
Keep Calm and Log In: How Identity Security Can Work Smoothly in a B2B2X Ecosystem

Identity security goes far beyond your own employees. But is your organization already set up in a modern and secure way for a B2B2X environment?

The difference is night and day. Workforce Identity and Access Management (IAM) is already fairly mature in most companies—of course, there is always room for improvement when it comes to security. Processes are often centralized, user journeys are clearly defined, and even when friction occurs, resilience tends to be high. All in all, employee identities are relatively well protected. When it comes to external identities, however, things still look very different.

Before you read on: we also covered this topic in a webinar together with our partner Descope. So if you would rather listen than read, you can access the webinar recording here: “Managing B2B2X Identities Successfully – Best Practices for Security and User Experience” (available in German only).

Identity Security Beyond Company Boundaries

The reason is simple. As soon as suppliers, service providers, partners, or other external parties enter the picture, complexity rises rapidly. Each of them brings different requirements: one may want more self-service options, while another may prioritize a seamless user experience for their end customers.

Managing external identities therefore requires far more flexibility, dynamic administration, and a consistent focus on usability than traditional workforce IAM solutions can offer. The key takeaway upfront is this: companies can no longer treat B2B2X identity security as a side issue. It needs to be approached as a foundational element of modern security strategies.

Legacy vs. Modern: Where Does Your B2B2X Identity Security Stand?

What probably matters most to you is this: where does your company stand today? We have put together a few questions. If you answer yes to most of them, it is time to move toward more modern security solutions for external identities. Why? Because right now, you are only covering the core requirements of security and user experience moderately well. Your processes and technology likely show signs of age—with security gaps and frustrated users included.

  • Do you still rely primarily on passwords and security questions for login?
  • Do you often hear requests such as “Can you disable user X?” or “Can you reset my multi-factor authentication?”
  • Are you dealing with fragmented identities and multiple accounts?
  • Do your systems trigger MFA fatigue with every external login?
  • Is your IT team under heavy pressure from identity security-related support tickets?
  • Are you relying mainly on role-based access controls?
  • Are you struggling to scale your solutions?

Modern approaches are far better suited to meeting both security requirements and stakeholder expectations around user experience. And they are at their most effective when combined in a single solution.

Passwordless Authentication: Where Convenience Meets Security

Passwords are a relic of a bygone IT era—impractical, insecure, and no longer capable of meeting the demands of modern access. Passwordless authentication takes the next step by replacing traditional login methods with modern, secure alternatives such as passkeys, biometrics, or magic links.

The result: less attack surface, less IT overhead, and greater satisfaction for everyone involved. Instead of password resets and endless MFA prompts, passwordless login delivers noticeable relief—for both end users and administrators. Companies that switch to these methods report significantly fewer IT tickets and much higher login acceptance. It is a clear sign that security and user experience do not have to be at odds.

From one passkey project, our partner Descope shared some impressive hard numbers:

  • 25% passkey adoption rate after just a few weeks
  • 5% login failure rate—significantly lower than on password-based sites
  • 50% reduction in authentication-related support tickets

Risk-Based MFA: Security Where It Is Needed

Passwordless authentication modernizes the how of login. But what about the when and the how often? Multi-factor authentication is something we all know well, largely because it appears almost everywhere. But these constant interruptions are not just annoying—they also reduce users’ willingness to accept security measures.

That is why modern identity solutions rely on risk-based multi-factor authentication (MFA).

Login attempts are no longer treated uniformly, but evaluated based on their risk level. In real time, the method analyzes a wide range of signals—such as device type, location, network connection, or login behavior—and calculates a dynamic risk score.

Based on the result, the system responds adaptively:

  • Low risk: login proceeds without additional friction
  • Medium risk: an extra factor is requested
  • High risk: access is blocked entirely
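The three-tier response above, worked through as an added example (this is not code from the article or from Descope): each login attempt is compared with what is known about the user, the signals that fire are summed into a score, and the score selects allow, step-up or block. The signal names, weights, thresholds, and the sample user profile and login attempts are all constructed assumptions chosen to illustrate the mechanism, not values from any product.

```python
"""Risk-based MFA decision: score a login attempt from context signals and
map the score to an adaptive response (allow / step_up / block).
Added illustration; weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field

# Points each signal contributes to the risk score (illustrative assumptions).
SIGNAL_WEIGHTS = {
    "unknown_device": 30,          # device never seen for this user
    "new_country": 25,             # country outside the user's usual set
    "anonymizing_network": 35,     # request came via an anonymizing network
    "impossible_travel": 40,       # too far from the last login to be plausible
    "unusual_hour": 10,            # outside the user's normal working hours
    "recent_failures": 20,         # failed attempts shortly before this one
}

# Score thresholds for the three tiers (assumptions).
STEP_UP_THRESHOLD = 30   # >= this: request an additional factor
BLOCK_THRESHOLD = 70     # >= this: deny the attempt outright


@dataclass
class LoginContext:
    """Signals observed for one login attempt."""
    user: str
    device_id: str
    country: str
    hour_utc: int
    network_is_anonymizing: bool = False
    impossible_travel: bool = False
    recent_failures: int = 0


@dataclass
class UserProfile:
    """What the system has learned about the user's normal behaviour."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 22)


def risk_signals(ctx: LoginContext, profile: UserProfile) -> set:
    """Return the names of the risk signals that fire for this attempt."""
    fired = set()
    if ctx.device_id not in profile.known_devices:
        fired.add("unknown_device")
    if ctx.country not in profile.usual_countries:
        fired.add("new_country")
    if ctx.network_is_anonymizing:
        fired.add("anonymizing_network")
    if ctx.impossible_travel:
        fired.add("impossible_travel")
    if ctx.hour_utc not in profile.usual_hours:
        fired.add("unusual_hour")
    if ctx.recent_failures > 0:
        fired.add("recent_failures")
    return fired


def risk_score(signals: set) -> int:
    """Sum the weights of the fired signals, capped at 100."""
    return min(100, sum(SIGNAL_WEIGHTS[s] for s in signals))


def decide(score: int) -> str:
    """Map a risk score to the adaptive response tier."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate_login(ctx: LoginContext, profile: UserProfile):
    """Full evaluation: (decision, score, sorted list of fired signals)."""
    signals = risk_signals(ctx, profile)
    score = risk_score(signals)
    return decide(score), score, sorted(signals)


# Constructed sample data: a partner user who normally works from Germany
# on one known device during business hours.
PROFILE = UserProfile(known_devices={"dev-a1"}, usual_countries={"DE"})
TRUSTED = LoginContext("alice@partner.example", "dev-a1", "DE", hour_utc=10)
NEW_DEVICE = LoginContext("alice@partner.example", "dev-z9", "DE", hour_utc=10)
SUSPICIOUS = LoginContext("alice@partner.example", "dev-z9", "BR", hour_utc=3,
                          network_is_anonymizing=True, impossible_travel=True)

if __name__ == "__main__":
    for attempt in (TRUSTED, NEW_DEVICE, SUSPICIOUS):
        decision, score, signals = evaluate_login(attempt, PROFILE)
        print(f"{attempt.device_id}/{attempt.country}: {decision} (score {score}, signals {signals})")
```

The important design point is that the low-risk path adds no friction at all: the known device from the usual country at a normal hour fires nothing and is allowed straight through, which is exactly where blanket MFA prompts cause the fatigue described above. A single new signal lands in the step-up tier, and only an accumulation of strong signals reaches the block tier.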

Fine-Grained Authorization: Precise Control Instead of Blanket Rules

Once a user has successfully logged in, the next crucial question is: What is this person—or machine—actually allowed to do in the system?

To be honest, we used to approach this issue in a very coarse-grained way ourselves—with simple yes/no decisions. Yes, this identity may access the application. No, this identity may not enter the portal.

That made Descope especially impressive to us, because it brought a strong solution for fine-grained decisions to the market. In B2B2X environments in particular, traditional role-based access models (RBAC) quickly reach their limits: a rigid role model simply cannot reflect the complexity of who may do what on which resource across many organizations.

Fine-Grained Authorization (FGA) extends access control by adding a more granular, context-aware layer. Instead of broadly defining whether a user can “read” or “write,” FGA takes additional attributes and relationships into account: Who is accessing which resource? In what context? With what level of permission?
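To make the "who, which resource, in what context" questions concrete, here is an added example of a small relationship-based authorization checker (this is illustration code, not Descope's implementation or API). It stores relationship tuples of the form (object, relation, subject), where a subject is either a user or a set such as "everyone who is a member of organization X", and answers "may this user have this relation on this object?" by following direct tuples, implied relations (an owner is also a viewer), and inheritance through a parent object (members of the owning organization can view its reports). The object types, relation names, schema and sample tuples are all constructed for this example.

```python
"""Relationship-based authorization (FGA-style) check over a tuple store.
Added illustration; schema, object types and sample tuples are assumptions."""
from collections import defaultdict

# Schema (assumption): relation -> relations that imply it, per object type.
# Holding "admin" on an organization implies "member"; "owner" of a report
# implies "viewer".
IMPLIED = {
    ("organization", "member"): ("admin",),
    ("report", "viewer"): ("owner",),
}

# Inheritance (assumption): a relation on an object may be granted through a
# relation on a linked parent object. Here, "viewer" on a report is granted
# to anyone who is "member" of the object found via the report's "parent".
INHERIT = {
    ("report", "viewer"): (("parent", "member"),),
}

MAX_DEPTH = 8  # guard against cyclic relationship graphs


class RelationStore:
    """In-memory tuple store with a recursive permission check."""

    def __init__(self, tuples=()):
        self._subjects = defaultdict(set)   # (object, relation) -> subjects
        for obj, relation, subject in tuples:
            self.add(obj, relation, subject)

    def add(self, obj: str, relation: str, subject: str) -> None:
        """Record that `subject` has `relation` on `obj`.
        subject is "user:<id>" or a userset "<type>:<id>#<relation>"."""
        self._subjects[(obj, relation)].add(subject)

    def check(self, user: str, relation: str, obj: str, _depth: int = 0) -> bool:
        """Return True if `user` holds `relation` on `obj`, directly or indirectly."""
        if _depth > MAX_DEPTH:
            return False
        subjects = self._subjects.get((obj, relation), set())
        # 1. Direct tuple.
        if user in subjects:
            return True
        # 2. Userset subjects: "organization:acme#member" grants to every member.
        for subject in subjects:
            if "#" in subject:
                set_obj, set_rel = subject.split("#", 1)
                if self.check(user, set_rel, set_obj, _depth + 1):
                    return True
        obj_type = obj.split(":", 1)[0]
        # 3. Implied relations on the same object (owner -> viewer).
        for stronger in IMPLIED.get((obj_type, relation), ()):
            if self.check(user, stronger, obj, _depth + 1):
                return True
        # 4. Inheritance through a parent object (org member -> report viewer).
        for link_rel, parent_rel in INHERIT.get((obj_type, relation), ()):
            for parent in self._subjects.get((obj, link_rel), set()):
                if self.check(user, parent_rel, parent, _depth + 1):
                    return True
        return False


# Constructed sample: one customer organization, one partner organization,
# a report owned by the customer org and a draft shared with the partner.
SAMPLE = RelationStore([
    ("organization:acme", "admin", "user:alice"),
    ("organization:acme", "member", "user:bob"),
    ("organization:partnerco", "member", "user:dave"),
    ("report:q3", "owner", "user:carol"),             # external consultant
    ("report:q3", "parent", "organization:acme"),     # report belongs to acme
    ("report:draft", "viewer", "organization:partnerco#member"),
])

if __name__ == "__main__":
    for user, rel, obj in [("user:alice", "viewer", "report:q3"),
                           ("user:dave", "viewer", "report:q3"),
                           ("user:dave", "viewer", "report:draft"),
                           ("user:bob", "owner", "report:q3")]:
        print(f"{user} {rel} {obj}: {SAMPLE.check(user, rel, obj)}")
```

Compare this with a role check: "alice is an admin" says nothing about report:q3 on its own. The answer comes from the chain admin → member of acme → acme is the parent of q3 → viewer, and the same store answers a different question for the partner user, who can read the shared draft but not the customer's quarterly report. Revoking a single tuple (for example carol's ownership) takes effect on the next check without touching any role definition.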

A Practical Example

A leading company in the data analytics and AI space manages thousands of customer and partner accounts worldwide across platforms such as Microsoft Azure, Google Cloud, and AWS. But the large number of identity providers and user directories had created isolated data silos—even for a digitally advanced organization, this had become a noticeable obstacle.

The way out was a federated architecture that acts as the central identity source for all applications and databases. Users now log in using only their email address, while an intelligent system automatically determines the correct identity provider in the background. Multiple IDs and passwords are now a thing of the past.

Getting There Faster with an All-in-One Solution

In many organizations, security causes frustration. Too often, companies manage to satisfy only one side of the equation: either security or user experience. But in the context of B2B2X identity security, that trade-off does not have to exist. Descope, for example, offers a drag-and-drop platform that makes it easy to manage external identities—while relying on state-of-the-art security standards such as passwordless authentication, risk-based MFA, and FGA. Ready for the next era of identity security for your external identities?

Want to learn more about FGA, passkeys, and CIAM in a B2B2X context?

The full webinar is now available on demand in German.