I am CIAM not IAM
Imagine shopping at your favourite wine merchant or checking in at the hotel brand you are most loyal to, and at the point where you identify yourself (to prove your age, or simply that you are who you say you are) security is called over and you are frisked. Not a great experience. Would you patronise the establishment again?
Or maybe you're not quite frisked, but you're told your identity isn't valid. (I certainly recall being 'carded' in some parts of the world and told that my UK/EU driving licence wasn't accepted and only my passport would suffice.) Or, finally (my pet peeve!), having to sort through a random selection of traffic photos and point out the ones containing road signs (okay, that hasn't happened in real life). In any case, very frustrating experiences.
While these examples are somewhat tongue-in-cheek, I think they help highlight the suboptimal hoops we make customers jump through in a digital setting.
As many of you can relate, more and more businesses are accelerating their shift to digital in order to serve customers. COVID-19 has accelerated consumer adoption of digital services and, with more of our lives shifting online, a negative user experience now translates directly into lost business.
As businesses make the shift, balancing user experience and security will always be a challenge. One option is to take a leaf out of the workforce identity playbook and give customers the same 'always on' security experience an employee gets, for example when opening a protected document at work.
But a customer is not an employee: it's a very different paradigm, and context becomes key. Different access requirements map to different risk appetites, and the way to balance experience and risk is to make step-up and step-down decisions from as many contextual signals as possible, as transparently to the user as possible.
Beyond step-up, the industry faces a structural problem. Dictionaries of breached credentials have eroded the value of the password (the most widely adopted knowledge factor): because consumers reuse or merely increment passwords across sites, attackers replay harvested credentials through credential stuffing, automated attacks that attempt to log in to sites and applications with stolen username/password pairs.
Again, a very coarse-grained response to credential stuffing would be 'always on' multi-factor authentication (MFA). Now, in general, that could be a good thing, right? Well, like many things, it depends. For instance, in an employee/employer situation it's very likely that my employer has my mobile phone number, and also very likely that, if I bring my own device, I'd install an authenticator application (or carry a hardware key). I'm sure everyone reading this blog would find that expectation reasonable and, in fact, welcome.
Now, in the context of buying wine online or making a hotel reservation, it's unlikely that the merchant has my phone number and very unlikely that I'd download a proprietary application to complete the transaction and prove I'm not an automated bad actor.
Many businesses, especially financial services, retailers, and hospitality firms, use bot management solutions to stop credential stuffing (automated attempts to verify stolen credentials). Firms may also determine whether a human is using stolen credentials to try to take over an account by using tools that assess the risk that the user isn't the legitimate account owner. These tools assess the user's profile and signals such as "Is this the same device this user normally uses?" and "Is the user logging in from a location they've logged in from before?" and then either allow the user access or take another action based on the risk. Solutions that can spot bots (automated attacks) trying to verify stolen credentials are slowly becoming table stakes, as opposed to always-on MFA!
Before we look at this from a customer-experience lens, let's explore strong customer authentication (SCA), which is enshrined in law through a number of regulations, most notably the EU's revised Payment Services Directive (PSD2), with the United Kingdom's deadline for full SCA compliance set at 14 March 2021. SCA is two-factor authentication for payments: the customer must present two independent factors from different categories to prove who they are. What's great about SCA versus generic MFA is the focus on the end-user experience (instead of the tooling). Okay, so we all get knowledge-based authentication: "something you know", typically the first factor, i.e. the password. A PIN or answers to security questions are knowledge factors too, but one caveat the regulation is explicit about: the two SCA factors must come from different categories, so password plus PIN is still a single category and does not qualify as SCA on its own. The knowledge step itself feels pretty accessible -- I can imagine my folks using it (given that COVID-19 introduced them to the world of online grocery shopping) versus downloading some authenticator app; the question is what the second, non-knowledge factor looks like.
Another factor is something that you have. In the B2C world, a smartphone is a great baseline. Having a known device attached to an account gives us a passive factor, a signal or indicator without friction. One caveat a practitioner should insist on: a device fingerprint (user agent, screen size, installed fonts) is a risk signal, not a possession factor, because an attacker can imitate it. For a device to count as "something you have" it must hold something that can't be lifted from a breach dump, such as a device-bound key (a WebAuthn/FIDO2 platform authenticator) or a bound token issued after a previous strong login. Looking for this signal without a proprietary app should be what digital teams demand as table stakes!
The final factor for SCA is something that you are -- and this is where biometrics are becoming more accessible, both passive (behavioural biometrics, e.g., how you type) and active (e.g., fingerprints or face recognition on the device).
It's becoming more important for brands and organisations to invest in specialist centralised consumer identity platforms, so websites and apps are able to recognise suspicious behaviour -- for example, if multiple unsuccessful login attempts occur in a short period, or if a user based in the United States suddenly attempts to log in from a foreign IP address. Accounts should then require step-up authentication, meaning that the user is required to provide an additional factor to log in, or the account should be locked down completely to protect the user's data.
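To make the step-up/step-down logic concrete, here is an added example (mine, not code from the original post or from any product) of a small risk-based login decision engine in Python. It combines the signals named in this paragraph and in the bot-management paragraph above: whether the device is one the account has used before, whether the source country is one the account has logged in from before, and how many failed attempts the account has seen in a short window. The scores, thresholds, the five-minute window, and the sample account history and login sequence are all assumptions chosen for the demo, not values from the article.

```python
"""Risk-based login decision: allow, step_up, deny or lock.

Added illustration only; not code from the original post. All thresholds,
signal weights and the sample history/attempts below are assumptions chosen
for the demo, not values from the article or any product.
"""
from collections import deque
from dataclasses import dataclass, field

# Policy knobs (assumed for the demo; a real deployment tunes these to its risk appetite).
FAILED_WINDOW_SECONDS = 300   # failed attempts older than this no longer count
FAILED_THRESHOLD = 5          # this many failures in the window locks the account
STEP_UP_THRESHOLD = 40        # risk score at or above this demands a second factor
LOCK_THRESHOLD = 80           # risk score at or above this locks even a correct password


@dataclass
class AccountHistory:
    known_devices: set
    known_countries: set
    failures: deque = field(default_factory=deque)  # timestamps of recent failed logins


@dataclass
class LoginAttempt:
    account: str
    ts: int          # seconds since epoch
    device_id: str   # stable, device-bound identifier presented by the client
    country: str     # ISO country code derived from the source IP
    password_ok: bool


def _prune_failures(history: AccountHistory, now: int) -> int:
    """Drop failures outside the window and return how many remain."""
    while history.failures and now - history.failures[0] > FAILED_WINDOW_SECONDS:
        history.failures.popleft()
    return len(history.failures)


def risk_score(history: AccountHistory, attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Combine passive signals into a score plus the reasons that contributed."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown_device")
    if attempt.country not in history.known_countries:
        score += 40
        reasons.append("new_country")
    if _prune_failures(history, attempt.ts) >= 2:
        score += 15
        reasons.append("recent_failures")
    return score, reasons


def decide(history: AccountHistory, attempt: LoginAttempt) -> tuple[str, list[str]]:
    """Return (action, reasons). Actions: allow, step_up, deny, lock."""
    if _prune_failures(history, attempt.ts) >= FAILED_THRESHOLD:
        # Temporary lockout: it lifts by itself once failures age out of the window.
        return "lock", ["failure_threshold"]
    if not attempt.password_ok:
        history.failures.append(attempt.ts)
        if len(history.failures) >= FAILED_THRESHOLD:
            return "lock", ["failure_threshold"]
        return "deny", ["bad_password"]
    score, reasons = risk_score(history, attempt)
    if score >= LOCK_THRESHOLD:
        return "lock", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons      # familiar context: no extra friction (the step-down)


def enrol_after_step_up(history: AccountHistory, attempt: LoginAttempt) -> None:
    """Once the user passes the second factor, trust this device and country."""
    history.known_devices.add(attempt.device_id)
    history.known_countries.add(attempt.country)
    history.failures.clear()


def demo() -> list[str]:
    """Constructed scenario: habitual login, travel, then a stuffing burst."""
    alice = AccountHistory(known_devices={"dev-A"}, known_countries={"GB"})
    actions = []
    # 1. Usual device and country: no step-up.
    actions.append(decide(alice, LoginAttempt("alice", 1000, "dev-A", "GB", True))[0])
    # 2. Correct password but a new laptop abroad: score 70 -> second factor.
    travel = LoginAttempt("alice", 2000, "dev-B", "US", True)
    actions.append(decide(alice, travel)[0])
    enrol_after_step_up(alice, travel)      # she passed the OTP; remember this device
    actions.append(decide(alice, LoginAttempt("alice", 2100, "dev-B", "US", True))[0])
    # 3. Credential stuffing: five wrong passwords in under a minute from a new device.
    for i in range(5):
        actions.append(decide(alice, LoginAttempt("alice", 3000 + i * 10, "dev-C", "RU", False))[0])
    # 4. The right password (e.g. from a breach dump) inside the lockout window still fails.
    actions.append(decide(alice, LoginAttempt("alice", 3100, "dev-A", "GB", True))[0])
    return actions


if __name__ == "__main__":
    for step, action in enumerate(demo(), 1):
        print(step, action)
```

Running it walks through the scenario: allow for the habitual login, step_up for a correct password from a new laptop abroad, allow again once that device is enrolled after the second factor (the step-down), deny for each wrong password, lock when the fifth failure lands, and lock again for a correct password from the usual device while the window is still open. Two caveats worth designing in. A per-account failure counter only catches stuffing aimed at one account; a distributed attack that spreads one attempt per account across thousands of IPs never trips it, which is why the bot-management layer from the earlier paragraph sits in front of this logic. And the lockout is deliberately time-limited rather than permanent, because a permanent lock lets an attacker who knows only the username deny service to the real customer.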
There is an opportunity in the market to remove friction while improving security. When we plan to step up the user journey with additional authentication factors, context, risk appetite and the risk calculation itself become the key design inputs. The experience can then be customer-centric and dynamic, stepping down as well as stepping up.