CrossClassify, a provider of AI-powered online account fraud prevention, required a robust Identity and Access Management solution to integrate with its services. They needed a system capable of handling Single Sign-On (SSO), identity federation, and multi-tenancy, catering to their B2B clients' diverse authentication requirements.
ZITADEL emerged as the ideal solution for CrossClassify's IAM requirements, offering features like secure authentication, Role-Based Access Control (RBAC), SSO, identity federation, and multi-tenancy. CrossClassify evaluated other vendors, including RedHat SSO (Keycloak), but chose ZITADEL for its cloud-agnostic deployment, SaaS offering along with self-hosting capabilities, and comprehensive technical support. The flexibility to run ZITADEL on any platform and its active community were also key deciding factors.
By adopting ZITADEL, CrossClassify was able to efficiently develop their comprehensive authentication system and RBAC authorization in under 3 months. This implementation included the advantages of self-hosting and the flexibility for cross-platform scalability. Opting for ZITADEL instead of constructing a solution from the ground up, CrossClassify not only halved the development time frame—typically a 5-to-6-month endeavor—but also significantly minimized potential security risks.
For an insightful exploration into CrossClassify and their implementation of ZITADEL, we had the opportunity to speak with Amir Moghimi, the co-founder and CEO of CrossClassify. Amir provided valuable insights into how CrossClassify integrates ZITADEL to strengthen the security and efficiency of their solution.
CrossClassify: Pioneering AI-Enabled Fraud Detection
Founded in 2020 in Melbourne, and currently based in Brisbane, Australia, CrossClassify offers a B2B AI-enabled fraud prevention solution. The company currently focuses on providing cutting-edge, online account fraud prevention services that are affordable and easy to integrate into any mobile and web app. The core offering, a Software as a Service (SaaS) product, is designed to alleviate concerns around fake accounts and account takeovers. These issues, if not addressed, can lead to significant consequences for businesses, such as fines or the loss of operating licenses.
Their primary customer base includes businesses that provide an application with sign-up and sign-in features. These businesses, particularly as they scale, become increasingly vulnerable to fake account creation and account takeover attacks. Currently, CrossClassify is particularly focused on serving the fintech and healthcare sectors. These domains face stringent regulatory requirements and handle sensitive data, where breaches can lead to substantial fines and severe reputational damage.
Startups and scale-ups are their early adopters. These companies, often working with tighter budgets, find CrossClassify's cost-effectiveness appealing – CrossClassify’s solution is at a price point that is at least ten times less expensive than their nearest competitor. Additionally, these businesses are typically more agile and quicker to adopt new technologies.
One of the key advantages of their solution is its ease of integration that is comparable to analytics SaaS platforms. Amir claims that most of their clients are able to integrate the system within a single day, allowing for swift testing and the ability to go live in just two weeks. This easy integration process, combined with their competitive pricing, makes CrossClassify an attractive option for businesses looking to enhance their security against fraud while adhering to regulatory standards.
The User Journey with CrossClassify
The journey of a B2B user with CrossClassify begins with the initial step of signing up for the service.
- Once signed up, a key is generated per environment (e.g., dev/staging/prod), which serves as the unique identifier and access token for their application. It allows secure data collection between the B2B user's app and CrossClassify's services.
- The next phase involves integrating CrossClassify into the B2B user's application. This is facilitated by CrossClassify's client-side SDK, which is available for various programming languages and platforms, catering to both web and mobile applications. This allows the application to start collecting behavioral data from their application users to detect potentially fraudulent activities.
- Following the client-side integration, the user integrates CrossClassify with their application’s backend. This step is optional but is strongly recommended for implementing security measures, such as blocking access to an account when CrossClassify's AI-driven algorithms detect an unusually high risk of fraud in real-time.
- After integration, users in the B2B organization can log in and access CrossClassify's portal, where they can monitor and review flagged and blocked accounts. This feature provides valuable insights into end-user behavior and potential security threats, enabling businesses to make informed decisions about account activities.
Problem and Solution
The primary need for CrossClassify was a centralized Identity and Access Management (IAM) system capable of handling both authentication and user management effectively. This system would play a crucial role when B2B users sign up for CrossClassify, managing their credentials and access rights while ensuring compatibility with their cloud-native infrastructure.
For B2B customers integrating CrossClassify into their applications, the IAM system should facilitate authentication services. Moreover, in instances where these organizations use their own Identity Providers (IdPs), the IAM system must offer identity federation support. This feature allows them to authenticate with their pre-existing credentials across various IdPs, enhancing the user experience.
An essential requirement for the IAM solution was Single Sign-On (SSO). SSO is pivotal in ensuring a frictionless sign-in process for the B2B users across different services and applications, particularly vital in multi-application ecosystems in large organizations that demand consistent user authentication. CrossClassify wanted to offer SSO for clients who needed it via their enterprise plan. Large companies often wanted to use SSO for all of their internal systems, including CrossClassify’s fraud prevention portal.
Criteria for IAM Selection
Secure and Scalable Authentication: A fundamental requirement was robust authentication to secure user sign-up and sign-in processes. This was vital for preventing fraudulent activities and ensuring system integrity.
SSO and Identity Federation: The IAM solution had to facilitate seamless integration with various IdPs used by CrossClassify's clients. They were also looking for SSO capabilities to cater to the needs of large organizations that prefer to integrate SSO across their internal systems. This integration should extend to their fraud prevention portal, allowing seamless access.
Multi-Tenancy Support: The solution had to be capable of supporting multiple B2B clients, reflecting a multi-tenanted architecture that could handle diverse requirements.
Flexible Hosting Options: A dual hosting approach was sought – a cloud-based solution with the option for self-hosting. This flexibility was necessary to meet specific client demands, especially for direct control over data and authentication processes.
Cloud-Agnostic Deployment: CrossClassify required an IAM solution that could be deployed across various cloud platforms like GCP and AWS. This cloud-agnostic feature would ensure compatibility and flexibility across different infrastructures.
Reliable Support and SLA: The vendor needed to provide dependable commercial support, backed by service level agreements (SLAs), particularly crucial for scenarios involving self-hosting configurations.
Cost-Effective Solution: Catering to startups and scale-ups, the IAM solution had to be budget-friendly, offering valuable features at a price accessible to early-stage businesses.
Ease of Integration: The solution had to be easy to implement, with a focus on reducing the time and resources required for integration, therefore enabling smooth adaptation and operational testing.
CrossClassify discovered ZITADEL through a Google search and chose it over other options like RedHat SSO (Keycloak) because it closely matched their outlined criteria. Amir mentioned that their team managed to develop the entire authentication framework and Role-Based Access Control (RBAC) on ZITADEL in a span of less than three months. He emphasized the advantage of ZITADEL in providing future flexibility for self-hosting and cross-platform compatibility—benefits not typically offered by standard cloud IAM solutions. Amir also pointed out that creating an IAM solution from scratch would not only have required a significantly longer development time but also would have introduced greater security risks.
Central to their decision was ZITADEL’s multitenancy support, enabling the management of multiple B2B clients within a single instance, each with the capability to self-manage users and roles. This setup was vital for addressing diverse login requirements and security policies across different client organizations.
ZITADEL’s SSO and identity federation capabilities were crucial, allowing seamless access needed for user applications and for the integration with various IdPs used by CrossClassify's clients, thereby facilitating a unified authentication experience. ZITADEL’s support for RBAC aligned with their need for precise user permission management.
Its open-source nature and scalability catered to CrossClassify’s expanding client base, and the dual hosting options—cloud-based SaaS and self-hosting—offered the deployment versatility they required. The choice was further reinforced by the active development community around ZITADEL and the availability of comprehensive technical support.
Solution Architecture and Deployment
In this setup, ZITADEL acts as the central IAM system that manages both direct authentication (for users without an external IdP) and federated authentication (for users with an external IdP). At present, CrossClassify uses ZITADEL’s cloud hosting solution.
CrossClassify leverages both Google Cloud Platform (GCP) and Amazon Web Services (AWS). Their infrastructure heavily utilizes serverless technologies, including Google Cloud Functions and AWS Lambda, which allows for scaling and resource management suited to the dynamic needs of their applications. In terms of data storage, they use a NoSQL approach, using MongoDB for its advanced querying and indexing capabilities and AWS's DynamoDB for its scalability and pay-as-you-go pricing.
For their software development, Python is the programming language of choice for backend development, while the front end is built using React and TypeScript. The integration with ZITADEL is implemented through ZITADEL’s APIs.
ZITADEL and CrossClassify in Action
Organization and Project Creation: In the dynamic collaboration between ZITADEL and CrossClassify, the process begins with the creation of an organization and a specific project within ZITADEL when a B2B customer registers with CrossClassify. This setup allows each customer to have an individually tailored security environment, where they can add users, configure Role-Based Access Control (RBAC), multi-factor authentication (MFA), identity federation via external IdPs, and passkeys at an organizational level, thanks to ZITADEL's support for multi-tenancy.
API and Service User Setup in the Project: In the project setup phase, B2B client applications are required to transmit behavioral data to CrossClassify each time a user logs in or performs other relevant actions. This is achieved through API calls to CrossClassify. Within ZITADEL, these client apps are identified as service users. For secure communication, a private-public key pair is generated for each service user using the JSON Web Token (JWT) profile. This key pair enables the service user to request tokens from ZITADEL's OIDC token endpoint, which are then used to access CrossClassify's protected APIs. To facilitate this process, an API application is also set up within the same ZITADEL project. This application is specifically configured to communicate with the CrossClassify API, using the token obtained with the service user's private key for authentication. The CrossClassify API, upon receiving a request, validates the access token by consulting ZITADEL's introspection endpoint, which then determines whether to grant or deny access based on the token's validity. For additional insights on API access and token introspection in ZITADEL, explore further in this detailed post: API Access and Token Introspection - ZITADEL Blog.
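The JWT profile step above, written out as an added example (not CrossClassify's or ZITADEL's own code): the service user signs an assertion with its private key and exchanges it at ZITADEL's token endpoint. The service user ID, issuer URL and key ID passed in are assumed values; the iss/sub/aud layout and the jwt-bearer grant type follow the JWT profile as ZITADEL documents it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// b64url encodes one JWT segment: base64url without padding (RFC 7515).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion creates the signed JWT a ZITADEL service user presents under the
// JWT profile: iss and sub both carry the service user's ID, aud is the ZITADEL
// issuer URL, and the lifetime is short. keyID is the ID of the service user's key pair.
func BuildAssertion(userID, issuer, keyID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	if err != nil {
		return "", err
	}
	claims, err := json.Marshal(map[string]any{
		"iss": userID, "sub": userID, "aud": issuer,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(claims)
	// RS256 is RSASSA-PKCS1-v1_5 over the SHA-256 digest of "header.payload".
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestForm is the form body POSTed to ZITADEL's /oauth/v2/token
// endpoint to exchange the assertion for an access token.
func TokenRequestForm(assertion string) url.Values {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
		"scope":      {"openid"},
	}
}
```

To have the API's project ID appear in the access token's audience, add the scope urn:zitadel:iam:org:project:id:{projectId}:aud to the request, so the resource server can check that the token was issued for it.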
SDK Configuration: The client-side SDK is set up with specific ZITADEL OIDC client configurations. This includes essential details like the service user's private key, the token endpoint, and the API Client ID and Secret. Alternatively, an API key may be used if the JWT profile is implemented for API security. These elements, obtained during the service user and API creation phase, enable the SDK to effectively manage the login process and token handling. Additionally, the SDK facilitates interaction with CrossClassify’s fraud detection system by securely communicating with the API.
End-User Interaction: In this phase, B2B applications utilize the assigned private key to transmit end-user behavioral data to CrossClassify. ZITADEL plays a critical role in verifying the validity of this key and identifying its assigned user. This validation process is essential for ensuring that the data is securely and accurately relayed to the CrossClassify API for processing. Based on the fraud score returned, the B2B application can grant or deny access to the end user.
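The resource-server side of the flow described above, as an added example (not CrossClassify's or ZITADEL's own code): the API forwards the bearer token it received to ZITADEL's introspection endpoint, authenticating with the API application's client ID and secret, and then decides from the response. The endpoint, credentials, project ID and sample responses are constructed; the audience check assumes the token was requested with the project's audience scope so that the project ID is listed in aud.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Introspection is the subset of ZITADEL's /oauth/v2/introspect response
// (RFC 7662 fields) the API needs for its access decision.
type Introspection struct {
	Active bool     `json:"active"`
	Sub    string   `json:"sub"`
	Aud    []string `json:"aud"`
	Exp    int64    `json:"exp"`
}

// IntrospectionRequest builds the POST the API sends to ZITADEL for a bearer token
// it received, authenticating as the API application via HTTP basic auth.
func IntrospectionRequest(endpoint, clientID, clientSecret, token string) (*http.Request, error) {
	body := url.Values{"token": {token}}.Encode()
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// Decide maps the raw introspection response body to the HTTP status the API
// returns to its caller, plus the service user's ID when access is granted.
// projectID is the API's ZITADEL project (assumed to be present in aud).
func Decide(body []byte, projectID string, now time.Time) (int, string) {
	var res Introspection
	if err := json.Unmarshal(body, &res); err != nil || !res.Active {
		return http.StatusUnauthorized, "" // unparseable, revoked, unknown or expired
	}
	if res.Exp != 0 && now.Unix() >= res.Exp {
		return http.StatusUnauthorized, "" // defensive: do not trust a cached result
	}
	for _, a := range res.Aud {
		if a == projectID {
			return http.StatusOK, res.Sub // authenticated service user
		}
	}
	return http.StatusForbidden, "" // valid token, but issued for another API
}
```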
Portal Access: Within ZITADEL, users assigned to an organization gain access to the CrossClassify portal. Here, they can log in to view end-user data and execute a range of tasks tailored to their specific roles and permissions. This login functionality and access control are efficiently managed by ZITADEL.
User Experience and Challenges in Implementing ZITADEL
CrossClassify's experience with implementing ZITADEL has been largely positive. They found ZITADEL's documentation to be very helpful and sufficiently detailed, which facilitated a smoother integration process. On occasions where additional assistance was required, the technical support provided by ZITADEL proved to be highly responsive and effective, addressing their queries directly and efficiently.
One particular aspect CrossClassify wished for improvement was the customization of sign-up and login pages in ZITADEL's SaaS option. They found that more flexibility in this area would enhance their user experience and better align with their branding needs. Recognizing this need, ZITADEL plans to introduce functionality for full customization of the sign-up and login pages within this year, aiming to provide users with more control and alignment with their unique branding and user experience requirements.
Despite this challenge, what CrossClassify appreciates the most about ZITADEL is its cloud-native and modern design.
Currently, CrossClassify primarily utilizes the cloud-based SaaS hosting of ZITADEL. However, they have a strategic plan to expand their hosting options by deploying a self-hosted version of ZITADEL, specifically tailored for certain clients in the future. This move is aimed at providing more customized and controlled hosting solutions to meet the diverse needs of their clientele.
Regarding their service reach, CrossClassify is predominantly active in Australia and Europe at present. Nonetheless, they are not restricting their services geographically and are open to expanding their service offerings to other regions, aligning with their growth strategy and client demand.
“We needed an SSO solution that can be deployed independently of the cloud provider and self-hosted if required by our clients. ZITADEL is a great choice because it is designed to be deployed as containers, which makes it straightforward to run on any platform and provides commercial SLA with technical support for self-hosting.”