Built with ZITADEL: A Partnership in Fintech Security with Kaspar&

Key Outcomes

  • Kaspar&, a Swiss fintech company, uses ZITADEL Cloud for centralized user and access management, serving both external customers and internal users.
  • By leveraging ZITADEL, Kaspar& has enhanced both the user experience and the security of B2C customers using their mobile app: user registration and management are now streamlined, while high security standards are maintained through features such as passwordless authentication and multi-factor authentication offered by ZITADEL. This has significantly reduced the time spent on these tasks compared to their earlier in-house solution.
  • ZITADEL will play a crucial role in the growth of Kaspar&'s core offering as the company expands its fintech services to a broader clientele in Switzerland. By integrating additional two-factor authentication methods, Kaspar& can offer its customers a higher level of security. Furthermore, ZITADEL's built-in organization model and federated authentication capabilities will enable Kaspar& to manage their B2B user base efficiently.

Introduction

Kaspar& is a fintech in Switzerland, co-founded by CTO Sebastian Büchler, that offers a user-friendly, mobile app-based wealth management service. We spoke with Sebastian to gain insight into the problems they encountered and the reasons behind choosing ZITADEL as their identity and access management solution. Kaspar& provides users with a convenient and affordable way to invest and manage their finances using their smartphones. Users can set various investment goals, choose from different investment strategies, and track their portfolio performance. Kaspar&'s customers are retail customers, primarily from traditional banks, who want to invest money. Kaspar& operates on a cost-effective, technology-driven business model. By leveraging digital platforms and forgoing the need for physical branches and expensive financial advisors, the company can provide professional wealth management services at a fraction of the cost charged by traditional financial institutions. Kaspar& also offers a debit card for online and offline purchases, which enables automatic investment of the spare change from those transactions.

Kaspar& generates revenue by charging a fee for its wealth management services. This fee is typically lower than those charged by traditional banks and investment advisors. As a spin-off from the University of St.Gallen (HSG) and ETH Zurich, Kaspar& bases its investment decisions on the latest financial market theories and practical concepts, ensuring that users benefit from a professional, research-driven approach to wealth management. Moreover, Kaspar& is regulated by the Swiss Financial Market Supervisory Authority FINMA and partners with Hypothekarbank Lenzburg, ensuring that users' investments are held securely in a Swiss bank. To get started with Kaspar&, users have to:

  • Download the Kaspar& app from the App Store or Play Store.
  • Sign up by providing personal information, answering financial questions, and completing the KYC (Know Your Customer) process, which includes an automated video identification process. Kaspar&'s services are restricted to Switzerland; customers must have a Swiss domicile address to register.
  • Make an initial deposit from a Swiss bank account.
  • Set investment goals, such as retirement or education funding.
  • Choose an investment strategy (Comfortable, Normal, or Sporty).
  • Start investing with as little as one franc.
  • Monitor and manage investments, adjust strategy, and change thematic focus within the app.

Problem

Kaspar& faced several pain points related to authentication and user management. As Sebastian explained, the company had used an in-house solution based on JSON Web Tokens (JWTs) for customer authentication. Although the basic login functionality was relatively simple to implement, other aspects, such as the sign-up process, password reset, two-factor authentication, and security-related concerns, proved more challenging.

With the rapid growth and expansion of their customer base, Kaspar& needed a robust and scalable identity and access management (IAM) solution to manage user authentication, both for the customer-facing mobile app and for accessing internal applications.

Moreover, Kaspar& wanted a managed solution that was cost-effective, compatible with their Business-to-Customer (B2C) model, and provided data residency in Switzerland to ensure regulatory compliance and maintain customer trust. Sebastian explained that they found the per-user pricing of most of the major market players to be too expensive for their customer base.

Solution

Addressing Customer Identity and Access Management Needs

Based on the recommendation of a mentoring agency, the Kaspar& team was introduced to ZITADEL, which they found to be a better fit for their needs compared to other major vendors. Kaspar& found ZITADEL's user registration and management process much easier to handle, and they value the security aspects provided by the platform.

Kaspar&'s native mobile app for customers applies the OpenID Connect (OIDC) Authorization Code flow with Proof Key for Code Exchange (PKCE) to securely authenticate users and provide access to its wealth management services. The app initiates the authorization request by opening the system browser with a URL pointing to ZITADEL's authorization endpoint, including parameters such as the client ID, redirect URI, and code challenge. Users then authenticate within the system browser using their credentials (the user ID is the phone number), followed by multi-factor authentication for added security. Upon successful authentication, ZITADEL returns an authorization code to the app via a custom URL scheme or via universal links (iOS) and app links (Android). The app exchanges the authorization code, along with the code verifier, for an ID token and an access token by making a request to ZITADEL's token endpoint. The ID token contains user information, while the access token enables the app to access protected resources, such as APIs. With a valid access token, the authenticated user can set up investment goals, choose investment strategies, and track their portfolio performance within the Kaspar& mobile app.
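The flow described above, as an added worked example rather than code from Kaspar& or ZITADEL: it generates the PKCE code verifier and S256 challenge (RFC 7636), builds the authorization URL the system browser is opened with, parses the redirect back into the app (checking `state`), and exchanges the code plus verifier for tokens. The authorization server side is a small simulation standing in for ZITADEL's endpoints, included only to show which checks PKCE relies on (challenge must match the verifier, the code is single-use, the redirect URI must match). The issuer, client ID, redirect scheme and endpoint paths are placeholders, not Kaspar&'s real configuration.

```python
"""Authorization Code flow with PKCE as a native app would run it against ZITADEL.
Added example; ISSUER, CLIENT_ID, REDIRECT_URI and the endpoint paths are
placeholders/assumptions, and SimulatedAuthorizationServer is NOT ZITADEL code."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://example-instance.zitadel.cloud"  # placeholder issuer
CLIENT_ID = "placeholder-client-id"                # placeholder
REDIRECT_URI = "com.example.app://callback"        # custom scheme, placeholder
AUTHORIZE_PATH = "/oauth/v2/authorize"             # assumed path
SCOPES = "openid profile email"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars).
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(challenge: str, state: str, nonce: str) -> str:
    """URL the app opens in the system browser (not a web view)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,                       # binds the callback to this request
        "nonce": nonce,                       # echoed in the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the custom-scheme redirect; reject a foreign state."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback does not belong to this request")
    return q["code"][0]


class SimulatedAuthorizationServer:
    """Stand-in for the authorize/token endpoints, just enough to show what PKCE checks."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, redirect_uri)

    def authorize(self, auth_url: str) -> str:
        """User signs in (phone number + MFA in the real flow); a one-time code is issued
        bound to the code_challenge and redirect_uri, then sent to the app via redirect."""
        q = parse_qs(urlparse(auth_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("public clients must use PKCE with S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, verifier: str, redirect_uri: str) -> dict:
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        challenge, bound_uri = entry
        if bound_uri != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        if not hmac.compare_digest(make_challenge(verifier), challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        # Placeholder tokens; a real server returns signed JWTs / opaque tokens.
        return {"id_token": "<placeholder-id-token>", "access_token": "<placeholder>",
                "token_type": "Bearer"}


def run_flow(server: SimulatedAuthorizationServer) -> dict:
    """End-to-end: verifier -> authorize URL -> callback -> token exchange."""
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    auth_url = build_authorization_url(make_challenge(verifier), state, nonce)
    callback = server.authorize(auth_url)       # system browser -> custom-scheme redirect
    code = parse_callback(callback, state)
    return server.token(code, verifier, REDIRECT_URI)


if __name__ == "__main__":
    print(run_flow(SimulatedAuthorizationServer()))
```

The verifier never leaves the app until the token request, so an attacker who intercepts the redirect (a risk with custom URL schemes, which any app can register) obtains only the code and cannot redeem it; this is why PKCE is paired with a system browser rather than an embedded web view.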

Figure 1: OIDC Flow with Authorization Code Grant and PKCE for Kaspar& Mobile App

Addressing Internal Access Management Needs

ZITADEL is also used internally throughout Kaspar&, mainly for single sign-on into internal applications. They use features such as passkeys, which eliminate the need for users to remember and enter passwords. By leveraging passkeys for passwordless authentication, Kaspar& can improve security and provide a more seamless login experience for their internal users, as the passkey can be securely delivered and used only once, reducing the risk of unauthorized access. Kaspar& currently utilizes ZITADEL's managed cloud solution for their infrastructure, dividing their setup into three environments: production, development, and internal. They separated their cloud instance into projects that map to these environments, with the customer-facing sites in the production and dev environments and internal tools such as Grafana and the Admin Dashboard in the internal environment.

Cost-effective Pricing Model

Another reason for Kaspar& to choose ZITADEL as their IAM solution was its competitive pricing and compatibility with their B2C model. When they initially compared ZITADEL to other major market players, they found the per-user pricing of these alternatives to be too expensive for their customer base. ZITADEL's approach to pricing and its technical capabilities aligned well with Kaspar&'s goal of reaching a mass clientele: ZITADEL's pricing is based not on a pay-per-user model but on the number of requests made. This allows ZITADEL to offer a cost-effective and scalable solution for businesses of all sizes.

Learning Curve and Product Support

Sebastian explained that they started using ZITADEL at its inception and that the ZITADEL team provided extensive support, helping Kaspar& successfully set up their identity infrastructure. He also mentioned that the availability of libraries and support materials has improved over time, making the integration process even smoother.

Getting accustomed to ZITADEL for Kaspar& was challenging at first because of the numerous features and possibilities it offered. However, once they had gained a better understanding of the platform, they found it to be a powerful tool for creating enterprise-grade solutions with just a few clicks.

With the release of ZITADEL 2.0, the Kaspar& team found the UX to be much more intuitive and significantly improved, making it easier to set up and configure the platform. They found the developer tutorials helpful for setting up authentication clients in NextJS and TypeScript.

Their overall experience with ZITADEL has been positive, receiving good feedback for the new technology from their users. They appreciate the regular feature updates and ZITADEL's responsiveness to suggestions.

Future Plans

Expanding Authentication Options with Hardware/Device Tokens

Kaspar& has several upcoming plans to leverage ZITADEL's capabilities to enhance their offerings and provide a seamless experience for their customers. They plan to introduce hardware/device tokens as an optional opt-in feature and explore other two-factor authentication methods, such as FIDO-enabled credit cards and Swiss Pass cards.

B2B User Management and Access Delegation for Kaspar& Fintech Services

In addition, as the company also began exploring Business-to-Business (B2B) solutions, they found ZITADEL's multi-tenancy features to be an added advantage. Kaspar& aims to expand their B2B offerings with ZITADEL, using ZITADEL’s built-in organization model to structure their user base and grant access to necessary projects. Their typical B2B customers are banks, and they plan to create a dedicated organization for each bank to manage their users. Here's how it could work:

  1. Kaspar& sets up a project in ZITADEL with specific roles tailored to the access levels required for their fintech services.
  2. They then delegate access to their fintech services to their B2B customers, such as banks, allowing these organizations to manage their own users and assign roles to them.
  3. Each bank (B2B customer) can now self-assign access to their users and manage user authorizations for the Kaspar& fintech services, without Kaspar& having to build a multi-tenant user management system.
  4. Users from the banks can self-register for Kaspar&'s services and manage their own profile information and authentication methods, providing a seamless user experience.

This approach reduces the burden on Kaspar& to develop a multi-tenant user management system, and enhances the overall experience for their customers.

Figure 2: B2B User Management for Kaspar& with ZITADEL

Federated Authentication for Seamless Bank Login Integration with Kaspar& Services

One standout feature they hope to deploy is reusing existing clients' logins from the banks to provide a smooth experience for clients through federated authentication. To achieve this, Kaspar& would need to configure a trusted Identity Provider (IdP) for each bank within the ZITADEL platform. These IdPs could be the bank's own identity management systems or popular third-party IdPs such as Google or Microsoft, depending on the bank's preference.

Once the trusted IdP is set up for a bank, users from that bank can use their existing login credentials to access Kaspar&'s services. When they log in, the user's credentials are verified by the bank's IdP, and an authentication token is issued. This token is then used by Kaspar& to grant access to the user, based on their assigned roles and permissions.

This approach not only simplifies the login process for users but also enhances security, as the bank retains control over the user's credentials, and Kaspar& does not store any sensitive information. Full integration with B2B partners will likely be completed by the end of the year, allowing bank customers to experience the new setup from start to end.
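The delegation steps above and the token-based access grant just described both come down to the same check on Kaspar&'s side: a role in the token is only meaningful together with the organization (bank) that granted it. The following is an added example, not Kaspar& or ZITADEL code, of how an API could evaluate such org-scoped roles. It assumes the token has already been verified (signature, issuer, audience, expiry) or introspected, and that roles arrive in ZITADEL's project roles claim, `urn:zitadel:iam:org:project:roles`, shaped as role name to a map of org ID to org domain; the bank org IDs, role names and routes are constructed.

```python
"""Org-scoped authorization over ZITADEL's project roles claim.
Added example; claim shape is an assumption based on ZITADEL's documented
format, and all IDs, roles and routes are constructed sample values."""

ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"  # assumed claim name

# Constructed claims as they might look after token verification/introspection.
# Each role maps to the organizations that granted it, so "portfolio.trade"
# here is valid only within Bank A's organization, not for any other bank.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "aud": ["constructed-project-id"],
    ROLES_CLAIM: {
        "portfolio.read": {"org-bank-a": "bank-a.example"},
        "portfolio.trade": {"org-bank-a": "bank-a.example"},
    },
}

# Constructed route policy: which role each API operation requires.
ROUTE_POLICY = {
    ("GET", "/portfolio"): "portfolio.read",
    ("POST", "/orders"): "portfolio.trade",
    ("POST", "/strategy"): "portfolio.trade",
}


def roles_for_org(claims: dict, org_id: str) -> set[str]:
    """Roles the token carries for exactly this organization."""
    roles = claims.get(ROLES_CLAIM)
    if not isinstance(roles, dict):
        return set()  # claim missing (role assertion off) or malformed -> no roles
    return {role for role, orgs in roles.items() if isinstance(orgs, dict) and org_id in orgs}


def is_allowed(claims: dict, org_id: str, required_role: str) -> bool:
    return required_role in roles_for_org(claims, org_id)


def authorize_request(claims: dict, method: str, path: str, org_id: str) -> tuple[int, str]:
    """Return an HTTP-style (status, reason) for a request made in the context of org_id."""
    required = ROUTE_POLICY.get((method, path))
    if required is None:
        return 404, "unknown route"          # deny by default: no policy, no access
    if not is_allowed(claims, org_id, required):
        return 403, f"missing role {required!r} for org {org_id!r}"
    return 200, "ok"


if __name__ == "__main__":
    for org in ("org-bank-a", "org-bank-b"):
        print(org, authorize_request(SAMPLE_CLAIMS, "POST", "/orders", org))
```

The organization comes from the request context (for example the tenant the user selected or the org associated with the bank's federated IdP), never from a client-supplied field that the token does not vouch for; a role granted by Bank A must not authorize operations on Bank B's tenant.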

Testimonials


“ZITADEL has made a significant difference for our startup, offering a cost-effective solution that aligns with our business model. The ZITADEL development team is highly responsive, regularly adding new features that make our lives easier. As we expand into the B2B market, ZITADEL's multi-tenancy features have proven to be an excellent choice for our needs. Their customer-centric approach and technical expertise set them apart from other big players in the market.” - Sebastian Büchler, CTO & Co-Founder of Kaspar&
