high-value transactions)? (b) what's our position on FIDO2/passkeys (passwordless future)? (c) how do we federate with B2B customers' identity providers? Measure on (a) successful login rate, (b) MFA coverage, (c) password reset volume (lower = better identity), (d) account takeover rate.

Formula

Identity Strategy Maturity = (% Workforce Apps on SSO × MFA Coverage × Customer Login Success Rate) ÷ (Password Resets per User per Year × Account Takeover Rate)
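The four metrics listed under "What to Do" and the maturity ratio above, computed from a constructed authentication log. This is an added example, not code from the KnowMBA page; the event shapes, the app inventory and the one-year window are assumptions.

```python
# Added example, not from the KnowMBA page: compute the four KPIs the page
# recommends and its maturity ratio from a constructed authentication log.

# Constructed sample events: (user, event, outcome). Not real data.
EVENTS = [
    ("alice", "login", "success"), ("alice", "login", "success"),
    ("bob", "login", "fail"), ("bob", "login", "success"),
    ("carol", "login", "success"), ("carol", "password_reset", "success"),
    ("dave", "login", "fail"), ("dave", "login", "fail"),
    ("dave", "password_reset", "success"), ("dave", "login", "success"),
    ("erin", "login", "success"), ("erin", "account_takeover", "confirmed"),
]
# Constructed workforce app inventory: app -> (on_sso, mfa_enforced).
APPS = {"crm": (True, True), "erp": (True, True),
        "wiki": (False, False), "hr": (True, False)}

def login_success_rate(events):
    logins = [e for e in events if e[1] == "login"]
    return sum(1 for e in logins if e[2] == "success") / len(logins)

def sso_share(apps):
    return sum(1 for on_sso, _ in apps.values() if on_sso) / len(apps)

def mfa_coverage(apps):
    return sum(1 for _, mfa in apps.values() if mfa) / len(apps)

def per_user(events, kind):
    """Events of one kind divided by distinct users in the log (log assumed to span one year)."""
    users = {e[0] for e in events}
    return sum(1 for e in events if e[1] == kind) / len(users)

def maturity(events, apps):
    """The page's ratio: (SSO share x MFA coverage x login success) / (resets per user x ATO rate).
    A zero denominator (no resets or no takeovers in the window) is reported as inf
    rather than raising, so callers can treat it as 'off the scale'."""
    num = sso_share(apps) * mfa_coverage(apps) * login_success_rate(events)
    den = per_user(events, "password_reset") * per_user(events, "account_takeover")
    return float("inf") if den == 0 else num / den

if __name__ == "__main__":
    print(f"login success {login_success_rate(EVENTS):.2%}, maturity {maturity(EVENTS, APPS):.2f}")
```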

In Practice

Okta is the dominant standalone identity platform — both Okta Workforce (enterprise SSO and MFA) and Auth0 (acquired 2021, the leading developer-focused customer identity platform) are publicly used by thousands of enterprises including Slack, JetBlue, Zoom, and FedEx. Microsoft Entra ID (formerly Azure AD) is the dominant identity platform for Microsoft-stack enterprises, with Microsoft reporting hundreds of millions of monthly active users. ID.me is the publicly known verified-identity provider used by the IRS, US Department of Veterans Affairs, and many state unemployment systems for high-assurance identity verification — a useful reference for use cases requiring strong identity proofing beyond standard authentication. The pattern across mature digital identity strategies is consistent: separate workforce and customer concerns, pick best-of-breed for each, layer in verified identity for high-stakes transactions, and treat identity as a foundational platform investment, not a departmental purchase.

Pro Tips

  • 01  Separate workforce and customer identity. They are different products with different risk models. Forcing them onto one platform is almost always a step backward for both.

  • 02  Adopt passkeys/FIDO2 as the customer login default for new flows now. Passwords are the worst part of customer login by every metric (security, abandonment, support cost). Passkeys are now broadly supported across major platforms.

  • 03  Federation > duplication. For B2B customer identity, federate with the customer's identity provider (their Okta, their Microsoft Entra, their Google) rather than asking their employees to create yet another account. Federation dramatically improves enterprise B2B adoption.

Myth vs Reality

Myth

“MFA materially hurts customer login conversion”

Reality

Risk-based MFA — only triggered on suspicious signals — has minimal conversion impact while reducing account takeover by 90%+. Always-on MFA does have a friction cost; risk-based does not. The tradeoff has been measured extensively.

Myth

“Custom identity stacks give us more flexibility”

Reality

Custom identity stacks give an illusion of flexibility while accumulating security debt. Commercial platforms (Okta, Auth0, Microsoft Entra, ForgeRock) ship security improvements continuously and have dedicated security research teams. Custom stacks rely on internal teams to track and patch — at a meaningful disadvantage.
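A minimal risk-based step-up policy of the kind the "conditional access tied to risk signals" layer and the first myth describe, with a friction metric that shows how few sessions it prompts compared with always-on MFA. Added example, not the page's or any vendor's code; the signal names, weights, thresholds and sample sessions are constructed assumptions.

```python
# Added example, not from the KnowMBA page: risk-based step-up MFA decision and
# the share of sessions it prompts, versus an always-on policy. All signals,
# weights and thresholds below are constructed assumptions, not vendor logic.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    known_device: bool       # device previously bound to this account
    new_country: bool        # country differs from the user's recent logins
    ip_risky: bool           # IP flagged by a reputation feed (assumed input)
    failed_attempts: int     # failures on this account in the last hour
    high_value_action: bool  # e.g. payout or address change in this session

def decide(s: Session) -> str:
    """Return 'allow', 'mfa' or 'block' for one login attempt."""
    score = 0
    score += 0 if s.known_device else 2
    score += 2 if s.new_country else 0
    score += 3 if s.ip_risky else 0
    score += min(s.failed_attempts, 5)       # cap so a burst cannot dominate
    if s.ip_risky and s.failed_attempts >= 5:
        return "block"                       # risky source plus guessing burst
    if s.high_value_action:
        return "mfa"                         # always step up, whatever the score
    return "mfa" if score >= 3 else "allow"

def always_on(s: Session) -> str:
    return "mfa"

def friction_rate(sessions, policy) -> float:
    """Share of sessions that receive an MFA prompt under the given policy."""
    return sum(1 for s in sessions if policy(s) == "mfa") / len(sessions)

SESSIONS = [  # constructed: five ordinary logins, three that should step up, one abusive
    Session("alice", True, False, False, 0, False),
    Session("bob", True, False, False, 1, False),
    Session("carol", True, False, False, 0, False),
    Session("dave", True, False, False, 0, False),
    Session("erin", False, False, False, 0, False),   # new device only -> score 2 -> allow
    Session("frank", True, False, False, 0, True),    # payout -> mfa regardless of score
    Session("gina", False, True, False, 0, False),    # new device + new country -> 4 -> mfa
    Session("hal", True, True, True, 0, False),       # risky IP + new country -> 5 -> mfa
    Session("ivan", False, False, True, 6, False),    # risky IP + burst -> block
]

if __name__ == "__main__":
    print(f"risk-based prompts {friction_rate(SESSIONS, decide):.0%} of sessions, "
          f"always-on prompts {friction_rate(SESSIONS, always_on):.0%}")
```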

Try it


Knowledge Check

An enterprise plans to consolidate workforce identity, customer identity, and partner identity onto a single platform 'for operational simplicity.' What is the most likely consequence?

Industry benchmarks

Is your number good?

Calibrate against real-world tiers. Use these ranges as targets โ€” not absolutes.

Workforce MFA Coverage: % of enterprise applications protected by MFA in mature workforce identity programs

Best-in-Class: > 98% of workforce apps
Strong: 90-98%
Average: 70-90%
Weak (significant breach risk): 40-70%
Critical Gap: < 40%

Source: Microsoft / Okta enterprise identity benchmarks (2023-2024)

Real-world cases

Companies that lived this.

Verified narratives with the numbers that prove (or break) the concept.


Okta + Auth0

Okta: 2009-Present; Auth0 acquired 2021

Outcome: success

Okta is the dominant standalone identity platform, with Okta Workforce serving thousands of enterprises (Slack, JetBlue, FedEx, Zoom publicly cited) for SSO and MFA across enterprise applications. The 2021 acquisition of Auth0 — the leading developer-focused customer identity platform — gave Okta a strong CIAM offering alongside its workforce platform. The combined company has positioned itself as best-of-breed in both workforce and customer identity, deliberately not forcing customers to use one platform for both.

Workforce Customer Base: Thousands of enterprises
Auth0 Position: Leading developer CIAM
Strategic Position: Best-of-breed for both workforce and customer
Notable Public Customers: Slack, JetBlue, FedEx, Zoom

Best-of-breed identity (often two vendors: one for workforce, one for customer) is the dominant pattern at scale. Okta's deliberate two-product structure validates the separation.


ID.me

2010-Present

Outcome: mixed

ID.me is a verified-identity provider used by the IRS, US Department of Veterans Affairs, multiple state unemployment systems, and many private-sector flows requiring high-assurance identity verification (military discounts, healthcare provider verification). ID.me's value is solving a problem that standard authentication cannot: proving that a person is who they claim to be at the level required for high-value or fraud-prone transactions. ID.me has had publicly debated controversies around facial recognition and access for users without smartphones, but remains the dominant verified-identity layer in the US public sector.

Use Cases: Tax, benefits, healthcare, discounts
Public Sector Customers: IRS, VA, multiple states
Verification Strength: NIST IAL2 conformant
Strategic Role: Verified identity layer above standard auth

Standard authentication answers 'is this the person who registered the account?' Verified identity answers 'is this person actually Alice Smith?' For high-value or fraud-prone transactions, verified identity is a separate layer above CIAM — not a substitute for it.


Decision scenario

The Identity Architecture Decision

You are CIO of a 25,000-employee global financial services firm with 12M retail customers. The current state: Active Directory for workforce identity (no SSO across SaaS), home-grown customer identity built in 2014, partner identity handled via emailed credentials. Annual identity-related security incidents: 14. Customer password reset cost: $3.8M/year.

Workforce SSO Coverage: ~25%
Workforce MFA Coverage: ~50%
Customer Identity Platform: Home-grown (2014)
Annual Identity Incidents: 14
Customer Password Reset Cost: $3.8M/year

01 Decision 1: Choose your identity architecture path.

Option A: Consolidate everything onto one identity platform (workforce, customer, partner) for operational simplicity and a single vendor relationship.

Year 1: workforce migration is painful but successful (SSO coverage hits 85%). Customer identity migration is delayed because the platform's CIAM features lag the home-grown system on key flows. Partner federation is functional but limited. Year 2: customer login NPS drops because the platform's customer-side UX is inferior to the home-grown system that was tuned over 10 years. The cost savings from single-vendor are real but offset by CX degradation.

Workforce SSO: 25% → 85% · Customer Login NPS: Declined · Partner Federation: Limited

Option B: Best-of-breed: Okta Workforce or Microsoft Entra ID for workforce (with mandatory MFA), Auth0 or Microsoft Entra External ID for customer (with passkey rollout), federation for partners with their own IDP.

Year 1: workforce migration lifts SSO to 90%, MFA to 95% — annual identity incidents fall from 14 to 4. Customer migration to Auth0 with passkey rollout cuts password reset cost by 65% ($2.5M annual savings). Partner federation eliminates emailed credentials entirely. Year 2: customer login conversion improves and account takeover incidents fall sharply. Three-year cumulative value: $15M+ in measurable savings, plus the strategic foundation for zero trust and CIAM-dependent product launches.

Workforce SSO: 25% → 90% · Workforce MFA: 50% → 95% · Identity Incidents: 14 → 4 · Password Reset Savings: $2.5M/year


Beyond the concept

Turn Digital Identity Strategy into a live operating decision.

Use this concept as the framing layer, then move into a diagnostic if it maps directly to a current bottleneck.
