Choosing the Right IAM Solution

Identity and Access Management (IAM) is one of the critical components of any commercial software. As the name suggests, IAM solutions cover the identity of the users, their roles, privileges, authentication, and authorization. Long story short, IAM is based on proven industry-standard protocols and is the backbone of software security.

Because access management is a complex topic, engineering teams usually start with a simplistic local authentication model. In such a case, the application itself manages users — and their passwords — and serves a login screen whenever a user needs to authenticate. This is an easy solution that, unfortunately, reaches its limits once the software matures and users expect integration with various single-sign-on providers, self-service registration, password reset, and integrations with other products. Moreover, security engineers on the customer’s side require adherence to certain policies: usage of multi-factor authentication, password complexity, and reset policies. The complexity of the once simple local IAM increases exponentially, and it makes little sense to try to implement all these features yourself using only basic libraries. The IAM landscape is vast, the protocols are complex, and it is really easy to code something just imprecise enough to open a door for an attacker.
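To make the "simplistic local authentication model" concrete, here is an added example (not code from the original post) of the minimum such a model has to get right even before SSO and MFA enter the picture: per-user salted password hashing, a constant-time comparison, and a password-complexity policy of the kind the text says customers demand. The user store, the policy thresholds, and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store standing in for the application's own
# user table: username -> (salt, derived key). Hypothetical, for the example.
USERS: dict[str, tuple[bytes, bytes]] = {}

# Example complexity policy (thresholds are assumptions): minimum length and
# at least one lower-case, upper-case, digit and symbol character.
MIN_LENGTH = 12
_CLASSES = [
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"\d"),
    re.compile(r"[^\w\s]"),
]

# PBKDF2-HMAC-SHA256 work factor; the figure is an assumption for the example.
ITERATIONS = 600_000
SALT_BYTES = 16


def password_meets_policy(password: str) -> bool:
    """Return True only if the password satisfies the complexity policy."""
    if len(password) < MIN_LENGTH:
        return False
    return all(cls.search(password) for cls in _CLASSES)


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> bool:
    """Create a user; refuse duplicates and policy-violating passwords."""
    if username in USERS or not password_meets_policy(password):
        return False
    salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    USERS[username] = (salt, _derive(password, salt))
    return True


def authenticate(username: str, password: str) -> bool:
    """Verify a login attempt without leaking whether the username exists."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response
        # time does not reveal which usernames are registered.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, expected = record
    # Constant-time comparison: never compare derived keys with ==.
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    assert register("alice", "Correct-Horse9")
    print("alice ok:", authenticate("alice", "Correct-Horse9"))
    print("alice wrong:", authenticate("alice", "Correct-Horse8"))
    print("unknown user:", authenticate("mallory", "Correct-Horse9"))
```

Even this small block already carries three easy-to-miss details (salting, constant-time comparison, equal work for unknown users), which is the point of the paragraph above: each feature layered on top, from reset flows to federation, multiplies the number of such details the team has to get exactly right.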
