CIAM Balancing Act: Security vs. Customer Experience? Which Should Win in Today’s Landscape?
Over the last few years, consumers across all industry verticals have become increasingly comfortable and satisfied with digital experiences. According to a survey by Telus International, over 70% of Americans plan to continue shopping, banking and engaging in e-health and wellness activities[1]. Simultaneously, a Norton report showed that consumers expressed concerns over data privacy and security, with 58% of adults saying that they are more worried than ever about being a victim of cybercrime[2].
Organizations that want to increase their revenue streams need to provide user-friendly customer experiences, but this leaves many security and identity professionals struggling to balance ease of use with security. Providing a passwordless authentication experience leveraging WebAuthn and FIDO can solve both problems, giving organizations the win-win solution they need to remain competitive.
New solutions for a new digital world
Adopting new customer experiences requires organizations to adopt new Consumer Identity and Access Management (CIAM) solutions. Traditional Identity and Access Management (IAM) solutions focus on internal, workforce user access to resources. However, they often lack the ability to manage consumers, partners, citizens and other non-workforce users.
IAM tools give organizations a way to authorize and authenticate users by relying on internal documentation validating identity. For example, when an organization provides birthright access for a new employee, it uses legal documentation to prove that the person is who they say they are. The organization has full control over what the user can access, what devices they can use and how they can access resources.
With digital customer experiences, the organization has no control over these factors. Most customer experiences use self-registration where the person provides a username or email and a password. Additionally, consumers may use multiple devices with different operating systems and security settings to interact with the organization’s technology.
CIAM addresses these differing security issues, providing organizations the technology they need to ensure a streamlined experience and robust security that protects the consumer.
The problem with passwords
Passwords present a plethora of problems. While IAM may mitigate some of these issues for internal workforce users, it lacks the ability to secure customer authentication.
Password hygiene
To protect systems from credential-based attacks, organizations establish and enforce password strength policies for their employees. Further, since an organization’s number of employees is relatively finite, they can provide employees with password managers or password assistants.
However, they can’t put these controls in place for customers. They may be able to enforce password strength requirements, but they’re not able to ensure that the password is unique or that the customer uses a password manager, assistant or keychain.
Authentication protections
To protect against bot-driven credential-based attacks, many organizations use additional mechanisms. Some common protections include:
- SMS one-time passcodes (OTPs)
- Knowledge-based security questions (KBAs)
- CAPTCHAs
These pose two distinct problems for consumer experiences. First, attackers can find a workaround when they want to deploy an attack. Second, they frustrate consumers, which can lead to abandoned transactions and churn.
The benefits of going passwordless with CIAM
Many organizations are already embracing passwordless technologies to balance security and customer experience starting with the first touch and continuing throughout the rest of the journey. Additionally, the right CIAM solution will address the needs of internal stakeholders, like digital product owners and marketers.
Brand personality: The customer experience is often the psychological reason that consumers are loyal to a company. Therefore, the consumer experience needs to align with the brand personality as much as it needs to protect consumers.
CIAM passwordless technologies can reinforce the organization’s brand by:
- Offering a full spectrum of passwordless methods to authenticate all customers — even those who are not ready or able to use a biometric
- Pairing biometric-enabled devices to authenticate users on older devices to ensure all users have the same experience
- Enabling accessibility for people with cognitive or physical disabilities, like dyslexia or blindness
Security: By removing passwords, these technologies eliminate a primary attack vector. Additionally, they give companies a way to implement multi-factor authentication, even with self-registered users. The technologies create a public/private key structure that adds more robust protection mechanisms to the login process.
Privacy and consent: Finally, passwordless CIAM solutions enable companies to meet consumer privacy compliance requirements. They enable customers to revoke consent, delete stored data, request copies of stored data and opt out of marketing campaigns.
Implementing the right passwordless CIAM solution
With so many different types of passwordless technologies, it can be difficult to choose the right one. Some examples of options include:
- Magic links
- Push-to-authenticate apps
- Soft tokens
- Hard tokens
- SMS OTPs
- Time-based one-time passcodes (TOTPs)
Unfortunately, each of these creates some level of user frustration, especially when used repeatedly.
Start with FIDO
The Fast Identity Online (FIDO) Alliance developed technical specifications to define an open, scalable, interoperable set of mechanisms to help reduce people’s reliance on passwords as a primary authentication method.
WebAuthn sits at the core of these standards. It uses technology that already resides on almost every modern mobile phone, tablet, laptop and PC. When implemented correctly, WebAuthn-based authentication lets consumers log in using the device’s biometric technology, like fingerprint or facial recognition.
They never have to remember a password, wait to receive an SMS or email, or use another app to authenticate. Plus, it’s phishing-proof and impervious to brute force attacks.
Plan for permutations
While the primary goal of implementing passwordless may be security, organizations need to remember that customer experience was the original business driver.
Some scenarios to consider include:
- What if a user has a modern mobile phone but doesn’t rely on the built-in biometric authenticator?
- What if they have an old flip phone?
- What about a user who has an older PC but carries a newer iPhone?
- What if the user’s newer laptop has an out-of-date browser or one that is not compatible with the FIDO standards?
A CIAM solution should be able to address all of these and many more scenarios.
Elegant technology solutions are rarely simple. To the end user, passwordless feels like magic. Just like a good magic act, passwordless implementations require preparation and work to give consumers the secure, easy-to-use experience they want.
At Transmit Security, we have built solutions that address different scenarios across banking, insurance, retail and other sectors. To give our customers the desired outcomes, we’ve analyzed and defined journeys (identity flows) for every imaginable scenario and learned where the challenge of good passwordless customer authentication lies. We’ve learned that passwordless is an option for every customer profile, when it’s done right, as long as the organization plans for and handles the various scenarios.
Ready to say goodbye to passwords? Learn more about BindID today!